release of maven-lockfile
John Neffenger
john at status6.com
Fri Sep 27 15:29:36 UTC 2024
On 9/27/24 1:20 AM, Martin Monperrus wrote:
> To generate a lock file, run the following command:
> $ mvn io.github.chains-project:maven-lockfile:generate
I just discovered yesterday that Maven 3.9.2 or later now has support
for dependency and plugin verification built in! It's called "Trusted
Checksums," and it's rather poorly documented for the moment. It's very
similar to how the Gradle dependency verification works.
There's a demonstration project here:
Trusted Checksums Demo
https://github.com/cstamas/tc-demo
Some unhelpful Maven documentation is here:
Trusted Checksums
https://maven.apache.org/resolver/expected-checksums.html#trusted-checksums
There's a more helpful Stack Overflow answer here:
How to use Maven Resolver "Trusted Checksums" to ensure artifact integrity?
https://stackoverflow.com/q/78746427
I added it to my Maven project by setting the following command-line
options in my project's '.mvn/maven.config' file:
------------------------------------------------------------------------
$ cat .mvn/maven.config
--strict-checksums
-Daether.trustedChecksumsSource.summaryFile=true
-Daether.trustedChecksumsSource.summaryFile.basedir=${session.rootDirectory}/.mvn/checksums/
-Daether.artifactResolver.postProcessor.trustedChecksums=true
-Daether.artifactResolver.postProcessor.trustedChecksums.checksumAlgorithms=SHA-512
-Daether.artifactResolver.postProcessor.trustedChecksums.failIfMissing=true
------------------------------------------------------------------------
Then I recorded the SHA-512 checksums just once with:
------------------------------------------------------------------------
$ mvn clean verify \
    -Daether.artifactResolver.postProcessor.trustedChecksums.record
------------------------------------------------------------------------
After that, when anyone builds my project, the checksums for all 379
dependencies and plugins are verified:
------------------------------------------------------------------------
$ mvn clean package
...
[INFO] Loaded 379 trusted checksums from
/home/john/src/pub/hello-java/.mvn/checksums/checksums-central.sha512
...
[INFO] BUILD SUCCESS
------------------------------------------------------------------------
John
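As an added illustration (not code from John's mail, Maven Resolver, or the tc-demo project), a small Python verifier that models what the `--strict-checksums` plus `failIfMissing=true` configuration above enforces: every artifact in the local repository must match a recorded SHA-512, and an artifact with no recorded entry fails the build. The summary-file line format (`hexdigest  repo/relative/path`) and the artifact paths are constructed for the example and are an assumption, not Maven's actual `checksums-central.sha512` layout.

```python
import hashlib
import os
import tempfile

def sha512_of(path):
    with open(path, "rb") as f:
        return hashlib.sha512(f.read()).hexdigest()

def parse_summary(text):
    """'hexdigest  repo/relative/path' per line (constructed format) -> {path: digest}."""
    trusted = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, _, rel = line.strip().partition("  ")
            trusted[rel.strip()] = digest.lower()
    return trusted

def verify_repo(repo_dir, trusted, fail_if_missing=True):
    """Return (ok, problems): a mismatch always fails; an artifact with no
    trusted entry fails when fail_if_missing (the failIfMissing=true setting)."""
    problems = []
    for root, _, files in os.walk(repo_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, repo_dir).replace(os.sep, "/")
            expected = trusted.get(rel)
            if expected is None:
                if fail_if_missing:
                    problems.append(f"MISSING trusted checksum: {rel}")
            elif sha512_of(full) != expected:
                problems.append(f"MISMATCH: {rel}")
    return (not problems, sorted(problems))

def demo():
    """Constructed repo: a good jar, a jar changed after recording, an unlisted jar."""
    with tempfile.TemporaryDirectory() as repo:
        def write(rel, data):
            full = os.path.join(repo, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            return full
        good = write("org/example/lib/1.0/lib-1.0.jar", b"lib bytes")
        bad = write("org/example/util/1.0/util-1.0.jar", b"original")
        summary = (f"{sha512_of(good)}  org/example/lib/1.0/lib-1.0.jar\n"
                   f"{sha512_of(bad)}  org/example/util/1.0/util-1.0.jar\n")
        write("org/example/util/1.0/util-1.0.jar", b"tampered")  # post-record change
        write("org/example/extra/1.0/extra-1.0.jar", b"never recorded")
        return verify_repo(repo, parse_summary(summary))
```

Running `demo()` reports the tampered jar as a mismatch and the unrecorded jar as missing, while the unchanged jar passes silently; dropping `fail_if_missing` would let the unrecorded jar through, which is why the mail's config sets `failIfMissing=true`.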