[MNG-8182] Missing or mismatching Trusted Checksum for some artifacts is not properly reported

[jira-importer]

Marcono1234 opened MNG-8182 and commented

Description

When using Maven Artifact Resolver's "Trusted Checksums" feature, but the checksum for maven-shared-incremental is missing, the error is not properly reported on the console:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.13.0:compile (default-compile) on project my-app: Execution default-compile of goal org.apache.maven.plugins:maven-compiler-plugin:3.13.0:compile failed: Plugin org.apache.maven.plugins:maven-compiler-plugin:3.13.0 or one of its dependencies could not be resolved:
[ERROR]
[ERROR]
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.

Note how there are no details about why resolution failed.
When running with -X / \--debug the information is visible in the stack trace, however I think this information should be shown by default.

Caused by: org.eclipse.aether.resolution.DependencyResolutionException: The following artifacts could not be resolved: org.apache.maven.shared:maven-shared-incremental:jar:1.1 (present): Missing from summaryFile trusted checksum(s) [SHA-1] for artifact org.apache.maven.shared:maven-shared-incremental:jar:1.1

It seems org.apache.maven.plugin.internal.DefaultPluginDependenciesResolver#resolveInternal is ommitting the cause when throwing a new exception. Therefore I reported it as Maven bug, though maybe the underlying issue is with Maven Artifact Resolver?

I also haven't fully understood the internal details of the Artifact Resolver "Trusted Checksums" feature yet. It seems the checksum for maven-shared-incremental is stored in a separate checksums-local.sha1 file. Either way, regardless of the implementation details, the fact that it is a separate file makes it more likely that users accidentally forget to commit it for example in Git and then get the irritating error mentioned above.

How to reproduce

I have performed this on Windows 10, but the OS might not matter.

1. Download the attached [^checksums-test.zip] and extract it
2. Inside it, run

./mvnw compile

(x) Bug: An error occurs, but the error message does not explain why the dependencies could not be resolved

1. Run

./mvnw compile -X

(i) Note: The stack trace now reveals that the cause for the error is the missing checksum for maven-shared-incremental

1. Run

./mvnw compile "-Daether.artifactResolver.postProcessor.trustedChecksums.record=true"

(i) Note: An additional checksums-local.sha1 file was created and the build succeeded

As side note: Maybe the way this sample project uses the "Trusted Checksums" feature is not proper (see also related Stack Overflow question), though either way, the incomplete error message is confusing.

---

Affects: 3.9.8

Attachments:

• checksums-test.zip (10.68 kB)

Issue Links:

• MNG-7758 o.e.aether.resolution.ArtifactResolutionException incorrectly examined when multiple repositories are involved
  ("is caused by")

Remote Links:

• GitHub Pull Request #1632
  
• GitHub Pull Request #1635
  

Backported to: 4.0.0-beta-4, 3.9.9

[jira-importer]

Marcono1234 commented

Edit: Maybe this is not limited to a missing checksum for maven-shared-incremental.
In checksums-central.sha1 I have edited the checksum of plexus-compiler-api-2.15.0.jar (so that it should cause a mismatch error), and when running ./mvnw compile the cause is not displayed either unless debug logging is active.

[jira-importer]

Michael Osipov commented

Tamas Cservenak

[jira-importer]

Tamas Cservenak commented

Error message now looks like this:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.13.0:compile (default-compile) on project my-app: Execution default-compile of goal org.apache.maven.plugins:maven-compiler-plugin:3.13.0:compile failed: Plugin org.apache.maven.plugins:maven-compiler-plugin:3.13.0 or one of its dependencies could not be resolved:
[ERROR] 	Missing from summaryFile trusted checksum(s) [SHA-1] for artifact org.apache.maven.shared:maven-shared-incremental:jar:1.1

[jira-importer]

Tamas Cservenak commented

Marcono1234Also see DEMO https://github.com/cstamas/tc-demo

[jira-importer]

Marcono1234 commented

Thanks a lot for fixing this, and for the demo project! It seems I was pretty close then with my Stack Overflow answer, except that I wasn't aware of ${session.rootDirectory}; I have adjusted my answer there.

Are there any plans to make configuring / enabling the "Trusted Checksums" feature easier in the future? Ideally directly in the pom.xml, so that it is not as error-prone as the current approach:

Current approach	pom.xml approach
Using .mvn/maven.config to specify system properties is complicated, and it can easily happen that the setup is wrong (e.g. missing / mistyped system property name).	Configuration in pom.xml would be more obvious and pom.xml schema would prevent malformed configuration and typos.
Requires recent Maven versions / usage of Maven wrapper. When accidentally using older version no checksum verification is performed.	If the checksum configuration was part of the pom.xml, then (hopefully) older Maven versions would reject it because it is unknown to them, and you would notice that you are using a too old Maven version.

This is a bit similar to MNG-6026, but I am not suggesting to move this checksum information inside the pom.xml. Instead I am suggesting to keep the existing format and behavior of the Maven Artifact Resolver, but allow configuring it through pom.xml, instead of / in addition to the currently used -Daether.artifactResolver... (and similar) properties.