
Recent Maven Artifact Resolver versions have a "Trusted Checksums" feature. As mentioned, for example, in this Reddit comment, it seems that this feature can be used to ensure artifact integrity and protect against some aspects of supply chain attacks. And it seems to be more secure than external Maven plugins trying to provide this functionality, since there the plugin itself (and other plugins) are downloaded before integrity verification can be performed.

However, I am currently having these problems with it:

  1. It only works for recent Maven versions
    If you accidentally use an older version integrity verification will not be performed
  2. It seems you have to provide the aether.trustedChecksumsSource.* and aether.artifactResolver.postProcessor.trustedChecksums.* arguments (see also documentation) on the command line
    This is quite cumbersome and easy to forget, and it seems to not be possible to enable it in the pom.xml
  3. By default aether.trustedChecksumsSource.summaryFile.basedir is relative to the local Maven repository
    This makes it difficult to add the file to Git for the Maven project, so that it can be shared with other developers. Additionally using expressions such as ${project.basedir} as value seems to not work.

I am using Maven version 3.9.8.

What is a good way to use the "Trusted Checksums" feature, ideally solving all the problems mentioned above?


(The following does not fully solve all problems, and maybe there are better solutions; I will not mark it as accepted answer yet.)

Addressing the problems:

  1. Use Maven Wrapper to control which exact Maven version is used
  2. The Maven Artifact Resolver properties can be declared in the .mvn/maven.config file
  3. Most expressions don't seem to work in .mvn/maven.config, but ${session.rootDirectory} added in Maven 3.9.2 does work

So the setup could look like this:

  1. Set up Maven Wrapper with a recent Maven version, for example Maven 3.9.8
    You should then also specify wrapperSha256Sum and distributionSha256Sum (when using wrapper:wrapper, or directly in the wrapper properties, respectively) to prevent supply chain attacks against the wrapper.
  2. Create the .mvn/maven.config file with this content:
    -Daether.artifactResolver.postProcessor.trustedChecksums=true
    -Daether.artifactResolver.postProcessor.trustedChecksums.failIfMissing=true
    -Daether.trustedChecksumsSource.summaryFile=true
    -Daether.trustedChecksumsSource.summaryFile.basedir=${session.rootDirectory}/.mvn/checksums
    
  3. Create the checksums file once (and ideally manually verify that the checksums are correct)
    ./mvnw clean verify "-Daether.artifactResolver.postProcessor.trustedChecksums.record=true"
    
    (you might have to replace verify with whatever phase or plugin goals you are using)
  4. For all subsequent Maven usage always run ./mvnw ...
    This should then validate the checksums. When adding dependencies, plugins or changing their version or the Maven version you might have to run with trustedChecksums.record=true again.

Warning: These steps might be incorrect and might not guarantee security; additionally it is not clear if third-party tools, especially IDEs, consider these settings, and if they use the Maven Wrapper or their own Maven version.
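The following is an added example and not part of the answer above: a small POSIX shell pre-flight check that a CI job (or a Git pre-commit hook) can run before ./mvnw, so that a forgotten trusted-checksums flag or a missing wrapper checksum pin fails the build loudly instead of silently skipping verification. It assumes the project layout from the answer (.mvn/maven.config and .mvn/wrapper/maven-wrapper.properties) and the property names used there; the archive and property values in the demo are constructed stand-ins, not real Maven distribution checksums.

```shell
#!/bin/sh
# Added example (not from the original answer): guard against the settings in
# .mvn/maven.config and the wrapper checksum pins being forgotten or tampered with.

# sha256 of a file, portable across coreutils (sha256sum) and BSD/macOS (shasum).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 if every trusted-checksums flag from the answer is present in maven.config.
# basedir is only checked for presence, since its value is project-specific.
check_maven_config() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    rc=0
    for prop in \
        'aether.artifactResolver.postProcessor.trustedChecksums=true' \
        'aether.artifactResolver.postProcessor.trustedChecksums.failIfMissing=true' \
        'aether.trustedChecksumsSource.summaryFile=true' \
        'aether.trustedChecksumsSource.summaryFile.basedir='
    do
        grep -q -- "^-D$prop" "$cfg" || { echo "maven.config lacks -D$prop" >&2; rc=1; }
    done
    return $rc
}

# Return 0 if the wrapper properties pin both sha256 sums with a 64-hex-digit value.
check_wrapper_pins() {
    props="$1"
    [ -f "$props" ] || { echo "missing $props" >&2; return 1; }
    rc=0
    for key in wrapperSha256Sum distributionSha256Sum; do
        grep -Eq "^$key=[0-9a-fA-F]{64}\$" "$props" \
            || { echo "$props lacks a 64-hex $key" >&2; rc=1; }
    done
    return $rc
}

# Return 0 if the sha256 of $file equals the value pinned under $key in $props.
# This is the check the wrapper itself performs; running it independently lets a
# reviewer confirm a downloaded archive against the pinned value.
verify_pinned_sha256() {
    file="$1"; props="$2"; key="$3"
    expected=$(sed -n "s/^$key=//p" "$props" | tr 'A-F' 'a-f')
    actual=$(file_sha256 "$file")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Demo on constructed files in a temporary directory; returns 0 if all checks pass.
run_demo() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/.mvn/wrapper"
    cat > "$dir/.mvn/maven.config" <<'EOF'
-Daether.artifactResolver.postProcessor.trustedChecksums=true
-Daether.artifactResolver.postProcessor.trustedChecksums.failIfMissing=true
-Daether.trustedChecksumsSource.summaryFile=true
-Daether.trustedChecksumsSource.summaryFile.basedir=${session.rootDirectory}/.mvn/checksums
EOF
    # Constructed stand-in for the distribution archive the wrapper would download.
    printf 'constructed stand-in for apache-maven-bin.zip\n' > "$dir/dist.zip"
    sum=$(file_sha256 "$dir/dist.zip")
    # Constructed pins; a real project takes these from the Maven download page.
    printf 'distributionSha256Sum=%s\nwrapperSha256Sum=%s\n' "$sum" "$sum" \
        > "$dir/.mvn/wrapper/maven-wrapper.properties"
    check_maven_config "$dir/.mvn/maven.config" &&
        check_wrapper_pins "$dir/.mvn/wrapper/maven-wrapper.properties" &&
        verify_pinned_sha256 "$dir/dist.zip" \
            "$dir/.mvn/wrapper/maven-wrapper.properties" distributionSha256Sum
    rc=$?
    rm -rf "$dir"
    return $rc
}

run_demo && echo "pre-flight checks passed"
```

Run the three check functions from the project root before ./mvnw in CI; because the checks are plain grep and sha256 comparisons, they do not depend on Maven and so cannot be bypassed by an older Maven version or an IDE-bundled one that ignores .mvn/maven.config.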


1 Comment

Thanks for the writeup. At least in an enterprise environment, where people are forced to a specific settings.xml the above is helpful. At least during CI builds the behavior may be enforced, which is usually enough.
