MNG-8182

Missing or mismatching Trusted Checksum for some artifacts is not properly reported


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.9.8
    • Fix Version/s: 3.9.9, 4.0.0-beta-4, 4.0.0
    • Component/s: Core
    • Labels: None

    Description

      When using Maven Artifact Resolver's "Trusted Checksums" feature, but the checksum for maven-shared-incremental is missing, the error is not properly reported on the console:

      [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.13.0:compile (default-compile) on project my-app: Execution default-compile of goal org.apache.maven.plugins:maven-compiler-plugin:3.13.0:compile failed: Plugin org.apache.maven.plugins:maven-compiler-plugin:3.13.0 or one of its dependencies could not be resolved:
      [ERROR]
      [ERROR]
      [ERROR] -> [Help 1]
      [ERROR]
      [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
      [ERROR] Re-run Maven using the -X switch to enable full debug logging.

      Note how there are no details about why resolution failed.
      When running with -X / --debug, the information is visible in the stack trace; however, I think this information should be shown by default.

      Caused by: org.eclipse.aether.resolution.DependencyResolutionException: The following artifacts could not be resolved: org.apache.maven.shared:maven-shared-incremental:jar:1.1 (present): Missing from summaryFile trusted checksum(s) [SHA-1] for artifact org.apache.maven.shared:maven-shared-incremental:jar:1.1

      It seems org.apache.maven.plugin.internal.DefaultPluginDependenciesResolver#resolveInternal is omitting the cause when throwing a new exception. Therefore I reported it as a Maven bug, though maybe the underlying issue is with Maven Artifact Resolver?

      I also haven't fully understood the internal details of the Artifact Resolver "Trusted Checksums" feature yet. It seems the checksum for maven-shared-incremental is stored in a separate checksums-local.sha1 file. Either way, regardless of the implementation details, the fact that it is a separate file makes it more likely that users accidentally forget to commit it, for example in Git, and then get the irritating error mentioned above.

      How to reproduce

      I have performed this on Windows 10, but the OS might not matter.

      1. Download the attached checksums-test.zip and extract it
      2. Inside it, run
        ./mvnw compile

        Bug: An error occurs, but the error message does not explain why the dependencies could not be resolved

      3. Run
        ./mvnw compile -X

        Note: The stack trace now reveals that the cause for the error is the missing checksum for maven-shared-incremental

      4. Run
        ./mvnw compile "-Daether.artifactResolver.postProcessor.trustedChecksums.record=true"

        Note: An additional checksums-local.sha1 file was created and the build succeeded

      As a side note: Maybe the way this sample project uses the "Trusted Checksums" feature is not proper (see also related Stack Overflow question), though either way, the incomplete error message is confusing.
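
One way to surface the hidden cause in CI, as an added example that is not part of the original report or of Maven: a Python filter over captured Maven output that lists artifacts lacking a trusted checksum, keyed on the message text quoted in the stack trace above. The function names and the shortened sample logs are constructed for illustration, and the comma-separated form for several algorithms is an assumption.

```python
import re

# Message shape copied from the stack trace quoted in this report.
# Assumption: several algorithms would appear comma-separated inside the brackets.
MISSING = re.compile(
    r"Missing from (?P<source>\S+) trusted checksum\(s\) "
    r"\[(?P<algos>[^\]]+)\] for artifact (?P<artifact>[^\s,]+)"
)
UNRESOLVED = "could not be resolved"

def missing_trusted_checksums(log_text):
    """Sorted unique (artifact, algorithm, source) triples found anywhere in the log."""
    found = set()
    for match in MISSING.finditer(log_text):
        for algo in match.group("algos").split(","):
            found.add((match.group("artifact"), algo.strip(), match.group("source")))
    return sorted(found)

def diagnose(log_text):
    """Classify a Maven log: 'ok', 'missing-checksum', or 'unexplained'."""
    missing = missing_trusted_checksums(log_text)
    if missing:
        return "missing-checksum", missing
    if UNRESOLVED in log_text:
        # The symptom from this report: resolution failed, no reason printed.
        # Re-run with -X and feed that output through this function again.
        return "unexplained", []
    return "ok", []

# Constructed samples, shortened from the output quoted in this report.
DEFAULT_LOG = """\
[ERROR] Failed to execute goal ... Plugin org.apache.maven.plugins:maven-compiler-plugin:3.13.0 or one of its dependencies could not be resolved:
[ERROR]
[ERROR] -> [Help 1]
"""
DEBUG_LOG = DEFAULT_LOG + (
    "Caused by: org.eclipse.aether.resolution.DependencyResolutionException: "
    "The following artifacts could not be resolved: "
    "org.apache.maven.shared:maven-shared-incremental:jar:1.1 (present): "
    "Missing from summaryFile trusted checksum(s) [SHA-1] for artifact "
    "org.apache.maven.shared:maven-shared-incremental:jar:1.1\n"
)

if __name__ == "__main__":
    for name, log in (("default", DEFAULT_LOG), ("-X", DEBUG_LOG)):
        print(name, diagnose(log))
```

An "unexplained" result on default output is the cue to capture a `-X` run, since on affected versions the checksum reason only appears there.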

          People

            Assignee: Tamas Cservenak (cstamas)
            Reporter: Marcono1234