Checksum validation fail using Maven


Since around 1 week there has been some issues with Maven central repo denying access to Travis builds (see Continuous maven repo 403).

The fix as of today consists in using google mirror of Maven central. However using this mirror, I get checksum validation failures in some of my builds. This include, for instance, the preesm/graphiti project, with :

I could reproduce locally playing with local maven settings ( ). When I use the default central repository, the build runs fine.


Hello again,

Below are 2 notes about the current build failures of the Graphiti project on travis:

Note: Since less than 1 week, Oracle certificates expired (or something is wrong with travis openjdk9 setup script), leading to failures way before the one described in first post. This does not happen if build is triggered somewhere else.

Note2: Also, the main Eclipse mirror used to build the project (the only French Eclipse mirror, closest to the work place) went down few days ago, also leading to failures before the one described in first post. Latest updates on the graphiti github repo develop branch includes the fix to use another (still online) mirror.

Cascade of upstream issues this week :< is helpful, you should be able to replicate it locally by the following in your ~/.m2/settings.xml file:

      <name>Google Maven Central</name>

I’ll look into the missing files – if that’s all it is, I should be able to fix in an hour or two, but figuring out why might take longer. Will update the issue in 30 min.

@antoine-morvan I’ve verified that the checksums do exist and appear to match. Could you try executing again and seeing if there is still a problem?

@BanzaiMan Is it possible that a bad .m2 cache occured? Is it possible to rerun maven with the -X option to see what might be going on?

Our VMs start with a base image with nothing in ~/.m2, so I am doubtful that the cache comes into play. It is possible to run mvn with -X; it is best done by @antoine-morvan by tweaking .travis.yml.


I enabled -X on a branch, but I fear it’ll exceed the log size limit (see mavenDebug branch … but the openjdk9 certs :<).

Even locally I clear my cache before change the remote repos to make sure other people can continue build the project anywhere. And the travis build do not cache the local repo either to enforce that behavior.

Also, in case you missed it, the build script uses the -C option : “-C,–strict-checksums : Fail the build if checksums don’t match”.

@lesv Clearing repo and running again locally. Updating soon with result.


@lesv Still failing locally with cleared repo and google as mirror of central:

Could not transfer artifact org.apache.maven.reporting:maven-reporting-impl:pom:2.3 from/to google-maven-central ( Checksum validation failed, no checksums available -> [Help 1]

I running out of the office today, and will be out for a few days for the holidays. You might wish to roll back to using the maven-central repo for now.

      <name>Maven Central</name>

Looking at the mirror, I see:


And on Maven-Central repo1 I see:

maven-reporting-impl-2.3-javadoc.jar              2014-09-14 15:42     59624      
maven-reporting-impl-2.3-javadoc.jar.asc          2014-09-14 15:42       181      
maven-reporting-impl-2.3-javadoc.jar.asc.md5      2014-09-14 15:42        32      
maven-reporting-impl-2.3-javadoc.jar.asc.sha1     2014-09-14 15:42        40      
maven-reporting-impl-2.3-javadoc.jar.md5          2014-09-14 15:42        32      
maven-reporting-impl-2.3-javadoc.jar.sha1         2014-09-14 15:42        40       2014-09-14 15:42     28693  2014-09-14 15:42       181  2014-09-14 15:42        32  2014-09-14 15:42        40  2014-09-14 15:42        32  2014-09-14 15:42        40      
maven-reporting-impl-2.3-sources.jar              2014-09-14 15:42     15630      
maven-reporting-impl-2.3-sources.jar.asc          2014-09-14 15:42       181      
maven-reporting-impl-2.3-sources.jar.asc.md5      2014-09-14 15:42        32      
maven-reporting-impl-2.3-sources.jar.asc.sha1     2014-09-14 15:42        40      
maven-reporting-impl-2.3-sources.jar.md5          2014-09-14 15:42        32      
maven-reporting-impl-2.3-sources.jar.sha1         2014-09-14 15:42        40      
maven-reporting-impl-2.3.jar                      2014-09-14 15:42     17978      
maven-reporting-impl-2.3.jar.asc                  2014-09-14 15:42       181      
maven-reporting-impl-2.3.jar.asc.md5              2014-09-14 15:42        32      
maven-reporting-impl-2.3.jar.asc.sha1             2014-09-14 15:42        40      
maven-reporting-impl-2.3.jar.md5                  2014-09-14 15:42        32      
maven-reporting-impl-2.3.jar.sha1                 2014-09-14 15:42        40      
maven-reporting-impl-2.3.pom                      2014-09-14 15:42      5000      
maven-reporting-impl-2.3.pom.asc                  2014-09-14 15:42       181      
maven-reporting-impl-2.3.pom.asc.md5              2014-09-14 15:42        32      
maven-reporting-impl-2.3.pom.asc.sha1             2014-09-14 15:42        40      
maven-reporting-impl-2.3.pom.md5                  2014-09-14 15:42        32      
maven-reporting-impl-2.3.pom.sha1                 2014-09-14 15:42        40      

