In some situations (like not having money on balance), my internet provider redirects any HTTP request to a simple html stub. Recently the Maven cache on my dev machine was flooded by jar files with content consisting of an html stub from my internet provider. These jar files were not noticed during the build and ended up being deployed to Tomcat as a part of my project artifacts. I noticed the problem thanks to warnings about corrupted jar files in the Tomcat log. Obviously, I want to avoid this situation in the future.
I see that in the Maven cache there are *.sha1 files that are expected to contain integrity checksums for jar files. In my case, these *.sha1 files also had wrong content (consisting of an html stub).
How can I configure Maven to fail during artifact download or during the build process if a jar file's content does not match the integrity checksum?
The Maven version I use is 3.3.9.
Pass the command-line option --strict-checksums.
https://books.sonatype.com/mvnref-book/reference/running-sect-options.html#running-sect-deps-option
-C, --strict-checksums
Fail the build if checksums don’t match
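Checksum checking of this kind is applied to downloads, so stub files that already sit in the local repository still have to be found separately. The following script is an added example, not part of the original question or answer: it lists jars that do not start with the ZIP signature or that disagree with the .sha1 file next to them. The function names, the report labels and the sample files are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: list jars in a Maven local repository that are not ZIP
# archives or that disagree with the .sha1 file stored next to them.

sha1_of() {  # print the SHA-1 hex digest of file $1
  if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi |
    cut -d' ' -f1
}

# check_jar FILE: print "REASON path" and return 1 if the jar is suspect.
check_jar() {
  jar=$1
  # A jar is a ZIP archive, so it starts with the bytes "PK"; an HTML stub does not.
  if [ "$(head -c 2 "$jar")" != "PK" ]; then echo "NOT-A-ZIP $jar"; return 1; fi
  if [ ! -f "$jar.sha1" ]; then echo "NO-SHA1 $jar"; return 1; fi
  # The .sha1 file holds a 40-digit hex digest, optionally followed by a file name.
  expected=$(awk 'NR==1 {print tolower($1)}' "$jar.sha1")
  if ! printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{40}$'; then
    echo "BAD-SHA1-FILE $jar"; return 1
  fi
  if [ "$expected" != "$(sha1_of "$jar")" ]; then echo "MISMATCH $jar"; return 1; fi
}

# scan_repo DIR: print one line per suspect jar under DIR (no output = clean).
scan_repo() {
  find "$1" -type f -name '*.jar' | sort | while IFS= read -r path; do
    check_jar "$path" || true
  done
}

# make_sample_repo DIR: constructed sample data reproducing the situation above.
make_sample_repo() {
  mkdir -p "$1/good/1.0" "$1/stub/1.0" "$1/tampered/1.0"
  printf 'PK\003\004constructed-jar-body' > "$1/good/1.0/good-1.0.jar"
  sha1_of "$1/good/1.0/good-1.0.jar" > "$1/good/1.0/good-1.0.jar.sha1"
  # Jar and checksum both replaced by the provider's HTML stub.
  printf '<html><body>Please top up</body></html>' > "$1/stub/1.0/stub-1.0.jar"
  cp "$1/stub/1.0/stub-1.0.jar" "$1/stub/1.0/stub-1.0.jar.sha1"
  # ZIP signature present, but the stored digest (SHA-1 of empty input) does not match.
  printf 'PK\003\004modified' > "$1/tampered/1.0/tampered-1.0.jar"
  printf 'da39a3ee5e6b4b0d3255bfef95601890afd80709\n' > "$1/tampered/1.0/tampered-1.0.jar.sha1"
}

# Usage: sh audit-m2.sh ~/.m2/repository
if [ $# -gt 0 ]; then scan_repo "$1"; fi
```

Each reported path can be deleted from the local repository so that Maven downloads the artifact again.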