Class TrustedChecksumsArtifactResolverPostProcessor

All Implemented Interfaces:

@Singleton @Named("trustedChecksums") public final class TrustedChecksumsArtifactResolverPostProcessor extends ArtifactResolverPostProcessorSupport
Artifact resolver processor that verifies the checksums of all resolved artifacts against trusted checksums. Is also able to "record" (calculate and write them) to trusted checksum sources, that do support this operation.

It uses a list of ChecksumAlgorithmFactoryies to work with, by default SHA-1.

Configuration keys:

  • aether.artifactResolver.postProcessor.trustedChecksums.checksumAlgorithms - Comma separated list of ChecksumAlgorithmFactory names to use (default "SHA-1").
  • aether.artifactResolver.postProcessor.trustedChecksums.failIfMissing - To fail if artifact being validated is missing a trusted checksum (default false).
  • aether.artifactResolver.postProcessor.trustedChecksums.snapshots - Should snapshot artifacts be handled (validated or recorded). Snapshots are by "best practice" in-house produced, hence should be trusted (default false).
  • aether.artifactResolver.postProcessor.trustedChecksums.record - If this value set to true, this component with not validate but "record" encountered artifact checksums instead (default false).

This component uses TrustedChecksumsSource as source of checksums for validation and also to "record" the calculated checksums. To have this component usable, there must exist at least one enabled checksum source. In case of multiple checksum sources enabled, ALL of them are used as source for validation or recording. This implies that if two enabled checksum sources "disagree" about an artifact checksum, the validation failure is inevitable.