Verified, and as I assumed: it works Jeremy, but there are other things that may end up in unexpected results.
I tested locally, and "it works for me": $ mvn -s settings.xml dependency:resolve -Daether.checksums.algorithms=SHA-512,SHA-256,SHA-1,MD5 -Daether.connector.smartChecksums=false $ tree local/org/test/test/1.0 local/org/test/test/1.0 ├── _remote.repositories ├── test-1.0.pom ├── test-1.0.pom.sha512 ├── test-1.0.txt └── test-1.0.txt.sha512 So what I did is to explicitly DISABLE "smart checksums". And here is what happens in details when smart checksums not disabled: - ANY modern MRM (Artifactory, Nexus, etc, but same is true for Central) sends sha1/md5 in response headers - "smart checksums" hits BEFORE (when artifact response arrives) checksum is requested from remote - checksums are satisfied even BEFORE SHA-512 or SHA-256 would be asked for (as header contains SHA-1 that is enabled, and it matched) So what happens is that smart checksums from header matches, and resolver is satisfied with SHA-1 (or MD5) as those two are enabled => all ok Alternative would be to not enable SHA-1/MD5 that are delivered by majority of remote repositories and MRMs and consumed by "smart checksum": $ mvn -s settings.xml dependency:resolve -Daether.checksums.algorithms=SHA-512,SHA-256 But this requires that EVERYTHING, every artifact have SHA-512, SHA-256 available. Will extend this page https://maven.apache.org/resolver/about-checksums.html as things are getting more involved if you factor in "trusted" and "provided" checksums... HTH Tamas On Sat, Apr 22, 2023 at 8:26 AM Tamás Cservenák <[email protected]> wrote: > My assumption: have you tried SHA-256 with aether.connector.smartChecksums > disabled? > > T > > On Sat, Apr 22, 2023, 07:18 Tamás Cservenák <[email protected]> wrote: > >> Howdy, >> >> This sounds strange, will try to reproduce it. One remark though: >> checksum names as mentioned in doco are case sensitive... >> >> T >> >> On Fri, Apr 21, 2023, 23:47 Jeremy Landis <[email protected]> >> wrote: >> >>> Since maven 3.9.0, sha 256/512 checksums no longer are being pulled if >>> available and requested either through command line are or maven.config. >>> Has this been reported? Dropping back to maven 3.8.8 it works again. >>> >>> Sent from my Verizon, Samsung Galaxy smartphone >>> Get Outlook for Android<https://aka.ms/AAb9ysg> >>> ________________________________ >>> From: Tamás Cservenák <[email protected]> >>> Sent: Friday, April 21, 2023 9:33:38 AM >>> To: Maven Developers List <[email protected]> >>> Subject: Re: [HEADS UP] Maven 3.9.2 is around the corner >>> >>> Howdy, >>> >>> There is one (IMHO) blocker bug reported for resolver 1.9.8 >>> >>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fbrowse%2FMRESOLVER-352&data=05%7C01%7C%7Cea21ea9209154ca1771708db426d134b%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638176808464235323%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=oultEa5oVRUabJrPG615pTRAnUR%2FR7k1321Fj8Lcm1U%3D&reserved=0 >>> <https://issues.apache.org/jira/browse/MRESOLVER-352> >>> >>> That means Maven 3.9.2 needs to wait for bugfix release of resolver (if >>> nothing else crops up). >>> >>> Thanks >>> T >>> >>> On Mon, Apr 17, 2023 at 4:04 PM Tamás Cservenák <[email protected]> >>> wrote: >>> >>> > Howdy, >>> > >>> > The 3.9.2 is nearly done: >>> > >>> > >>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fissues%2F%3Fjql%3Dproject%2520%253D%2520MNG%2520AND%2520fixVersion%2520%253D%25203.9.2&data=05%7C01%7C%7Cea21ea9209154ca1771708db426d134b%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638176808464235323%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=AVt2ekkafWkdjn0R6UMxgwm9Xux6utXvmu%2Ffaw%2FM7BE%3D&reserved=0 >>> < >>> https://issues.apache.org/jira/issues/?jql=project%20%3D%20MNG%20AND%20fixVersion%20%3D%203.9.2 >>> > >>> > >>> > There are some candidates as well: >>> > >>> > >>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fissues%2F%3Fjql%3Dproject%2520%253D%2520MNG%2520AND%2520fixVersion%2520%253D%25203.9.x-candidate&data=05%7C01%7C%7Cea21ea9209154ca1771708db426d134b%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C638176808464235323%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=p2Hmmf0BP2V%2FFBePFHg3%2BDBW2IvnvtgT6hZzkNAX0a8%3D&reserved=0 >>> < >>> https://issues.apache.org/jira/issues/?jql=project%20%3D%20MNG%20AND%20fixVersion%20%3D%203.9.x-candidate >>> > >>> > >>> > As usual, please raise your voice if there are some other issues not in >>> > these two sets above, or if you have a candidate that should be moved >>> to >>> > 3.9.2. >>> > >>> > Thanks >>> > T >>> > >>> >>
