### New feature, improvement proposal From docs ## Checksum verification of downloaded binaries To avoid supply-chain-attacks by downloading a corrupted artifact, it is possible to specify checksums for both the *maven-wrapper.jar* and the downloaded distribution. To apply verification, add the expected file's SHA-256 sum in hex notation, using only small caps, to `maven-wrapper.properties`. The property for validating the *maven-wrapper.jar* file is named `wrapperSha256Sum` whereas the distribution file property is named `distributionSha256Sum`. Given the increasing frequency and sophistication of supply chain attacks, we should probably just do this by default.