> Do I need to add a checksum?

That is right, we require dependency verification.

Here's a sample from when I recently added a new dependency: https://github.com/apache/jmeter/commit/a2690e8a6d22420869eb89643c116901cc5c5bce

Note that there were changes to checksum.xml, and the new PGP keys have been added to the /cached-pgp-keys/ folder as well. Don't forget to add the added keys to your commit as well.

---

In this case it would be reasonably safe to launch the build with -PchecksumUpdateAll. Then the checksum file will be updated automatically.

Of course, it makes sense to double-check whether ffcd6605daa43db4290eca4898e2d057e0d58dc6 matches the official signing key for the dependency. It should typically be printed on the official website of the dependency or at least in the GitHub repository.

See samples in https://github.com/junit-team/junit5/issues/2020#issuecomment-534117511

Vladimir
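
The fingerprint double-check described in the message above can be scripted so that formatting differences do not hide a mismatch. This is an added example, not part of the original message or of the JMeter build: the function names are hypothetical, and the "published" strings are constructed here by reformatting the fingerprint quoted in the message, not copied from any website.

```shell
#!/bin/sh
# Compare the key fingerprint recorded by the build with the one the
# dependency's maintainers publish. Websites usually print fingerprints in
# upper case, grouped by spaces; the build records them as bare lower-case hex.

# normalize_fpr VALUE: drop spaces, colons and an optional 0x prefix, lower-case.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr '[:upper:]' '[:lower:]' | sed 's/^0x//'
}

# fpr_matches RECORDED PUBLISHED
#   returns 0 when both are full 40-hex-digit fingerprints and are equal,
#   returns 1 when both are well formed but differ,
#   returns 2 when either value is not a full fingerprint (for example a
#   short 8- or 16-digit key ID, which is not unique enough to trust).
fpr_matches() {
    recorded=$(normalize_fpr "$1")
    published=$(normalize_fpr "$2")
    for f in "$recorded" "$published"; do
        case "$f" in
            ''|*[!0-9a-f]*) return 2 ;;
        esac
        [ "${#f}" -eq 40 ] || return 2
    done
    [ "$recorded" = "$published" ]
}

# Value quoted in the message above.
RECORDED='ffcd6605daa43db4290eca4898e2d057e0d58dc6'
# Constructed sample: the same value in the layout a project page might use.
PUBLISHED='FFCD 6605 DAA4 3DB4 290E  CA48 98E2 D057 E0D5 8DC6'

if fpr_matches "$RECORDED" "$PUBLISHED"; then
    echo "fingerprint matches the published key"
else
    echo "fingerprint does NOT match: do not commit the updated checksum.xml"
fi
```

Replace `PUBLISHED` with the string copied from the dependency's official site or repository before relying on the result.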