diff --git a/gradlew b/gradlew index 98a05d787ee04..2cb83c664d83c 100755 --- a/gradlew +++ b/gradlew @@ -201,6 +201,7 @@ fi # Loop in case we encounter an error. +REQUIRED_WRAPPER_JAR_CHECKSUM="76805e32c009c0cf0dd5d206bddc9fb22ea42e84db904b764f3047de095493f3" for attempt in 1 2 3; do if [ ! -e "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" ]; then if ! curl -s -S --retry 3 -L -o "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" "https://raw.githubusercontent.com/gradle/gradle/v9.1.0/gradle/wrapper/gradle-wrapper.jar"; then @@ -209,6 +210,26 @@ for attempt in 1 2 3; do sleep 5 continue fi + else + # Verify checksum of existing wrapper JAR. + # This prevents developers from running into incompatibility issues when using an outdated wrapper JAR after a Gradle upgrade. + # Use sha256sum or shasum, whichever is available. + if command -v sha256sum >/dev/null 2>&1; then + LOCAL_WRAPPER_JAR_CHECKSUM=$(sha256sum "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" | awk '{print $1}') + elif command -v shasum >/dev/null 2>&1; then + LOCAL_WRAPPER_JAR_CHECKSUM=$(shasum -a 256 "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" | awk '{print $1}') + else + # If no checksum tool is found, this verification is skipped . + warn "Cannot find sha256sum or shasum to verify wrapper JAR." + break + fi + + # If the local checksum does not match the required checksum, delete the JAR to force re-download. + if [ "$LOCAL_WRAPPER_JAR_CHECKSUM" != "$REQUIRED_WRAPPER_JAR_CHECKSUM" ] ; then + rm -f "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" + else + break + fi fi done diff --git a/wrapper.gradle b/wrapper.gradle index a0f400271d0d2..cd1de19c3d61a 100644 --- a/wrapper.gradle +++ b/wrapper.gradle 
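Review bot: The checksum comparison sits only in the `else` branch of the existence test in the second gradlew hunk, so a JAR that curl fetches on the third attempt leaves the loop without ever being compared to `REQUIRED_WRAPPER_JAR_CHECKSUM`. The branch for a missing `sha256sum`/`shasum` also breaks out with only a warning, so on such hosts the pin is not enforced at all. Since this JAR is executed by the build, running the comparison after the download in the same iteration would turn the pin into an integrity check as well as a compatibility check, and a `warn` on mismatch would explain why the file disappeared. The same structure is repeated in the `bootstrapString` hunk of wrapper.gradle; the curl failure handling between the two hunks is not visible here.

```shell
    if [ ! -e "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" ]; then
        # … unchanged: curl download, sleep and continue on failure …
    fi

    # Verify on every pass, so a JAR fetched in this iteration is checked before use.
    # … unchanged: sha256sum / shasum selection into LOCAL_WRAPPER_JAR_CHECKSUM …

    if [ "$LOCAL_WRAPPER_JAR_CHECKSUM" = "$REQUIRED_WRAPPER_JAR_CHECKSUM" ]; then
        break
    fi
    warn "gradle-wrapper.jar does not match the pinned SHA-256 (attempt $attempt); removing it."
    rm -f "$APP_HOME/gradle/wrapper/gradle-wrapper.jar"
```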
@@ -39,11 +39,13 @@ task bootstrapWrapper() { // github.com servers deprecated TLSv1/TLSv1.1 support some time ago, so older versions // of curl (built against OpenSSL library that doesn't support TLSv1.2) would fail to // fetch the jar. - def wrapperBaseUrl = "https://raw.githubusercontent.com/gradle/gradle/v$versions.gradle/gradle/wrapper" - def wrapperJarUrl = wrapperBaseUrl + "/gradle-wrapper.jar" + // IMPORTANT: This checksum **must** be updated whenever the Gradle version changes. + String wrapperChecksum = "76805e32c009c0cf0dd5d206bddc9fb22ea42e84db904b764f3047de095493f3" + def wrapperJarUrl = "https://raw.githubusercontent.com/gradle/gradle/v$versions.gradle/gradle/wrapper/gradle-wrapper.jar" def bootstrapString = """ # Loop in case we encounter an error. + REQUIRED_WRAPPER_JAR_CHECKSUM="$wrapperChecksum" for attempt in 1 2 3; do if [ ! -e "$wrapperJarPath" ]; then if ! curl -s -S --retry 3 -L -o "$wrapperJarPath" "$wrapperJarUrl"; then @@ -52,6 +54,26 @@ task bootstrapWrapper() { sleep 5 continue fi + else + # Verify checksum of existing wrapper JAR. + # This prevents developers from running into incompatibility issues when using an outdated wrapper JAR after a Gradle upgrade. + # Use sha256sum or shasum, whichever is available. + if command -v sha256sum >/dev/null 2>&1; then + LOCAL_WRAPPER_JAR_CHECKSUM=\$(sha256sum "$wrapperJarPath" | awk '{print \$1}') + elif command -v shasum >/dev/null 2>&1; then + LOCAL_WRAPPER_JAR_CHECKSUM=\$(shasum -a 256 "$wrapperJarPath" | awk '{print \$1}') + else + # If no checksum tool is found, this verification is skipped . + warn "Cannot find sha256sum or shasum to verify wrapper JAR." + break + fi + + # If the local checksum does not match the required checksum, delete the JAR to force re-download. + if [ "\$LOCAL_WRAPPER_JAR_CHECKSUM" != "\$REQUIRED_WRAPPER_JAR_CHECKSUM" ] ; then + rm -f "$wrapperJarPath" + else + break + fi fi done """.stripIndent()
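Review bot: The `wrapperChecksum` literal in the first wrapper.gradle hunk is tied to `versions.gradle` only by the IMPORTANT comment, and that comment does not say what is hashed or where the expected value should come from. If the version is bumped without the digest, the generated script appears to delete the JAR it has just downloaded, with no message pointing at the stale value. I would extend the comment to something like `// SHA-256 of gradle/wrapper/gradle-wrapper.jar at tag v$versions.gradle; take the value from Gradle's published wrapper checksum for that release, not from a locally downloaded copy.` Keeping the digest next to the Gradle version definition would make the two harder to change separately, though that file is not part of this diff.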