Artifact arquillian-bom-1.7.0.Final Throws Checksum Validation Error in Maven 3.6.3

[arieki]

Issue Overview

I use maven version 3.6.3.
I run maven command using --strict-checksums and it throws checksum validation error

Current Behaviour

[DEBUG] Using transporter WagonTransporter with priority -1.0 for https://repo.maven.apache.org/maven2
[DEBUG] Using connector BasicRepositoryConnector with priority 0.0 for https://repo.maven.apache.org/maven2
Downloading from central: https://repo.maven.apache.org/maven2/org/jboss/arquillian/arquillian-bom/1.7.0.Final/arquillian-bom-1.7.0.Final.pom
[WARNING] Checksum validation failed, expected 2811ba27a71a8bda0602161ffe2f6e1429da8068 but is 36257165a0945753efb3f9d473d86c6f4c6c6f6e from central for https://repo.maven.apache.org/maven2/org/jboss/arquillian/arquillian-bom/1.7.0.Final/arquillian-bom-1.7.0.Final.pom
[DEBUG] Writing tracking file /root/.m2/repository/org/jboss/arquillian/arquillian-bom/1.7.0.Final/arquillian-bom-1.7.0.Final.pom.lastUpdated


[ERROR] Non-resolvable import POM: Could not transfer artifact org.jboss.arquillian:arquillian-bom:pom:1.7.0.Final from/to central (https://repo.maven.apache.org/maven2): Checksum validation failed, expected 2811ba27a71a8bda0602161ffe2f6e1429da8068 but is 36257165a0945753efb3f9d473d86c6f4c6c6f6e @ fish.payara.microprofile:tck-suite-parent:1.1-SNAPSHOT, /home/workspace/MicroProfile-TCK-Runners/pom.xml, line 453

Steps To Reproduce

1. Include arquillian-bom dependency

<dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.jboss.arquillian</groupId>
                <artifactId>arquillian-bom</artifactId>
                <version>1.7.0.Final</version>
                <scope>import</scope>
                <type>pom</type>
            </dependency>
         </dependencies>
</dependencyManagement>

2. Run maven command using --strict-checksums

Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
Maven home: /home/tools/apache-maven-3.6.3
Java version: 11.0.19, vendor: Azul Systems, Inc., runtime: /usr/lib/jvm/zulu11
Default locale: en, platform encoding: UTF-8
OS name: "linux", version: "5.10.0-11-amd64", arch: "amd64", family: "unix"

[chengfang]

@arieki thanks for reporting the issue. It will be fixed in next release (1.7.1).

[OHaase]

Hello @chengfang

A new release is not helpful if an external project has a dependency on Arquillian 1.7.0. The wrong checksums are blocking a build on strict artifact provision. It would very helpful to update the checksums on maven central for the version 1.7.0.

Thanks a lot

Oliver

[PierreBtz]

@chengfang I also am hitting the same issue as Oliver. Do you think updating the checksums in Maven central is feasible?

[chengfang]

@OHaase @PierreBtz as I understand it, the checksum of deployed artifacts in maven central is final and cannot be modified, likely for security reasons. We'll release the next micro version soon to help people ease the upgrade.

[lprimak]

@chengfang @bartoszmajsak This is super critical. Current version of maven (3.9.4) fails the build by default now.
Please release the next version ASAP because it's blocking innumerable amount of people. Thank you.

Also, the checksum might be able to get changed if submitted to Sonatype via their JIRA issue.

[phillipross]

Just cut a v1.7.1.Final release with checksum 😂

[chengfang]

Thanks for all the feedback. Working on it.

[chengfang]

1.7.1.Final was released today 2023-08-15. It may take a few hours to sync up with central. Using jboss repo, it's available at https://repository.jboss.org/nexus/content/groups/public/org/jboss/arquillian/arquillian-bom/1.7.1.Final/ or similar url for other artifacts in this release.

[lprimak]

Works! You can close this issue