When downloading files from a remote repository, in numerous cases Archiva stores invalid checksum files (sha1|md5) in its local repository. Upon checking the remote repository, the checksum files are found to be valid. If that is the case, the invalid checksum files are usually identical copies of the artifact's POM file and thus can't be used for checksum validation.
The issue can be reproduced using the minimal pre-configured Archiva package (apache-archiva-2.2.1-bin.zip).
Reproduction of the error
- Downloaded/unpacked/started packaged (zip) Archiva 2.2.1
- Configured archiva as local maven mirror
When checking the filesystem of archiva local repository upon artifact download, it is immediately obvious that the *.[md5|sha1] files are invalid:
archiva.log shows no errors regarding the artifact in question. Checking the source repository (maven central -> http://central.maven.org/maven2/org/apache/maven/plugins/maven-plugins/28/) shows that the original sha1/md5 files are ok. This seems to happen unpredictably for arbitrary artifacts.
This issue has been posted on StackOverflow (see external issue URL) using a more sophisticated configuration.