From 8925a5e72446c376034b6e393a00955f470c4308 Mon Sep 17 00:00:00 2001 From: Steve Loughran Date: Mon, 6 Mar 2006 21:47:42 +0000 Subject: [PATCH] This bit of complexity verifies the sha1 key of the m2 library against what is in the libraries file. Provided the ant distro is validated, this ensures that the maven library that comes down is also valid. git-svn-id: https://svn.apache.org/repos/asf/ant/core/trunk@383684 13f79535-47bb-0310-9956-ffa450edef68 --- fetch.xml | 43 ++++++++++++++++++++++++++++++++++------ lib/libraries.properties | 8 +++++--- 2 files changed, 42 insertions(+), 9 deletions(-) diff --git a/fetch.xml b/fetch.xml index 8bf24027d..8bcf5db96 100644 --- a/fetch.xml +++ b/fetch.xml @@ -77,6 +77,7 @@ + @@ -85,18 +86,48 @@ - + + + + + + + + + + + + + + + Failed to verify the downloaded file ${m2.antlib.url}" against the checksum + coded into libraries.properties. + The local copy has been deleted, for security reasons + + + + - The Maven2 JAR has been installed; rerun ant to load it. + The Maven2 JAR has been installed; rerun Ant to load it. - - - + + + + diff --git a/lib/libraries.properties b/lib/libraries.properties index 8802ee686..bc2ac579d 100644 --- a/lib/libraries.properties +++ b/lib/libraries.properties @@ -1,13 +1,15 @@ #this file declares the libraries for use in #a given release of the components -m2.version=2.0 +#if you change this, change the checksum to match +m2.version=2.0.1 m2.url=http://ibiblio.org/maven2/ m2.artifact-name=maven-artifact-ant m2.jar.name=${m2.artifact-name}-${m2.version}-dep.jar #this is the URL of the antlib library, that is pulled down for everything else. m2.antlib.url=${m2.url}/org/apache/maven/${m2.artifact-name}/${m2.version}/${m2.jar.name} - +#this is the sha1 checksum of the artifact +m2.sha1.checksum=7240828f1744c1f9f8b158a026ac368a03f536a3 #versions of different libraries. Please keep in alphabetical order, except 
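Review bot: The failure message in the new verification block has a stray double quote after `${m2.antlib.url}`, so users will see `...${m2.antlib.url}" against the checksum`; the line should read `Failed to verify the downloaded file ${m2.antlib.url} against the checksum`. The XML markup of this hunk is not visible on this page, so the ordering of the steps cannot be confirmed from here. Since the message states that the local copy has been deleted, the delete needs to run before the build fails. Ideally the JAR is downloaded to a temporary location and moved into the library directory only after the checksum matches, so an interrupted build never leaves an unverified JAR where Ant would load it.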
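Review bot: The pinned `m2.sha1.checksum` is the only integrity control on a JAR fetched over plain HTTP (`m2.url=http://ibiblio.org/maven2/`), and SHA-1 is no longer considered collision-resistant, so the pin gives less assurance against a party who can influence the published artifact. I would pin a SHA-256 digest under an algorithm-neutral or explicit name, e.g. `m2.sha256.checksum=<sha256-of-the-jar>` (placeholder value), and use an HTTPS repository URL where one is offered. The comment above `m2.version` could also state the consequence of forgetting: `#if you change this, update the checksum below or the fetch will fail verification`.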
@@ -23,7 +25,7 @@ jdepend.version=2.7
 junit.version=3.8.1
 jsch.version=0.1.17
 jython.version=3.8.1
-log4j.version=1.2.12
+log4j.version=1.2.13
 #rhino.version=1.5R5
 oro.version=2.0.8
 regexp.version=1.3