From fb6d9b0d5d603d4339f5547a74f00833b221cc0a Mon Sep 17 00:00:00 2001
From: jkf <jm@famkruithof.net>
Date: Sun, 26 May 2019 08:11:28 +0200
Subject: [PATCH] Validating contents of resources fetched via insecure
 channels

---
 fetch.xml                | 8 ++++++++
 lib/libraries.properties | 3 +++
 2 files changed, 11 insertions(+)

diff --git a/fetch.xml b/fetch.xml
index 679aceb4a..106237d54 100644
--- a/fetch.xml
+++ b/fetch.xml
@@ -342,6 +342,14 @@ Set -Ddest=LOCATION on the command line
   <target name="netrexx"
           description="load NetRexx compiler"
           depends="init-no-m2,-setup-temp-cache,-fetch-netrexx,-fetch-netrexx-no-commons-net">
+    <checksum file="${temp.dir}/NetRexx.zip" algorithm="SHA-256" property="${netrexx.sha256}" verifyProperty="netrexx.hash.matches"/>
+    <fail message="NetRexx.zip fetched via ftp has an unexpected SHA-256 checksum, the file may have been tampered with">
+       <condition>
+         <not>
+           <istrue value="${netrexx.hash.matches}"/>
+         </not>
+      </condition>
+    </fail>
     <copy todir="${dest.dir}" flatten="true">
       <zipfileset src="${temp.dir}/NetRexx.zip">
         <include name="NetRexx\lib\NetRexxC.jar"/>
diff --git a/lib/libraries.properties b/lib/libraries.properties
index 9ecbcfb1c..fcad6710b 100644
--- a/lib/libraries.properties
+++ b/lib/libraries.properties
@@ -28,6 +28,9 @@ m2.sha1.checksum=b09be554228d66d208e5fef5266844aacf443abc
 # Repository to use by default for fetching dependencies.
 m2.repo=http://repo1.maven.org/maven2/
 
+# hashes of libraries loaded over insecure connections
+netrexx.sha256=1f99f054e9b1e412d29823088f3fa7cfce90a7af25d907a60a6d7908a6b97ea4
+
 # Versions of different libraries. Please keep in alphabetical order, except
 # when a specific dependency forces them to be out-of-order
 ivy.version=2.4.0