Reputation: 12399
In some situations (like not having money on balance), my internet provider redirects any HTTP request to a simple html stub. Recently the maven cache on my dev machine was flooded by jar files with content consisting of an html stub from my internet provider. These jar files were not noticed during the build and ended up being deployed to Tomcat as a part of my project artifacts. I noticed the problem thanks to warnings about corrupted jar files in the Tomcat log. Obviously, I want to avoid this situation in the future.
I see that in the maven cache there are *.sha1 files that are expected to contain integrity checksums for jar files. In my case, these *.sha1 files also had wrong content (consisting of an html stub).
How can I configure maven to fail during artifact download or during build process if jar file content does not match the integrity checksum?
The Maven version I use is 3.3.9.
Upvotes: 5
Views: 7274
Reputation: 2081
Maven-lockfile provides build integrity by checking the checksums of all dependencies, direct and transitive. It applies the concept of lockfile / dependency pinning to Maven.
See Github repository at https://github.com/chains-project/maven-lockfile/
Upvotes: 0
Reputation: 1458
If you work with an IDE like IntelliJ, there is an option as well:
Upvotes: 1
Reputation: 4714
In Maven 4.0.0-alpha-2, if a downloaded file fails the checksum check, the build will fail. This used to be a warning.
Jira-Issue: https://issues.apache.org/jira/browse/MNG-5728
Upvotes: 0
Reputation: 8163
Pass the command-line option --strict-checksums.
https://books.sonatype.com/mvnref-book/reference/running-sect-options.html#running-sect-deps-option
-C, --strict-checksums
Fail the build if checksums don’t match
Upvotes: 8
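The question describes a cache where both the jar and its .sha1 file were replaced by an HTML stub, so the checksum files alone cannot be trusted. The script below is an added example, not code from the question or any of the answers: it scans a local Maven repository and flags every jar that either does not start with the zip magic bytes "PK" (the HTML-stub case) or does not match the digest recorded in its sibling .sha1 file. It assumes a POSIX sh with sha1sum, od and find available; the sample repository it builds under a temporary directory is constructed for the demonstration and the artifact coordinates in it (org.example:good, org.example:bad) are made up.

```shell
#!/bin/sh
# Added example (not from the question or answers): audit a local Maven
# repository for artifacts that are not real jars or whose content does
# not match the stored .sha1 digest. Assumes POSIX sh, sha1sum, od, find.

# verify_m2_repo REPO_DIR
# Returns 0 when every *.jar under REPO_DIR starts with the zip magic "PK"
# and matches its *.jar.sha1 file; returns 1 (and lists offenders) otherwise.
# Note: the for/find loop assumes repository paths without spaces, which
# holds for the groupId/artifactId/version layout Maven uses.
verify_m2_repo() {
    repo="$1"
    bad=0
    for jar in $(find "$repo" -type f -name '*.jar'); do
        # 1. Content check: a genuine jar is a zip archive and begins with "PK".
        #    An HTML stub begins with "<h" (or "<!"), so it fails here already.
        magic=$(od -An -c -N2 "$jar" | tr -d ' ')
        if [ "$magic" != "PK" ]; then
            echo "NOT A JAR (probably an HTML stub): $jar"
            bad=1
            continue
        fi
        # 2. Integrity check against the .sha1 file Maven stores beside the jar.
        sumfile="$jar.sha1"
        if [ ! -f "$sumfile" ]; then
            echo "MISSING CHECKSUM: $jar"
            bad=1
            continue
        fi
        # A .sha1 file holds either the bare hex digest or "digest  filename";
        # the first 40 characters are the digest in both layouts.
        expected=$(head -c 40 "$sumfile" | tr 'A-F' 'a-f')
        actual=$(sha1sum "$jar" | cut -c1-40)
        if [ "$expected" != "$actual" ]; then
            echo "CHECKSUM MISMATCH: $jar (expected $expected, got $actual)"
            bad=1
        fi
    done
    return $bad
}

# make_sample_repo ROOT
# Builds a constructed sample repository: one jar-like artifact with a
# correct .sha1, and one artifact where jar and .sha1 are both an HTML stub,
# which is exactly the failure mode described in the question.
make_sample_repo() {
    root="$1"
    mkdir -p "$root/org/example/good/1.0" "$root/org/example/bad/1.0"
    good="$root/org/example/good/1.0/good-1.0.jar"
    # Constructed content: zip local-file-header magic followed by filler.
    printf 'PK\003\004constructed-jar-content' > "$good"
    sha1sum "$good" | cut -c1-40 > "$good.sha1"
    # Constructed HTML stub standing in for the provider's redirect page.
    stub='<html><body>Please top up your balance</body></html>'
    printf '%s' "$stub" > "$root/org/example/bad/1.0/bad-1.0.jar"
    printf '%s' "$stub" > "$root/org/example/bad/1.0/bad-1.0.jar.sha1"
}

# Usage against the real cache (uncomment to run):
# verify_m2_repo "$HOME/.m2/repository" || echo "corrupt artifacts found"
```

The content check matters because the integrity check alone is satisfied when the stub was written to both files, which is what happened in the question; once a corrupt artifact is found, deleting its version directory and re-running the build with mvn -C (the --strict-checksums option from the accepted answer) makes Maven re-download it and fail rather than warn if the remote digest does not match.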