Hiram Chirino

Bit Mojo - My random ramblings on hawt technology.

In my last post I suggested making it easier to include dependency checksums as part of a Maven build. I decided it should be simple enough to implement this as a Maven plugin. For those of you interested, you can get the source to the new Checksum Plugin here.

The basic problem the plugin tries to solve is that a central repository could be compromised and the artifacts and dependencies our builds pull from it replaced with malicious versions. Right now there is no easy way to detect that, so we could end up cutting a release build that bundles one of those malicious dependencies. The .sha1 files a repository serves next to each artifact do not help here: they are hosted by the same repository, so whoever replaces the jar can replace its checksum file too, and Maven only uses them to catch corrupted downloads. In practice this rarely happens, but it is not out of the realm of possibility.

The plugin generates a checksum.txt file that is kept in the project with the rest of the build. This file records a checksum for every dependency, including each dependency's pom. Generating or updating the file is triggered by enabling a Maven profile, so it only happens deliberately, when dependencies are added or upgraded.

In a normal build the plugin just validates the checksums of the downloaded dependencies against those stored in the checksum.txt file.
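To make the generate/verify split concrete, here is an added example in Python that is not the plugin's own code: it builds a checksum.txt-style manifest from a set of resolved artifacts and then verifies a later build against it, flagging a swapped jar, a dependency nobody pinned, and a stale pin. The sample artifacts are constructed byte strings standing in for files in the local repository, the `coordinate sha1` line format is an assumption of this example rather than the plugin's real format, and SHA-1 is used only because it matches the .sha1 sidecar files Maven repositories publish.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for files Maven would have downloaded into the local
# repository (~/.m2/repository). Key is "groupId:artifactId:version:type";
# the value is the file's bytes. Every jar is paired with its pom, since the
# post pins the pom checksums too (a tampered pom can pull in extra deps).
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "org.example:foo:1.0:jar": b"PK\x03\x04 pretend contents of foo-1.0.jar",
    "org.example:foo:1.0:pom": b"<project><artifactId>foo</artifactId></project>",
    "org.example:bar:2.1:jar": b"PK\x03\x04 pretend contents of bar-2.1.jar",
    "org.example:bar:2.1:pom": b"<project><artifactId>bar</artifactId></project>",
}


def local_repo_path(coord: str, repo_root: str) -> str:
    """Map a coordinate to its location in the Maven local repository layout."""
    group, artifact, version, atype = coord.split(":")
    return f"{repo_root}/{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}.{atype}"


def sha1_hex(data: bytes) -> str:
    # SHA-1 matches the .sha1 sidecar files Maven repositories publish; swap in
    # sha256 if you would rather not pin on SHA-1.
    return hashlib.sha1(data).hexdigest()


def generate_manifest(artifacts: Dict[str, bytes]) -> str:
    """Build checksum.txt: one '<coordinate> <sha1>' line per artifact, sorted so diffs stay readable."""
    lines = [f"{coord} {sha1_hex(data)}" for coord, data in sorted(artifacts.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse checksum.txt strictly: malformed or duplicate lines are errors, not silently ignored."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[1]) != 40:
            raise ValueError(f"checksum.txt line {lineno}: expected '<coordinate> <sha1>', got {raw!r}")
        coord, digest = parts
        if coord in expected:
            raise ValueError(f"checksum.txt line {lineno}: duplicate entry for {coord}")
        expected[coord] = digest.lower()
    return expected


def verify(manifest: str, artifacts: Dict[str, bytes]) -> List[str]:
    """Return the list of problems; an empty list means every resolved artifact matches its pin."""
    expected = parse_manifest(manifest)
    problems: List[str] = []
    for coord, data in sorted(artifacts.items()):
        if coord not in expected:
            # A dependency nobody pinned: new or upgraded, so it needs a deliberate re-generate.
            problems.append(f"UNPINNED {coord}: no checksum recorded")
            continue
        actual = sha1_hex(data)
        if actual != expected[coord]:
            problems.append(f"MISMATCH {coord}: expected {expected[coord]} got {actual}")
    for coord in sorted(set(expected) - set(artifacts)):
        # Pinned but no longer resolved: harmless, but the manifest is stale.
        problems.append(f"STALE {coord}: pinned but not resolved by this build")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Generate a manifest, then verify a clean build and one where a jar was swapped."""
    manifest = generate_manifest(SAMPLE_ARTIFACTS)
    clean = verify(manifest, SAMPLE_ARTIFACTS)
    tampered = dict(SAMPLE_ARTIFACTS)
    tampered["org.example:foo:1.0:jar"] = b"PK\x03\x04 backdoored foo-1.0.jar"
    return clean, verify(manifest, tampered)


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean build:", "OK" if not clean else clean)
    for problem in tampered:
        print("tampered build:", problem)
```

The two modes map onto the plugin's profile switch: the profile runs the equivalent of `generate_manifest` and commits the result, while every other build runs `verify` and should fail on any MISMATCH or UNPINNED entry. Reporting unpinned dependencies matters as much as mismatches, otherwise a transitive dependency added by a tampered pom would slip through unchecked.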

I wish I could move the validation of the dependencies earlier in the Maven life cycle than where it currently sits, but it seems that if it is moved any earlier you can't get the list of dependencies. Any Maven mojo hackers have any workarounds for that?

About

I'm a software engineer for Red Hat Inc.
Disclaimer: The views expressed on this site are mine alone and do not necessarily reflect the views of my employer or its affiliated entities.
