Validating contents of resources fetched via insecure channels

fetch.xml

@@ -359,6 +359,14 @@ Set -Ddest=LOCATION on the command line
   <target name="netrexx"
           description="load NetRexx compiler"
           depends="init-no-m2,-setup-temp-cache,-fetch-netrexx,-fetch-netrexx-no-commons-net">
+    <checksum file="${temp.dir}/NetRexx.zip" algorithm="SHA-256" property="${netrexx.sha256}" verifyProperty="netrexx.hash.matches"/>
+    <fail message="NetRexx.zip fetched via ftp has an unexpected SHA-256 checksum, the file may have been tampered with">
+       <condition>
+         <not>
+           <istrue value="${netrexx.hash.matches}"/>
+         </not>
+      </condition>
+    </fail>
     <copy todir="${dest.dir}" flatten="true">
       <zipfileset src="${temp.dir}/NetRexx.zip">
         <include name="NetRexx\lib\NetRexxC.jar"/>

lib/libraries.properties

@@ -28,6 +28,9 @@ m2.sha1.checksum=b09be554228d66d208e5fef5266844aacf443abc
 # Repository to use by default for fetching dependencies.
 m2.repo=https://repo1.maven.org/maven2/
 
+# hashes of libraries loaded over insecure connections
+netrexx.sha256=1f99f054e9b1e412d29823088f3fa7cfce90a7af25d907a60a6d7908a6b97ea4
+
 # Versions of different libraries. Please keep in alphabetical order, except
 # when a specific dependency forces them to be out-of-order
 ivy.version=2.4.0