This bit of complexity verifies the sha1 key of the m2 library against what is in the libraries file.

Provided the ant distro is validated, this ensures that the maven library that comes down is also valid.

git-svn-id: https://svn.apache.org/repos/asf/ant/core/trunk@383684 13f79535-47bb-0310-9956-ffa450edef68

fetch.xml

@@ -77,6 +77,7 @@
   
   <target name="probe-m2" depends="pick-dest">
     <!-- Look for M2 ant tasks in our classpath-->
+    <property name="m2.artifact" location="${dest.dir}/${m2.jar.name}"/>
     <available property="m2.antlib.found"
       resource="org/apache/maven/artifact/ant/antlib.xml" />
     <condition property="m2.antlib.typefound">
@@ -85,18 +86,48 @@
   </target>
   
 
-  <target name="get-m2" depends="probe-m2,pick-dest" unless="m2.antlib.found">
+  <target name="download-m2" depends="probe-m2,pick-dest" unless="m2.antlib.found">
     <!-- fetch M2 ant tasks into our repository, if it is not there-->
     <get src="${m2.antlib.url}" 
-      dest="${dest.dir}/${m2.jar.name}" 
+      dest="${m2.artifact}" 
       verbose="true"
       usetimestamp="false"/>
+  </target>
+
+  <target name="dont-validate-m2-checksum" depends="probe-m2"
+          if="m2.antlib.found">
+    <property name="checksum.equal" value="true" />
+  </target>
+
+  <target name="validate-m2-checksum" 
+          depends="download-m2,dont-validate-m2-checksum"
+          if="m2.sha1.checksum" unless="m2.antlib.found">
+    <checksum file="${m2.artifact}"
+        algorithm="SHA"
+        property="${m2.sha1.checksum}" 
+        verifyProperty="checksum.equal"/>
+  </target>
+
+  <target name="checksum-mismatch" depends="validate-m2-checksum" 
+          unless="checksum.equal" if="m2.sha1.checksum">
+    <delete file="${m2.artifact}"/>
+    <fail >
+      Failed to verify the downloaded file ${m2.antlib.url}" against the checksum
+      coded into libraries.properties. 
+      The local copy has been deleted, for security reasons
+    </fail>
+  </target>
+
+  <target name="checksum-match" depends="checksum-mismatch"
+          unless="checksum.equal">
     <fail status="0">
-      The Maven2 JAR has been installed; rerun ant to load it. 
+      The Maven2 JAR has been installed; rerun Ant to load it.
     </fail>
-  </target>  
-  
-  
+  </target>
+
+  <target name="get-m2" depends="checksum-match" 
+      description="Download the Maven2 Ant tasks"/> 
+
   <target name="macros" depends="get-m2"
     xmlns:artifact="antlib:org.apache.maven.artifact.ant">
 

lib/libraries.properties

@@ -1,13 +1,15 @@
 #this file declares the libraries for use in 
 #a given release of the components
 
-m2.version=2.0
+#if you change this, change the checksum to match
+m2.version=2.0.1
 m2.url=http://ibiblio.org/maven2/
 m2.artifact-name=maven-artifact-ant
 m2.jar.name=${m2.artifact-name}-${m2.version}-dep.jar
 #this is the URL of the antlib library, that is pulled down for everything else.
 m2.antlib.url=${m2.url}/org/apache/maven/${m2.artifact-name}/${m2.version}/${m2.jar.name}
-
+#this is the sha1 checksum of the artifact
+m2.sha1.checksum=7240828f1744c1f9f8b158a026ac368a03f536a3
 
 
 #versions of different libraries. Please keep in alphabetical order, except
@@ -23,7 +25,7 @@ jdepend.version=2.7
 junit.version=3.8.1
 jsch.version=0.1.17
 jython.version=3.8.1
-log4j.version=1.2.12
+log4j.version=1.2.13
 #rhino.version=1.5R5
 oro.version=2.0.8
 regexp.version=1.3