Skip to content

Fix script sha256sum verification on macOS#393

Merged
slachiewicz merged 1 commit into
apache:masterfrom
emilime93:fix-macos-sha256sum-bug
Jan 17, 2026
Merged

Fix script sha256sum verification on macOS#393
slachiewicz merged 1 commit into
apache:masterfrom
emilime93:fix-macos-sha256sum-bug

Conversation

@emilime93

@emilime93 emilime93 commented Jan 17, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

I found a vulnerability/bug in the mvnw script on macOS where malformed SHA-256 checksums in the distributionSha256Sum property may pass validation despite being invalid. This only impacts cases where the checksum is incorrectly formatted, not when it's correctly formatted but incorrect.

This occurs because the script invokes sha256sum without the --strict flag, and macOS's Darwin implementation does not enforce strict format checking by default, unlike GNU coreutils. When a malformed checksum is provided (e.g., an extra hex character), sha256sum emits a warning to stderr but returns a success exit code, which the script interprets as valid. Since stderr is redirected to /dev/null, the warning is silenced. The issue affects both mvnw and only-mvnw scripts. The fix adds the --strict flag to ensure improperly formatted checksum lines cause validation to fail, aligning macOS behavior with Linux.

Unfortunately I did not find an easy way to make a test for this.

  • Your pull request should address just one issue, without pulling in other changes.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Each commit in the pull request should have a meaningful subject line and body.
    Note that commits might be squashed by a maintainer on merge.
  • Write unit tests that match behavioral changes, where the tests fail if the changes to the runtime are not applied.
    This may not always be possible but is a best-practice.
  • Run mvn verify to make sure basic checks pass.
    A more thorough check will be performed on your pull request automatically.
  • You have run the integration tests successfully (mvn -Prun-its verify).

If your pull request is about ~20 lines of code you don't need to sign an
Individual Contributor License Agreement if you are unsure
please ask on the developers list.

To make clear that you license your contribution under
the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.

@emilime93
Add --strict flag to sha256sum verification
5380a35 
Without it, the macOS implementation exits with code 0 for malformed input, triggering a false positive
@slachiewicz slachiewicz added the bug Something isn't working label Jan 17, 2026
@slachiewicz slachiewicz merged commit 4ab5304 into apache:master Jan 17, 2026
12 checks passed
@github-actions github-actions Bot added this to the 3.3.4 milestone Jan 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@slachiewicz slachiewicz

Labels

bug Something isn't working

Projects

None yet

Milestone

3.3.4

Development

Successfully merging this pull request may close these issues.

2 participants

@emilime93 @slachiewicz