✨ feat: Add sha256 and sha512 checksums to remote mode (#1200)

LogFlames · algomaster99 · web-flow · commit ce475db2a6a3 · 2025-06-12T14:04:42.000+02:00
Co-authored-by: Aman Sharma &lt;mannu.poski10@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -69,7 +69,7 @@ mvn -f pom.lockfile.xml
 - `includeMavenPlugins` (`-DincludeMavenPlugins=true`) will include the maven plugins in the lockfile. This is useful if you want to validate the Maven plugins as well.
 - `allowValidationFailure` (`-DallowValidationFailure=true`, default=false) allow validation failures, printing a warning instead of an error. This is useful if you want to only validate the Maven lockfile, but do not need to fail the build in case the lockfile is not valid. Use with caution, you loose all guarantees.
 - `includeEnvironment` (`-DincludeEnvironment=true`) will include the environment metadata in the lockfile. This is useful if you want to have warnings when the environment changes.
-- `checksumAlgorithm` (`-DchecksumAlgorithm=sha256`) will set the checksum algorithm used to generate the lockfile. The default depends on your checksum mode.
+- `checksumAlgorithm` (`-DchecksumAlgorithm=sha256`) will set the checksum algorithm used to generate the lockfile. If not explicitly provided it will use SHA-256.
 - `checksumMode` will set the checksum mode used to generate the lockfile. See [Checksum Modes](/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/checksum/ChecksumModes.java) for more information.
 - `skip` (`-Dskip=true`) will skip the execution of the plugin. This is useful if you would like to disable the plugin for a specific module.
 - `lockfileName` (`-DlockfileName=my-lockfile.json` default="lockfile.json") will set the name of the lockfile file to be generated/read.
diff --git a/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/checksum/ChecksumModes.java b/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/checksum/ChecksumModes.java
@@ -6,11 +6,14 @@
  */
 public enum ChecksumModes {
     /**
-     * Downloads the checksum from the maven repository.
+     * Downloads the checksum from the maven repository. Supports md5, sha1, sha256 and sha512. If the requested
+     * checksum is not found in remote repository, the artifact will be downloaded and checksum will be calculated
+     * on the downloaded artifact. The download will be verified with the sha1 checksum if it available in the remote
+     * repository.
      */
     REMOTE("remote"),
     /**
-     * Calculates the checksum from the downloaded artifact.
+     * Calculates the checksum from the downloaded artifact in the local m2 folder.
      */
     LOCAL("local");
 
diff --git a/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/checksum/RemoteChecksumCalculator.java b/maven_plugin/src/main/java/io/github/chains_project/maven_lockfile/checksum/RemoteChecksumCalculator.java
@@ -1,10 +1,13 @@
 package io.github.chains_project.maven_lockfile.checksum;
 
+import com.google.common.io.BaseEncoding;
 import io.github.chains_project.maven_lockfile.data.ResolvedUrl;
 import java.net.URI;
 import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
+import java.security.MessageDigest;
+import java.util.Locale;
 import java.util.Optional;
 import org.apache.log4j.Logger;
 import org.apache.maven.artifact.Artifact;
@@ -23,8 +26,12 @@ public RemoteChecksumCalculator(
             ProjectBuildingRequest artifactBuildingRequest,
             ProjectBuildingRequest pluginBuildingRequest) {
         super(checksumAlgorithm);
-        if (!(checksumAlgorithm.equals("sha1") || checksumAlgorithm.equals("md5"))) {
-            throw new IllegalArgumentException("Invalid checksum algorithm maven central only supports sha1 or md5");
+        if (!(checksumAlgorithm.equals("md5")
+                || checksumAlgorithm.equals("sha1")
+                || checksumAlgorithm.equals("sha256")
+                || checksumAlgorithm.equals("sha512"))) {
+            throw new IllegalArgumentException(
+                    "Invalid checksum algorithm maven central only supports md5, sha1, sha256 or sha512.");
         }
 
         this.artifactBuildingRequest = artifactBuildingRequest;
@@ -42,21 +49,81 @@ private Optional<String> calculateChecksumInternal(Artifact artifact, ProjectBui
             }
             String filename = artifactId + "-" + version + "." + extension;
 
+            BaseEncoding baseEncoding = BaseEncoding.base16();
+            HttpClient client = HttpClient.newBuilder()
+                    .followRedirects(HttpClient.Redirect.ALWAYS)
+                    .build();
+
             for (ArtifactRepository repository : buildingRequest.getRemoteRepositories()) {
-                String url = repository.getUrl().replaceAll("/$", "") + "/" + groupId + "/" + artifactId + "/" + version
-                        + "/" + filename + "." + checksumAlgorithm;
+                String artifactUrl = repository.getUrl().replaceAll("/$", "") + "/" + groupId + "/" + artifactId + "/"
+                        + version + "/" + filename;
+                String checksumUrl = artifactUrl + "." + checksumAlgorithm;
 
