free_easy

Reputation: 5129

Hash values in Maven repositories

Artifacts in a Maven repository have MD5 and SHA1 hash values. Where are the hash values generated, during build time by the local Maven installation or by the repository server after the artifacts have been uploaded?

Upvotes: 1

Views: 2693

Answers (1)

Stephen Connolly

Reputation: 14116

The .md5 and the .sha1 hashes are generated by Maven's Artifact handling code just before deployment (though bugs in 2.1.0 and 2.2.0 resulted in the hashes being computed earlier, which is why those specific versions deploy incorrect hashes and are considered a bad idea to use).

If you want to validate artifact authenticity, it's the GPG signatures that all recent (at least the last 2 years) releases in Central are required to have as well.

Consider the .md5 and .sha1 hashes as verification that the artifact is intact, and the GPG signature as verification that the artifact is authentic.

Upvotes: 2
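The integrity-versus-authenticity distinction drawn in the answer above, as an added example that is not part of the original post or of Maven's code: a sidecar check catches a corrupted file, but passes again once the sidecars are regenerated next to the changed file. The file name `demo-1.0.jar`, the helper names and the tolerance for a `digest  filename` sidecar layout are assumptions made for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

ALGOS = {".md5": "md5", ".sha1": "sha1"}  # sidecar extensions named in the question

def file_digest(path: Path, algo: str) -> str:
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_sidecars(artifact: Path) -> None:
    """Stand-in for the deploy-time step: hash the file, write the sidecars beside it."""
    for ext, algo in ALGOS.items():
        Path(str(artifact) + ext).write_text(file_digest(artifact, algo))

def read_sidecar(path: Path) -> str:
    # Assumption: a sidecar is either a bare hex digest or "digest  filename";
    # the first whitespace-separated token is the digest in both layouts.
    tokens = path.read_text().split()
    return tokens[0].lower() if tokens else ""

def verify(artifact: Path) -> dict:
    """Return {extension: True | False | None}; None means the sidecar is missing."""
    result = {}
    for ext, algo in ALGOS.items():
        sidecar = Path(str(artifact) + ext)
        if not sidecar.exists():
            result[ext] = None
            continue
        result[ext] = hmac.compare_digest(read_sidecar(sidecar), file_digest(artifact, algo))
    return result

def demo() -> tuple:
    with tempfile.TemporaryDirectory() as d:
        jar = Path(d) / "demo-1.0.jar"  # constructed sample artifact
        jar.write_bytes(b"constructed artifact bytes")
        write_sidecars(jar)
        intact = verify(jar)
        jar.write_bytes(b"constructed artifact bytes, corrupted")
        corrupted = verify(jar)   # stale sidecars no longer match: corruption is detected
        write_sidecars(jar)       # anyone who can write the file can also rewrite its hashes
        rehashed = verify(jar)    # matches again, which says nothing about who produced the file
    return intact, corrupted, rehashed

if __name__ == "__main__":
    print(demo())
```

The third result is why a matching checksum only shows the file arrived intact; establishing the publisher requires checking the detached signature against a key you already trust.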
