javamavenjardependencieschecksum

Lock dependencies by secure checksum in Maven


When I distribute a source project with a POM I can define dependencies with version strings. The build will download those dependencies if they are not in the local repository, it will even verify the checksums of those downloaded files with the metadata from the same repository (-C).

However the build will download those dependencies from a number of public repositories (and proxies) and my users are at the mercy of those public services if they will return unmodified files.

I would like to have a way to record the checksums of all my build dependencies and ship them together with the POM (so I am sure the files are unaltered but I dont need to ship a copy of my local repository to builders).

Is there a Maven way to do this? Similiar to that, is there a easy way to archive my dependencies (copy of the local repository with all used artifacts and metadata files) so I can repeat my build even when the central repositories fail or ship them to offline customers?

(Both without the need for an repository proxy if possible. I know I can build something to do that, I just wonder if there is a infrastructure in maven for that already. Maybe shipping a local repository which does only contain the metadata files or similiar?)

NB: I am not looking for createChecksum on the generated artifacts, but on locking the checksums of the used dependencies. I found a maven-create-checksums plugin, but no corresponding verifyer.


Solution

  • BTW I found a solution with recent maven you can use .mvn/checksums/ to provide trusted checksum files or directories: https://maven.apache.org/resolver/expected-checksums.html