Maven Artifact Checksums - What?

If you are using Apache Maven you might have run into issues like this:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-shade-plugin:2.1:shade (default) on project cores-batch: Error creating shaded jar: invalid LOC header (bad signature) -> [Help 1]
...
.... (many lines removed for brevity).
...
Caused by: java.util.zip.ZipException: invalid LOC header (bad signature)
    at java.util.zip.ZipFile.read(Native Method)
    at java.util.zip.ZipFile.access$1400(ZipFile.java:56)
    at java.util.zip.ZipFile$ZipFileInputStream.read(ZipFile.java:679)
    at java.util.zip.ZipFile$ZipFileInflaterInputStream.fill(ZipFile.java:415)
    at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:158)
    at java.io.FilterInputStream.read(FilterInputStream.java:107)
...

How can that happen? Most of the time download or network problems cause something like this. In extremely rare cases it might also be a hardware error (although I usually have my doubts about that). Either the artifacts were not downloaded correctly, or they were downloaded from repositories which do not exist anymore, or some other strange thing you could imagine went wrong. If you find artifacts which contain HTML snippets, that is an indicator that you are trying to download from repositories which do not exist anymore: the server answered with an HTML page instead of the artifact. This means you have to check the repository configuration you are using, which is obviously wrong.

So now the question is: what can you do to prevent that in the future?

If you take a look at Stack Overflow questions related to that, more or less all answers will tell you to delete your local cache $HOME/.m2/repository and rebuild. Unfortunately this only treats a symptom, not the real cause. Still, the work begins with deleting the local cache as a first step.
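Before wiping the whole local cache, it helps to know which artifacts are actually damaged. The following script is an added example and not part of the original post or of Maven itself: it walks a local repository, compares every .jar and .pom against the .sha1 sidecar file Maven stores next to each download, and flags files whose first byte is '<' (an HTML page served instead of the artifact). It assumes the standard repository layout (artifact.jar beside artifact.jar.sha1) and that sha1sum is on the PATH; the function names and the DIR argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: verify artifacts in a local
# Maven repository against their .sha1 sidecar files.

# verify_artifact FILE -> prints a one-line verdict; returns 0 only when the
# SHA-1 of FILE matches the digest stored in FILE.sha1.
verify_artifact() {
    file="$1"
    # A payload starting with '<' is not a jar/pom but an HTML error or
    # login page returned by a repository that no longer exists.
    case "$(head -c 1 "$file")" in
        '<') printf 'HTML   %s\n' "$file"; return 1 ;;
    esac
    sidecar="$file.sha1"
    if [ ! -f "$sidecar" ]; then
        printf 'NOSHA1 %s\n' "$file"; return 1
    fi
    # Sidecar files hold the hex digest, sometimes followed by a file name;
    # normalise to lowercase hex so the comparison is exact.
    expected=$(head -n 1 "$sidecar" | tr -d '\r' | cut -d ' ' -f 1 | tr 'A-F' 'a-f')
    actual=$(sha1sum "$file" | cut -d ' ' -f 1)
    if [ "$expected" = "$actual" ]; then
        printf 'OK     %s\n' "$file"; return 0
    fi
    printf 'BAD    %s (expected %s, got %s)\n' "$file" "$expected" "$actual"
    return 1
}

# scan_repo [DIR] -> one verdict line per .jar/.pom below DIR
# (defaults to the standard local repository).
scan_repo() {
    dir="${1:-$HOME/.m2/repository}"
    find "$dir" -type f \( -name '*.jar' -o -name '*.pom' \) | while IFS= read -r f; do
        verify_artifact "$f"
    done
}

# count_bad [DIR] -> prints the number of artifacts that did not verify.
count_bad() {
    scan_repo "$1" | grep -c -v '^OK ' || true
}
```

Source the file and run `scan_repo` (or `scan_repo /path/to/repo`) to get a verdict per artifact; only the files reported as HTML, NOSHA1 or BAD need to be deleted and re-downloaded, and an HTML verdict points directly at a repository URL in your configuration that should no longer be there.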

And now the very important part:

You have to configure Maven to check the checksums of the downloaded artifacts and to fail your build if they are not correct. This is called the checksum policy, and I strongly recommend using it.

This means you have to change the checksum policy in your settings.xml. A temporary solution would be to call Maven with --strict-checksums, which does exactly this, but only for that particular invocation of Maven and not always. So it is better to configure it in your settings.xml, which will look like this:

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                      https://maven.apache.org/xsd/settings-1.0.0.xsd">
  ...
  <profiles>
    <profile>
      ...
      <repositories>
        <repository>
          <id>codehausSnapshots</id>
          <name>Codehaus Snapshots</name>
          <releases>
            <enabled>false</enabled>
            <updatePolicy>always</updatePolicy>
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>true</enabled>
            <updatePolicy>never</updatePolicy>
            <checksumPolicy>fail</checksumPolicy>
          </snapshots>
          <url>...</url>
        </repository>
      </repositories>
      <pluginRepositories>
        ...
      </pluginRepositories>
      ...
    </profile>
  </profiles>
  ...
</settings>

Furthermore, you have to configure this for all of your repositories in your settings.xml, the plugin repositories included. If you are using a repository manager, either locally or within a corporate environment, you have to check the repository manager as well to make sure it is correctly configured to verify the checksums. You should of course also check that you are downloading via https:// instead of http:// from all of your remote repositories.