-                LOGGER.debug("Checking: " + url);
+                LOGGER.debug("Checking: " + checksumUrl);
 
-                HttpClient client = HttpClient.newBuilder()
-                        .followRedirects(HttpClient.Redirect.ALWAYS)
-                        .build();
-                HttpRequest request =
-                        HttpRequest.newBuilder().uri(URI.create(url)).build();
-                HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
+                HttpRequest checksumRequest =
+                        HttpRequest.newBuilder().uri(URI.create(checksumUrl)).build();
+                HttpResponse<String> checksumResponse =
+                        client.send(checksumRequest, HttpResponse.BodyHandlers.ofString());
 
-                if (response.statusCode() >= 200 && response.statusCode() < 300) {
-                    return Optional.of(response.body().strip());
+                if (checksumResponse.statusCode() >= 200 && checksumResponse.statusCode() < 300) {
+                    return Optional.of(checksumResponse.body().strip());
+                }
+
+                if (checksumResponse.statusCode() == 404) {
+                    HttpRequest artifactRequest = HttpRequest.newBuilder()
+                            .uri(URI.create(artifactUrl))
+                            .build();
+                    HttpResponse<byte[]> artifactResponse =
+                            client.send(artifactRequest, HttpResponse.BodyHandlers.ofByteArray());
+
+                    if (artifactResponse.statusCode() < 200 || artifactResponse.statusCode() >= 300) {
+                        continue;
+                    }
+
+                    LOGGER.info("Unable to find " + checksumAlgorithm + " checksum for " + artifact.getGroupId() + ":"
+                            + artifactId + ":" + version + " on remote. Downloading and calculating locally.");
+
+                    // Fallback to and verify downloaded artifact with sha1
+                    HttpRequest artifactVerificationRequest = HttpRequest.newBuilder()
+                            .uri(URI.create(artifactUrl + ".sha1"))
+                            .build();
+                    HttpResponse<String> artifactVerificationResponse =
+                            client.send(artifactVerificationRequest, HttpResponse.BodyHandlers.ofString());
+
+                    // Extract first part of string to handle sha1sum format, `hash_in_hex /path/to/file`.
+                    // For example provided by:
+                    //     https://repo.maven.apache.org/maven2/com/martiansoftware/jsap/2.1/jsap-2.1.jar.sha1
+                    //     https://repo.maven.apache.org/maven2/javax/inject/javax.inject/1/javax.inject-1.jar.sha1
+                    String artifactVerification =
+                            artifactVerificationResponse.body().strip();
+                    int spaceIndex = artifactVerification.indexOf(" ");
+                    artifactVerification =
+                            spaceIndex == -1 ? artifactVerification : artifactVerification.substring(0, spaceIndex);
+
+                    if (artifactVerificationResponse.statusCode() >= 200
+                            && artifactVerificationResponse.statusCode() < 300) {
+                        MessageDigest verificationMessageDigest = MessageDigest.getInstance("sha1");
+                        String sha1 = baseEncoding
+                                .encode(verificationMessageDigest.digest(artifactResponse.body()))
+                                .toLowerCase(Locale.ROOT);
+
+                        if (!sha1.equals(artifactVerification)) {
+                            LOGGER.error("Invalid sha1 checksum for: " + artifactUrl);
+                            throw new RuntimeException("Invalid sha1 checksum for '" + artifact.getGroupId() + ":"
+                                    + artifactId + ":" + version + "'. Checksum found at '" + artifactUrl
+                                    + ".sha1' does not match calculated checksum of downloaded file. Remote checksum = '"
+                                    + artifactVerification + "'. Locally calculated checksum = '" + sha1 + "'.");
+                        }
+                    } else {
+                        LOGGER.warn("Unable to find sha1 to verify download of: " + artifactUrl);
+                    }
+
+                    MessageDigest messageDigest = MessageDigest.getInstance(checksumAlgorithm);
+                    String checksum = baseEncoding
+                            .encode(messageDigest.digest(artifactResponse.body()))
+                            .toLowerCase(Locale.ROOT);
+                    return Optional.of(checksum);
                 }
             }
 
@@ -80,15 +147,16 @@ private Optional<ResolvedUrl> getResolvedFieldInternal(Artifact artifact, Projec
             }
             String filename = artifactId + "-" + version + "." + extension;
 
+            HttpClient client = HttpClient.newBuilder()
+                    .followRedirects(HttpClient.Redirect.ALWAYS)
+                    .build();
+
             for (ArtifactRepository repository : buildingRequest.getRemoteRepositories()) {
                 String url = repository.getUrl().replaceAll("/$", "") + "/" + groupId + "/" + artifactId + "/" + version
                         + "/" + filename;
 
                 LOGGER.debug("Checking: " + url);
 