I need to ask the folks at Sonatype and the PMC why I would have unexepected files and not have the expected ones.

The other choice is to turn off checksum checking instead of switching back to maven-central is to use lax-checksums mvn -c

Not sure if I can override the Travis VM settings… but that is indeed what we use locally.

I will disable strict checking for now and re-enable after holidays :slight_smile:

I’ve ping’d the central-discussions list again, no one responded to my last email. I’m going to run a few experiments to see if I can use a different source and get this fixed. It will take several days as what I’m dealing with is huge.

1 Like

@lesv Thanks for the update!

It appears like it’s now fixed – you can add back checksums – let me know if you run into problems.

1 Like

Hi, I’m having the same Issue and it’s still failing due unavailable checksums


[ERROR] Failed to execute goal org.apache.maven.plugins:maven-checkstyle-plugin:3.0.0:check (default) on project tyrus-project: Execution default of goal org.apache.maven.plugins:maven-checkstyle-plugin:3.0.0:check failed: Plugin org.apache.maven.plugins:maven-checkstyle-plugin:3.0.0 or one of its dependencies could not be resolved: Failed to collect dependencies at org.apache.maven.plugins:maven-checkstyle-plugin:jar:3.0.0 -> org.apache.maven.reporting:maven-reporting-impl:jar:2.3: Failed to read artifact descriptor for org.apache.maven.reporting:maven-reporting-impl:jar:2.3: Could not transfer artifact org.apache.maven.reporting:maven-reporting-impl:pom:2.3 from/to google-maven-central ( Checksum validation failed, no checksums available -> [Help 1]

Sorry - I spoke too soon. It appears my sync between my VM and the bucket got killed just after midnight, I’ve restarted it, but it takes a while to process 12T. I’ll let you know when it’s actually done.

For the time being, don’t use checksum’s using mvn -C

Going forward Sonatype is working on a new source repository for me to use, I will also let you know when that is completed.


Builds of new branches (1.15-BRANCH) get passed the checksum verification now (as you can see here… at least until it is terminated because “the job exceeded the maximum log length”

But for previously failed branches (master) I now get the following error (

[ERROR] Plugin org.codehaus.mojo:build-helper-maven-plugin:1.8 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.codehaus.mojo:build-helper-maven-plugin:jar:1.8: Could not transfer artifact org.codehaus.mojo:build-helper-maven-plugin:pom:1.8 from/to google-maven-central ( Checksum validation failed, expected dfc6267db807f9c21415b7eef50137742e99c364 but is 74a16507270d0d85a77b15b5f5e97010d193cb9b -> [Help 1]

Any Idea how I can start over with this branch (I already tried deleting caches without any luck)

@BanzaiMan can give you suggestions on the right way to do this. What you are trying for is effectively mvn clean; rm -r ~/.m2

FYI: My update job is still running, so more checksums are correct, but it’s not complete yet. I’ll need to do some cleanup / validation once it finishes.

It looks like the process is finally done. You might try w/o the -C now. Please let me know if there are any issues.

1 Like

I’m afraid the checksums are still wrong.
I tried removing the whole $HOME/.m2 folder (which resulted in downloading the artifacts from maven-central) as well as just removing $HOME/.m2/repository.

It seems the cached checksums are note the problem but rather the checksums returned by the

E.g. try the following

$ curl -s | sha1sum 
74a16507270d0d85a77b15b5f5e97010d193cb9b *-

$ curl -s

As one can see the SHA1 values differ.

In case I try the same with maven-central, I get the following results:

$ curl -s | sha1sum
74a16507270d0d85a77b15b5f5e97010d193cb9b *-

$ curl -s
1 Like

Builds pass with -C :

However I was able to reproduce the issue pinpointed by @nuessgens, meaning some jobs may still fail somewhere…