DEV Community

Karl Heinz Marbaise

Maven Artifact Checksums - What?

If you are using Apache Maven you might have faced issues like this:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-shade-plugin:2.1:shade (default) on project cores-batch: Error creating shaded jar: invalid LOC header (bad signature) -> [Help 1]
.... (many lines removed for brevity)
Caused by: invalid LOC header (bad signature)
    at Method)

How could that happen? Most of the time these are download or network issues. In extremely rare cases it might also be a hardware error (although I usually have my doubts about that). This means the artifacts were not downloaded correctly, or were downloaded from repositories which do not exist anymore, or any other strange thing you could imagine. If you have artifacts which contain HTML snippets, this is an indicator that you are trying to download artifacts from repositories which do not exist anymore: the server answered with an error page instead of the artifact. This means you have to check the repository configuration you use, which is obviously wrong.

So now the question is: what can you do to prevent that in the future?

If you take a look at Stack Overflow questions related to that, more or less all answers will tell you to delete your local cache $HOME/.m2/repository and rebuild.
This unfortunately only fixes a symptom, not the real cause. So the work begins with deleting the local cache as a first step.
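As an added example (not part of the original post), here is a small POSIX shell script that inspects a local repository before you throw it away: it compares every .jar and .pom against the .sha1 sidecar Maven stores next to each downloaded file, and flags files that are really HTML error pages from a repository that no longer exists. The function names, the exit-code convention and the sample files in the comments are assumptions of this example; the default path $HOME/.m2/repository is Maven's standard local repository.

```shell
#!/bin/sh
# Added example: scan a Maven local repository for corrupted downloads.
# Assumes POSIX sh plus sha1sum (or shasum on macOS). Not part of Maven itself.

# SHA-1 of a file as 40 lowercase hex characters.
sha1_of_file() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -c1-40
    else
        shasum -a 1 "$1" | cut -c1-40   # macOS fallback
    fi
}

# Expected SHA-1 from the .sha1 sidecar. Some servers append "  filename"
# after the hash and some use uppercase or CRLF, so normalise all of that.
expected_sha1() {
    tr -d '\r' < "$1" | head -n 1 | cut -c1-40 | tr 'A-F' 'a-f'
}

# True if the first 512 bytes look like an HTML page instead of a jar/pom.
looks_like_html() {
    head -c 512 "$1" | grep -qiE '<html|<!doctype html'
}

# check_artifact FILE
#   returns 0 = OK, 1 = checksum mismatch, 2 = HTML content, 3 = no sidecar
check_artifact() {
    f="$1"
    if looks_like_html "$f"; then
        echo "HTML-CONTENT $f"
        return 2
    fi
    if [ ! -f "$f.sha1" ]; then
        echo "NO-SIDECAR   $f"
        return 3
    fi
    exp=$(expected_sha1 "$f.sha1")
    act=$(sha1_of_file "$f")
    if [ "$exp" != "$act" ]; then
        echo "MISMATCH     $f (expected $exp, got $act)"
        return 1
    fi
    return 0
}

# scan_repo [DIR]  (default: $HOME/.m2/repository)
#   prints one line per problem and returns the number of problems found
scan_repo() {
    repo="${1:-$HOME/.m2/repository}"
    bad=0
    # Collect the paths first so the while-loop runs in the current shell
    # and the counter survives (a pipe would run it in a subshell).
    list=$(mktemp)
    find "$repo" -type f \( -name '*.jar' -o -name '*.pom' \) > "$list"
    while IFS= read -r f; do
        check_artifact "$f" || bad=$((bad + 1))
    done < "$list"
    rm -f "$list"
    return "$bad"
}
```

Run `scan_repo` with no argument to check the default local repository; its exit status is the number of problem files (0 means clean; shells truncate exit codes above 255, so treat any non-zero status as "look at the printed lines"). Only the flagged files need to be deleted and re-downloaded, which is far cheaper than wiping the whole cache, and the MISMATCH versus HTML-CONTENT distinction tells you whether the cause was a broken transfer or a wrong repository URL.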

And now the very important part:

You have to configure Maven to check the checksums of the downloaded artifacts and fail your build if they are not correct. This is called the checksum policy, and I strongly recommend using it.

This means you have to change the checksum policy in your settings.xml.
A temporary solution would be to call Maven with --strict-checksums (short form -C), which does exactly this, but only for that particular invocation of Maven and not always. So it is better to configure it in your settings.xml, which will look like this:

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
  <!-- Repositories in settings.xml must live inside a profile; the profile id
       below is an illustrative name, choose your own. -->
  <profiles>
    <profile>
      <id>strict-checksums</id>
      <repositories>
        <repository>
          <id>codehausSnapshots</id>
          <name>Codehaus Snapshots</name>
          <!-- placeholder: the repository URL did not survive in this post,
               put the URL of your own repository (https://, not http://) here -->
          <url>https://REPOSITORY-URL-PLACEHOLDER/</url>
          <releases>
            <enabled>true</enabled>
            <!-- checksumPolicy accepts ignore, warn or fail; fail is what we want -->
            <checksumPolicy>fail</checksumPolicy>
          </releases>
          <snapshots>
            <enabled>true</enabled>
            <checksumPolicy>fail</checksumPolicy>
          </snapshots>
        </repository>
      </repositories>
    </profile>
  </profiles>
  <!-- activate the profile for every build, otherwise the policy never applies -->
  <activeProfiles>
    <activeProfile>strict-checksums</activeProfile>
  </activeProfiles>
</settings>

Furthermore you have to configure this for all of the repositories in your settings.xml, for releases as well as for snapshots. If you are using a repository manager, either locally or within a corporate environment, you have to check the repository manager as well to see whether it is correctly configured to verify checksums of what it proxies. And of course do not forget to check that you are downloading via https:// instead of http:// from all of your remote repositories; without TLS a checksum downloaded over the same connection protects only against transfer errors, not against a tampered download.

Top comments (2)

Brian Oxley

This was helpful, thank you!

Any suggestions on how to set this globally? Ideally would be in my pom.xml, if that is possible.

Karl Heinz Marbaise

As I wrote in my article, the settings.xml is the location to set it globally. No, in the pom.xml you cannot set it, nor is it ideal.