-                HttpClient client = HttpClient.newBuilder()
-                        .followRedirects(HttpClient.Redirect.ALWAYS)
-                        .build();
                 HttpRequest request = HttpRequest.newBuilder()
                         .uri(URI.create(url))
                         .method("HEAD", HttpRequest.BodyPublishers.noBody())
@@ -121,7 +189,7 @@ public String calculatePluginChecksum(Artifact artifact) {
 
     @Override
     public String getDefaultChecksumAlgorithm() {
-        return "sha1";
+        return "SHA-256";
     }
 
     @Override
diff --git a/maven_plugin/src/test/java/it/IntegrationTestsIT.java b/maven_plugin/src/test/java/it/IntegrationTestsIT.java
@@ -384,10 +384,41 @@ public void remoteRepositoryShouldResolve(MavenExecutionResult result) throws Ex
 
     @MavenTest
     public void checksumModeRemote(MavenExecutionResult result) throws Exception {
-        // contract: if checksum mode is remote, maven_lockfile should be able to download .
+        // contract: if checksum mode is remote, maven-lockfile should be able to download and verify sha256 from maven
+        // central and if sha256 is not available, it should be able to .
         assertThat(result).isSuccessful();
-        var lockfileExists = fileExists(result, "lockfile.json");
-        assertThat(lockfileExists).isTrue();
+        var lockfilePath = findFile(result, "lockfile.json");
+        assertThat(lockfilePath).exists();
+        var lockfile = LockFile.readLockFile(lockfilePath);
+
+        // Verify: atlassian-bandana:0.2.0 is hosted on packages.atlassian.com which doesn't provide sha256, sha256 has
+        // to be calculated
+        var dep1Checksum = lockfile.getDependencies().stream()
+                .filter(dependency -> dependency
+                        .getChecksum()
+                        .equals("12357e6d5c5eb6b5ed80bbb98f4ef7b70fcb08520a9f306c4af086c37d6ebc11"))
+                .findAny();
+        assertThat(dep1Checksum).isNotNull();
+        result.getMavenLog();
+
+        // Verify: jsap:2.1 is hosted on repo.maven.apache.org which doesn't provide sha256, and who's sha1 has a
+        // different format (providing `checksum path` instead of `checksum`). Sha1 should still succeed as the
+        // `checksum` is verified aganist up until the first space, thus excluding the path of the file when the
+        // sha1 was generated. Sha256 has to be calculated.
+        var dep2Checksum = lockfile.getDependencies().stream()
+                .filter(dependency -> dependency
+                        .getChecksum()
+                        .equals("331746fa62cfbc3368260c5a2e660936ad11be612308c120a044e120361d474e"))
+                .findAny();
+        assertThat(dep2Checksum).isNotNull();
+
+        // Verify: spoon-core:11.1.0 is hosted on maven central and directly provides sha256 checksums
+        var dep3Checksum = lockfile.getDependencies().stream()
+                .filter(dependency -> dependency
+                        .getChecksum()
+                        .equals("a8ae41ae0a1578a7ef9ce4f8d562813a99e6cc015e8cb3b0482b5470d53f1c6b"))
+                .findAny();
+        assertThat(dep3Checksum).isNotNull();
     }
 
     @MavenTest
@@ -397,7 +428,7 @@ public void resolvedFieldShouldResolve(MavenExecutionResult result) throws Excep
         Path lockFilePath = findFile(result, "lockfile.json");
         assertThat(lockFilePath).exists();
         var lockFile = LockFile.readLockFile(lockFilePath);
-        var atlassinResolved = lockFile.getDependencies().stream()
+        var atlassianResolved = lockFile.getDependencies().stream()
                 .filter(
                         dependency -> dependency
                                 .getResolved()
@@ -413,7 +444,7 @@ public void resolvedFieldShouldResolve(MavenExecutionResult result) throws Excep
                                         ResolvedUrl.of(
                                                 "https://repo.maven.apache.org/maven2/fr/inria/gforge/spoon/spoon-core/10.3.0/spoon-core-10.3.0.jar")))
                 .findAny();
-        assertThat(atlassinResolved).isNotNull();
+        assertThat(atlassianResolved).isNotNull();
         assertThat(mavenCentralResolved).isNotNull();
     }
 }
diff --git a/maven_plugin/src/test/resources-its/it/IntegrationTestsIT/checksumModeRemote/pom.xml b/maven_plugin/src/test/resources-its/it/IntegrationTestsIT/checksumModeRemote/pom.xml
@@ -29,7 +29,7 @@
     <dependency>
       <groupId>fr.inria.gforge.spoon</groupId>
       <artifactId>spoon-core</artifactId>
-      <version>10.3.0</version>
+      <version>11.1.0</version>
     </dependency>
     <dependency>
       <groupId>atlassian-bandana</groupId>
@@ -56,7 +56,7 @@
         </executions>
         <configuration>
           <checksumMode>remote</checksumMode>
-          <checksumAlgorithm>sha1</checksumAlgorithm>
+          <checksumAlgorithm>sha256</checksumAlgorithm>
         </configuration>
       </plugin>
     </plugins>
