Uploaded image for project: 'Archiva'
  1. Archiva
  2. MRM-1926

Invalid checksum files in Archiva repository after download from remote repository

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.2.1
    • Fix Version/s: 2.2.3
    • Component/s: system
    • Labels:
      None
    • Environment:
      Ubuntu Linux 16.04 LTS x64; Ubuntu Linux 15.10 x64; CentOS 7.2 x64; JDK 1.8

      Description

      When downloading files from a remote repository, in numerous cases Archiva stores invalid checksum files (sha1|md5) in its local repository. Upon checking the remote repository, the checksum files are found to be valid. If that is the case, the invalid checksum files are usually identical copies of the artifact's POM file and thus can't be used for checksum validation.
      The issue can be reproduced using the minimal pre-configured Archiva package (apache-archiva-2.2.1-bin.zip).

      Reproduction of the error
      Prerequisites:

      • Downloaded/unpacked/started packaged (zip) Archiva 2.2.1
      • Configured archiva as local maven mirror
      mvn compile
          .
          .
          .
      Downloading: http://localhost:8080/repository/internal/org/apache/maven/plugins/maven-plugins/28/maven-plugins-28.pom
      [WARNING] Checksum validation failed, expected <?xml but is ad21477ba223c7e4360600db11d6115344065d85 for http://localhost:8080/repository/internal/org/apache/maven/plugins/maven-plugins/28/maven-plugins-28.pom
      [WARNING] Could not validate integrity of download from http://localhost:8080/repository/internal/org/apache/maven/plugins/maven-plugins/28/maven-plugins-28.pom: Checksum validation failed, expected <?xml but is ad21477ba223c7e4360600db11d6115344065d85
      [WARNING] Checksum validation failed, expected <?xml but is ad21477ba223c7e4360600db11d6115344065d85 for http://localhost:8080/repository/internal/org/apache/maven/plugins/maven-plugins/28/maven-plugins-28.pom
      

      When checking the filesystem of archiva local repository upon artifact download, it is immediately obvious that the *.[md5|sha1] files are invalid:

      maik@tpx1:~/Downloads/apache-archiva-2.2.1/repositories/internal/org/apache/maven/plugins/maven-plugins/28$ ll
      total 68
      drwxr-xr-x 2 maik maik  4096 Sep 21 15:48 ./
      drwxr-xr-x 5 maik maik  4096 Sep 21 15:48 ../
      -rw-r--r-- 1 maik maik 12031 Sep 21 15:48 maven-plugins-28.pom
      -rw-r--r-- 1 maik maik 12031 Sep 21 15:48 maven-plugins-28.pom.md5
      -rw-r--r-- 1 maik maik 12031 Sep 21 15:48 maven-plugins-28.pom.sha1
      maik@tpx1:~/Downloads/apache-archiva-2.2.1/repositories/internal/org/apache/maven/plugins/maven-plugins/28$ head -n 4 maven-plugins-28.pom.sha1
      <?xml version='1.0' encoding='UTF-8'?>
      <!--
      Licensed to the Apache Software Foundation (ASF) under one
      or more contributor license agreements.  See the NOTICE file
      

      archiva.log shows no errors regarding the artifact in question. Checking the source repository (maven central -> http://central.maven.org/maven2/org/apache/maven/plugins/maven-plugins/28/) shows that the original sha1/md5 files are ok. This seems to happen unpredictably for arbitrary artifacts.

      This issue has been posted on StackOverflow (see external issue URL) using a more sophisticated configuration.

        Attachments

          Activity

            People

            • Assignee:
              martin_s Martin Stockhammer
              Reporter:
              mfleuter Maik F.
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: