And one more thing: On a related note (globally, not TC related directly), in Maven 4 (Resolver 2) we have much greater control over connectors, see https://github.com/apache/maven-resolver/issues/1361

And as the issue shows, a "signature checking" connector is about to arrive soon(ish). And this also opens the door for many other connectors as well...

Thanks
T

On Fri, Jul 11, 2025 at 5:18 PM Tamás Cservenák <ta...@cservenak.net> wrote:
>
> Howdy,
>
> Yes, sadly we (project) are very bad at "advertising" and "properly
> documenting" things. Sorry about that.
>
> Trusted checksums is in fact an SPI and one can plug in various sources
> (while resolver contains some "basic" implementations). This is a very
> similar setup as with Remote Repository Filtering (RRF,
> https://maven.apache.org/resolver/remote-repository-filtering.html); it
> is also SPI + "basic" example implementations.
>
> For example, Maveniverse Mimir is a checksum provider for Maven too:
> https://github.com/maveniverse/mimir/blob/639f49f4d6e763cbcdfc7b29dc69f0eb22c345f1/extension3/src/main/java/eu/maveniverse/maven/mimir/extension3/MimirTrustedChecksumsSource.java#L31
>
> It just hooks into the SPI:
> https://github.com/apache/maven-resolver/tree/a60ebd1a6cd1d40019303b8bbee5b601f8e33d0a/maven-resolver-spi/src/main/java/org/eclipse/aether/spi/checksums
>
> Also, there is my personal "demo", but most probably I need to update it:
> https://github.com/cstamas/tc-demo
>
> In this case, the "checksums source" (file) is checked in with
> sources/project files, the most basic setup (as hopefully you trust the
> repo you are building sources from, hence you should trust the
> checksums enlisted as well).
>
> Thanks
> T
>
> On Fri, Jul 11, 2025 at 4:57 PM John Neffenger <j...@status6.com> wrote:
> >
> > On 7/11/25 7:26 AM, Calum Harrison wrote:
> > > "Trusted Checksums" is good to know about -- I had missed that.
> >
> > It's very easy to miss!
> >
> > I came across it accidentally myself rather recently. I was
> > participating in this issue:
> >
> > [MNG-6026] Extend the Project Object Model (POM) with trust information
> > (OpenPGP, hash values) #7858
> > https://github.com/apache/maven/issues/7858
> >
> > but I missed the post by Tamás Cservenák that announced it:
> >
> > Maven OOTB provides: trusted checksums ...
> > https://github.com/apache/maven/issues/7858#issuecomment-3041224404
> >
> > Gradle has had similar dependency verification for some time:
> >
> > Verifying dependencies
> > https://docs.gradle.org/current/userguide/dependency_verification.html
> >
> > The corresponding Maven documentation is found at the link below. The
> > Maven page looks more like an internal design document, which is
> > important, but we're missing a good description of the end-user interface.
> >
> > Expected Checksums
> > https://maven.apache.org/resolver/expected-checksums.html
> >
> > This is a long-awaited major new feature and enhancement. It seems that
> > very few users of Maven are aware of it.
> >
> > John
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > For additional commands, e-mail: dev-h...@maven.apache.org
> >
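A worked illustration of the "checksums file checked in with the project" setup described in the thread above, added here as an example; it is not code from Maven Resolver, Mimir or the tc-demo repository. It verifies resolved artifacts against a committed checksum list and separates the two outcomes a build should treat differently: a checksum that is present but does not match (the artifact differs from what the repository's maintainers pinned, so the build must fail) and an artifact with no entry at all (a policy decision, strict by default). The file format, the coordinates, the artifact bytes and the `fail_if_unlisted` flag are constructed for the example and are not Resolver's own format or API.

```python
"""Verify resolved artifacts against a checked-in trusted-checksums file.

Added example, not Maven Resolver code. The line format below
('<groupId>:<artifactId>:<extension>:<version> <sha256>') is constructed for
illustration and is not Resolver's trusted-checksums file format.
"""
import hashlib
import hmac
from enum import Enum

# Constructed artifact contents standing in for downloaded jars.
ARTIFACT_A = b"constructed contents of lib-a-1.0.0.jar"
ARTIFACT_B = b"constructed contents of lib-b-2.3.1.jar"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample of the file that would be committed beside the sources,
# so anyone who trusts the repository also trusts these pins.
TRUSTED_CHECKSUMS_FILE = (
    "# constructed sample; one '<coordinates> <sha256>' entry per line\n"
    f"org.example:lib-a:jar:1.0.0 {sha256_hex(ARTIFACT_A)}\n"
    f"org.example:lib-b:jar:2.3.1 {sha256_hex(ARTIFACT_B)}\n"
)


class Verdict(Enum):
    TRUSTED = "trusted"    # checksum matched the checked-in value
    MISMATCH = "mismatch"  # entry exists but the bytes differ: always fatal
    UNLISTED = "unlisted"  # no entry for this artifact: policy decides


def parse_trusted_checksums(text: str) -> dict[str, str]:
    """Parse the checked-in file into {coordinates: sha256}.

    Blank lines and '#' comments are ignored; malformed or conflicting
    entries raise, because a pin file that cannot be read exactly must not
    silently weaken verification.
    """
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[1]) != 64:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        coords, digest = parts[0], parts[1].lower()
        if coords in entries and entries[coords] != digest:
            raise ValueError(f"line {lineno}: conflicting checksum for {coords}")
        entries[coords] = digest
    return entries


def verify_artifact(coords: str, data: bytes, trusted: dict[str, str]) -> Verdict:
    """Compare one resolved artifact with its pinned checksum."""
    expected = trusted.get(coords)
    if expected is None:
        return Verdict.UNLISTED
    actual = sha256_hex(data)
    return Verdict.TRUSTED if hmac.compare_digest(actual, expected) else Verdict.MISMATCH


def verify_resolved(resolved: dict[str, bytes], trusted: dict[str, str],
                    fail_if_unlisted: bool = True) -> tuple[bool, dict[str, Verdict]]:
    """Verify every resolved artifact; returns (build_may_proceed, per-artifact report).

    A MISMATCH always blocks the build. UNLISTED blocks it only under the
    strict policy (the default), which is the one to use once every
    dependency has been pinned.
    """
    report = {coords: verify_artifact(coords, data, trusted) for coords, data in resolved.items()}
    blocking = {Verdict.MISMATCH} | ({Verdict.UNLISTED} if fail_if_unlisted else set())
    ok = not any(verdict in blocking for verdict in report.values())
    return ok, report


if __name__ == "__main__":
    trusted = parse_trusted_checksums(TRUSTED_CHECKSUMS_FILE)
    resolved = {
        "org.example:lib-a:jar:1.0.0": ARTIFACT_A,            # intact
        "org.example:lib-b:jar:2.3.1": ARTIFACT_B + b"\x00",  # constructed tampered bytes
        "org.example:lib-c:jar:0.9.0": b"never pinned",       # not in the file
    }
    ok, report = verify_resolved(resolved, trusted)
    for coords, verdict in report.items():
        print(f"{verdict.value:9} {coords}")
    print("build may proceed:", ok)
```

Under the strict default the run above blocks the build twice (one mismatch, one unlisted artifact); with `fail_if_unlisted=False` only the mismatch blocks it, which is the mode that lets a project roll pins out gradually while still catching a changed artifact.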