Hi,

There is a "Trusted Checksums" feature: https://maven.apache.org/resolver/expected-checksums.html

We can store / record checksums in the project file and use it next time.

Here is a demo project with "Trusted Checksums": https://github.com/cstamas/tc-demo

On Fri, 11 Jul 2025 at 00:55, Elliotte Rusty Harold <elh...@ibiblio.org> wrote:
>
> Personal opinion only: displaying checksums, even optionally, is
> unlikely to be helpful. No one pays attention to these or verifies
> them. Recently I actually went to the trouble of verifying the
> checksums for a major Apache project and discovered the KEYS file was
> borked. No one had noticed for years. Checksums need to be verified
> automatically. Adding code to support manual verification is security
> theater and a waste of time.
>
> On Thu, Jul 10, 2025 at 6:18 PM Calum Harrison
> <calum.harri...@snyk.io.invalid> wrote:
> >
> > Hi dev list,
> >
> > I'd like to propose a small enhancement to the maven-dependency-plugin.
> > From a Software Composition Analysis (SCA) and security perspective, it's
> > crucial to verify the exact artifact that has been resolved during a build.
> > Private or third-party repositories may provide artifacts that have been
> > patched or altered but retain the same GAV (GroupId, ArtifactId, Version)
> > coordinates. This makes identifying the specific artifact provenance a
> > challenge.
> >
> > Would the team consider adding an optional flag (e.g., -DshowChecksums) to
> > commands like dependency:tree and dependency:list that would display the
> > SHA-1 hash of the resolved artifact?
> > This would provide a simple, standardized way to verify artifact integrity
> > without relying on third-party plugins, which are often restricted in
> > corporate environments.
> >
> > Is this functionality something that would be within the scope of the
> > maven-dependency-plugin, or would it be better suited for another plugin or
> > Maven core itself?
> >
> > Thanks,
> > Calum
> >
>
> --
> Elliotte Rusty Harold
> elh...@ibiblio.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>

--
Sławomir Jaranowski
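The thread's point is that checksums only help when they are recorded once and then checked automatically on every later resolution, and that a same-GAV artifact swapped in by a private mirror must fail that check. The following is an added illustration of that record-then-verify loop, written for this page; it is not Maven Resolver's implementation and not code from the tc-demo project. It assumes a sha1sum-style summary file (one `<sha1>  <artifact path relative to the local repository>` line per artifact) stored under `.mvn/checksums/`, with the file name `checksums-central.sha1` chosen here for the example; the resolver's own file layout and configuration properties are documented on the linked page and should be taken from there. The `fail_if_missing` switch shows the two policies a practitioner has to choose between: refuse to build on any artifact that has no recorded checksum, or only fail on a recorded checksum that does not match.

```python
"""Record-then-verify of resolved artifact checksums (added example, not
Maven Resolver's code). Summary-file layout and file name are assumptions."""
import hashlib
import tempfile
from pathlib import Path

CHECKSUMS_FILE = "checksums-central.sha1"  # assumed name for this example


def sha1_of(path: Path) -> str:
    """Stream the file so large jars do not need to be read into memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def resolved_artifacts(repo: Path):
    """Yield (repo-relative path, file) for every jar/pom in the local repository."""
    for p in sorted(repo.rglob("*")):
        if p.is_file() and p.suffix in (".jar", ".pom"):
            yield p.relative_to(repo).as_posix(), p


def record(repo: Path, summary: Path) -> dict:
    """Write the summary file from what is currently resolved; commit it with the project."""
    entries = {rel: sha1_of(p) for rel, p in resolved_artifacts(repo)}
    summary.write_text("".join(f"{h}  {rel}\n" for rel, h in sorted(entries.items())))
    return entries


def load_summary(summary: Path) -> dict:
    """Parse sha1sum-style lines; tolerate the '*' binary marker and comments."""
    trusted = {}
    for line in summary.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, rel = line.split(None, 1)
        trusted[rel.lstrip("*").strip()] = digest.lower()
    return trusted


def verify(repo: Path, summary: Path, fail_if_missing: bool = True) -> dict:
    """Compare every resolved artifact against the recorded digest.

    'mismatch' always fails the build: the bytes differ from what was recorded
    even though the GAV coordinates are unchanged. 'missing' (no recorded
    digest) fails only when fail_if_missing is set."""
    trusted = load_summary(summary)
    report = {"mismatch": [], "missing": []}
    for rel, p in resolved_artifacts(repo):
        expected = trusted.get(rel)
        if expected is None:
            report["missing"].append(rel)
        elif sha1_of(p) != expected:
            report["mismatch"].append(rel)
    report["ok"] = not report["mismatch"] and (not fail_if_missing or not report["missing"])
    return report


def demo() -> dict:
    """Constructed scenario (no network): record two artifacts, then add an
    unrecorded one, then replace a recorded jar with a patched same-GAV build."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repository"
        summary = Path(tmp) / ".mvn" / "checksums" / CHECKSUMS_FILE
        summary.parent.mkdir(parents=True)
        jar = repo / "org/example/lib/1.0/lib-1.0.jar"
        pom = repo / "org/example/lib/1.0/lib-1.0.pom"
        for f, content in ((jar, b"original jar bytes"), (pom, b"<project/>")):
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(content)
        recorded = len(record(repo, summary))
        clean = verify(repo, summary)
        extra = repo / "org/example/extra/2.0/extra-2.0.jar"
        extra.parent.mkdir(parents=True)
        extra.write_bytes(b"never recorded")
        missing_strict = verify(repo, summary, fail_if_missing=True)
        missing_lenient = verify(repo, summary, fail_if_missing=False)
        jar.write_bytes(b"patched jar bytes, same GAV")  # mirror served altered bytes
        tampered = verify(repo, summary, fail_if_missing=False)
        return {"recorded": recorded, "clean": clean, "missing_strict": missing_strict,
                "missing_lenient": missing_lenient, "tampered": tampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The useful property is the last case: with the summary file committed alongside the POM, a build that resolves `lib-1.0.jar` from a mirror that "patched" it fails without anyone having to read a hash, which is the automatic verification the thread asks for; the human-readable `-DshowChecksums` output would only help someone who actually compares the value by hand.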