
Title says it all. Our security team wants some logging or something that indicates that this is happening.

I renamed some repository folders so they would be downloaded again. There is no:

Checksum checked: ok!

in the log. I can show that the sha1s are being created and such. That is ok, but is there some logging that could be turned on to show it is actually happening?

OR, is there a way to shut it off? That might be valuable as well.

markthegrea
  • Does https://stackoverflow.com/questions/3865343/maven-checksum-pom-setting help? – Naman Oct 10 '17 at 17:46
  • I don't think so. That is just telling it to create the checksum for the jar you are making. I need to verify that the jars I am including in my code have been "checksummed". – markthegrea Oct 10 '17 at 17:48
  • Your security team should look into an on-site artifact repository manager like [Artifactory](https://www.jfrog.com/artifactory/), especially if there is a need for artifact traceability or auditability of builds. – M. le Rutte Oct 10 '17 at 17:49
  • Maven has `--strict-checksums` and `--lax-checksums` to control how it reacts to checksum failures. I know this doesn't directly answer your question, but it's possible to look into maven's source code and see how exactly those two flags are implemented. – jingx Oct 10 '17 at 17:56
  • You can configure in your [settings.xml to turn the checksum policy to fail instead of warn by default](https://maven.apache.org/settings.html). That means if a checksum is wrong the build will fail. Apart from that I would suggest using a repository manager which already should do such things.... – khmarbaise Oct 10 '17 at 18:00

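The comments point at two controls (the `--strict-checksums` / `-C` flag and a `<checksumPolicy>fail</checksumPolicy>` entry under a repository in settings.xml), but the question itself reports that the normal log shows no per-artifact confirmation. One way to get evidence that does not depend on Maven's log output is to recompute each cached jar's SHA-1 and compare it with the `.sha1` file that Maven 3 saves beside the artifact in the local repository. The script below is an added example; it is not code from the question, its comments or the Maven project. It assumes that local-repository layout (`foo.jar` next to `foo.jar.sha1`), that `sha1sum` or `shasum` is installed, and the function names `sha1_of`, `verify_sha1` and `audit_repo` are my own.

```shell
#!/bin/sh
# Added example (not from the question or its comments): audit a local Maven
# repository by recomputing every jar's SHA-1 and comparing it with the
# .jar.sha1 file stored next to it. Assumes sha1sum or shasum is available.

# Print the lowercase SHA-1 hex digest of a file.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when FILE matches FILE.sha1, 1 on a mismatch, 2 when no .sha1
# file exists. A .sha1 file may hold just the digest or "digest  filename"
# (and may use uppercase hex), so only the first token is used, lowercased.
verify_sha1() {
    file="$1"
    sumfile="$file.sha1"
    [ -f "$sumfile" ] || return 2
    expected=$(tr -d '\r' < "$sumfile" | awk '{print tolower($1); exit}')
    actual=$(sha1_of "$file")
    [ "$expected" = "$actual" ]
}

# Walk a repository directory (default ~/.m2/repository) and print one line
# per jar: OK, MISMATCH or NO-SHA1. Returns 0 when nothing mismatched, 1
# otherwise. The subshell keeps the mismatch flag visible across the pipe.
audit_repo() {
    repo="${1:-$HOME/.m2/repository}"
    find "$repo" -type f -name '*.jar' | (
        bad=0
        while IFS= read -r jar; do
            rc=0
            verify_sha1 "$jar" || rc=$?
            case $rc in
                0) echo "OK       $jar" ;;
                1) echo "MISMATCH $jar"; bad=1 ;;
                *) echo "NO-SHA1  $jar" ;;
            esac
        done
        exit $bad
    )
}

# Run the audit when invoked with a repository path, e.g.
#   sh audit_m2.sh ~/.m2/repository
if [ $# -gt 0 ]; then
    audit_repo "$1"
fi
```

A MISMATCH line is the condition a strict checksum policy would have failed the build on, and a NO-SHA1 line marks an artifact for which Maven had nothing to compare against (for example one that was installed locally rather than downloaded), which is worth reviewing separately. The output can be kept with the build log as the audit record the security team asked for.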