Maven resolver currently only verifies provided checksums (via ProvidedChecksumsSource) when artifacts are downloaded from a remote repository. While this strategy is efficient when working with a clean local repository, it can create problems if two Maven projects share a local repository, where only one project validates hashes. If the first project has downloaded a corrupted artifact, the second project would now use this corrupted artifact despite knowing a non-matching checksum.
With the proposed change, artifacts are validated whenever they are resolved. This makes it possible to retain the integrity of a project even when sharing a local Maven repository with other, unsecured projects.
The current PR only activates this general validation if a global validation policy is defined.
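
The shared-repository scenario described above, as an added example that is not code from this PR or from Maven Resolver. It uses only JDK classes (Java 17+); the class, method and artifact names are hypothetical, and the artifact contents are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.util.HexFormat;
import java.util.Map;

// Added illustration (Java 17+). All names are hypothetical; none of this is Maven Resolver API.
public class LocalRepoChecksumDemo {
    static String sha256(byte[] data) throws Exception {
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(data));
    }

    static void verify(Path file, String expected) throws Exception {
        if (expected == null) return; // no provided checksum for this artifact
        String actual = sha256(Files.readAllBytes(file));
        if (!actual.equalsIgnoreCase(expected))
            throw new SecurityException(file.getFileName() + ": expected " + expected + ", got " + actual);
    }

    // Download-only policy: the provided checksum is consulted only on a cache miss.
    static Path resolveDownloadOnly(Path repo, String name, byte[] remote, Map<String, String> provided) throws Exception {
        Path file = repo.resolve(name);
        if (Files.exists(file)) return file; // cache hit: returned without validation
        Files.write(file, remote);
        try { verify(file, provided.get(name)); }
        catch (SecurityException e) { Files.delete(file); throw e; }
        return file;
    }

    // Validate-on-resolve policy: the checksum is checked on every resolution, cached or not.
    static Path resolveAlways(Path repo, String name, byte[] remote, Map<String, String> provided) throws Exception {
        Path file = resolveDownloadOnly(repo, name, remote, provided);
        verify(file, provided.get(name));
        return file;
    }

    public static void main(String[] args) throws Exception {
        Path repo = Files.createTempDirectory("shared-local-repo");
        String name = "demo-lib-1.0.jar"; // constructed artifact name
        byte[] genuine = "genuine artifact bytes".getBytes(StandardCharsets.UTF_8); // constructed content
        Map<String, String> provided = Map.of(name, sha256(genuine)); // second project's known checksum
        // The first project, which validates nothing, has left a corrupted copy in the shared repository.
        Files.write(repo.resolve(name), "corrupted bytes".getBytes(StandardCharsets.UTF_8));

        System.out.println("download-only accepted: " + resolveDownloadOnly(repo, name, genuine, provided).getFileName());
        try { resolveAlways(repo, name, genuine, provided); }
        catch (SecurityException e) { System.out.println("validate-on-resolve rejected: " + e.getMessage()); }
    }
}
```

The first call returns the corrupted cached file even though a non-matching checksum is known; the second raises on the same file.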