javamavenchecksumdata-integrity

Configuring maven to check integrity checksums when downloading artifacts from repository and/or building a project?


In some situations (like not having money on balance), my internet provider redirects any HTTP request to a simple html stub. Recently maven cache on my dev machive was flooded by jar files with content consisting of an html stub from my internet provider. These jar files were not noticed during the build and ended up being deployed to Tomcat as a part of my project artifacts. I noticed problem thanks to warnings about corrupted jar files at Tomcat log. Obviously, I want to avoid this situation in future.

I see that at a maven cache, there are *.sha1 files that are expected to contain integrity checksums for jar files. In my case, these *.sha1 had also wrong content (consisting of an html stub).

How can I configure maven to fail during artifact download or during build process if jar file content does not match the integrity checksum?

The Maven version I use is 3.3.9.


Solution

  • Pass the command-line option --strict-checksums.

    https://books.sonatype.com/mvnref-book/reference/running-sect-options.html#running-sect-deps-option

    -C, --strict-checksums

    Fail the build if checksums don’t match