Maven Artifact Checksums
Want to learn more about working with Apache Maven and some of the problems you might face? Check out this post where we look at using Maven and artifact checksums.
If you are using Apache Maven, you might have faced an error like this:
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-shade-plugin:2.1:shade (default) on project cores-batch: Error creating shaded jar: invalid LOC header (bad signature) -> [Help 1]
...
.... (many lines removed for brevity)
...
Caused by: java.util.zip.ZipException: invalid LOC header (bad signature)
at java.util.zip.ZipFile.read(Native Method)
at java.util.zip.ZipFile.access$1400(ZipFile.java:56)
at java.util.zip.ZipFile$ZipFileInputStream.read(ZipFile.java:679)
at java.util.zip.ZipFile$ZipFileInflaterInputStream.fill(ZipFile.java:415)
at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:158)
at java.io.FilterInputStream.read(FilterInputStream.java:107)
...
How can that happen? Most of the time, download or network issues are the cause. In extreme cases, it might also be a hardware error, but I usually have my doubts about that. In other words, the artifacts were not downloaded correctly, or they were downloaded from repositories that no longer exist, or something else strange happened along the way. If you find artifacts that contain HTML snippets, that is an indicator that you are trying to download artifacts from repositories that no longer exist. In that case, you will have to check the repositories used in your configuration, which is obviously wrong.
So, now the question is: what can you do to prevent that in the future?
If you take a look on Stack Overflow, more or less all answers will tell you to delete your local cache $HOME/.m2/repository and rebuild.
This, unfortunately, only fixes the symptoms and not the real cause. Still, deleting the local cache is a reasonable first step.
And now the most important part: you have to configure Maven to verify the checksums of downloaded artifacts and fail your build if they do not match. This is called the checksum policy, and I strongly recommend it.
This means that you have to change the checksum policy in your settings.xml. A temporary solution would be to call Maven with --strict-checksums, which enforces the check only for that single invocation of Maven. So it is better to configure this in your settings.xml, which will look like this:
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              https://maven.apache.org/xsd/settings-1.0.0.xsd">
  ...
  <profiles>
    <profile>
      ...
      <repositories>
        <repository>
          <id>codehausSnapshots</id>
          <name>Codehaus Snapshots</name>
          <releases>
            <enabled>false</enabled>
            <updatePolicy>always</updatePolicy>
            <!-- fail the build on a checksum mismatch instead of only warning -->
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>true</enabled>
            <updatePolicy>never</updatePolicy>
            <checksumPolicy>fail</checksumPolicy>
          </snapshots>
          <url>...</url>
        </repository>
      </repositories>
      <pluginRepositories>
        ...
      </pluginRepositories>
      ...
    </profile>
  </profiles>
  ...
</settings>
Furthermore, you have to configure this for all of the repositories in your settings.xml. If you are using a repository manager, either locally or within a corporate environment, you also have to check that it is correctly configured to verify checksums. And, of course, do not forget to check that you are downloading via https:// instead of http:// from all of your remote repositories.
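As an added illustration (not part of the original post), the following Python script walks a local repository cache and reports the artifacts that would produce the error shown at the top: jars that are not zip archives, files that are really HTML pages served by a repository that no longer has the artifact, and files whose bytes do not match the .sha1 or .md5 sidecar. The function names and the sample repository it builds are constructed for this example; point `scan_repository` at `$HOME/.m2/repository` to check a real cache.

```python
# Added example (not from the original post): walk a local Maven repository such as
# ~/.m2/repository and report artifacts that would trigger the error above: a .jar that
# is not a zip, an HTML error page saved as an artifact, or a checksum-sidecar mismatch.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

ZIP_MAGIC = b"PK\x03\x04"      # local file header signature every jar starts with
HTML_HINTS = (b"<html", b"<!doctype")

def read_sidecar(path: Path) -> Optional[str]:
    """Hex digest from a sidecar file; Maven accepts 'digest' or 'digest  filename'."""
    words = path.read_text().split() if path.exists() else []
    return words[0].lower() if words else None

def check_artifact(artifact: Path) -> List[str]:
    """Return the problems found for one .jar or .pom (an empty list means it is sound)."""
    data = artifact.read_bytes()
    problems = []
    if artifact.suffix == ".jar" and not data.startswith(ZIP_MAGIC):
        problems.append("not a zip archive (Maven reports 'invalid LOC header')")
    if any(hint in data[:512].lower() for hint in HTML_HINTS):
        problems.append("content is an HTML page: the repository no longer serves it")
    for algo in ("sha1", "md5"):   # checksum sidecars Maven downloads next to an artifact
        expected = read_sidecar(artifact.with_name(artifact.name + "." + algo))
        if expected is not None and hashlib.new(algo, data).hexdigest() != expected:
            problems.append(f"{algo} checksum does not match sidecar value {expected}")
    return problems

def scan_repository(root: Path) -> Dict[str, List[str]]:
    """Map artifact path (relative to root) to its problems, for every corrupt artifact."""
    report = {}
    for artifact in sorted(root.rglob("*")):
        if artifact.is_file() and artifact.suffix in (".jar", ".pom"):
            problems = check_artifact(artifact)
            if problems:
                report[artifact.relative_to(root).as_posix()] = problems
    return report

def build_sample_repository() -> Path:
    """Constructed sample data: one sound jar and one 'jar' that is really a 404 page."""
    base = Path(tempfile.mkdtemp()) / "org" / "example" / "lib" / "1.0"
    base.mkdir(parents=True)
    good = ZIP_MAGIC + b"\x00" * 32                 # minimal zip-like payload (constructed)
    (base / "lib-1.0.jar").write_bytes(good)
    (base / "lib-1.0.jar.sha1").write_text(hashlib.sha1(good).hexdigest())
    (base / "lib-1.0-sources.jar").write_bytes(b"<!DOCTYPE html><html><body>404</body></html>")
    (base / "lib-1.0-sources.jar.sha1").write_text("0" * 40 + "  lib-1.0-sources.jar\n")
    return base.parents[3]                          # the repository root
```

Running `scan_repository(build_sample_repository())` reports only the sources jar, with all three problems, while the sound jar with a matching .sha1 sidecar is not listed.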
Hope this helps!