Using Maven checksums - CodeArtifact

Using Maven checksums

When a Maven artifact is published to an AWS CodeArtifact repository, the checksum associated with each asset or file in the package is used to validate the upload. Examples of assets are jar, pom, and war files. For each asset, the Maven artifact contains multiple checksum files that use the asset name with an additional extension, such as md5 or sha1. For example, the checksum files for a file named my-maven-package.jar might be my-maven-package.jar.md5 and my-maven-package.jar.sh1.


Maven uses the term artifact. In this guide, a Maven package is the same as a Maven artifact. For more information, see AWS CodeArtifact package.

Every Maven artifact also contains a maven-metadata.xml file. This file must be uploaded for a publish to succeed. If a checksum mismatch is detected during the upload of any artifact file, the publish stops. This might prevent the maven-metadata.xml from being uploaded. When that happens, the status of the Maven artifact is set to Unfinished. You cannot download assets that are part of a package with this status.

Keep the following in mind in the event of a checksum mismatch when you publish a Maven package:

  • If the checksum mismatch occurs before maven-metadata.xml is uploaded, the status of the package is not set to Unfinished. The package is not visible and its assets cannot be consumed. When this happens, try one of the following, and then try to download the asset again.

    • Run the command that publishes the Maven artifact again. This might work if a network issue corrupted the checksum file during download. If the network issue is resolved for the retry, the checksum matches and the download is successful.

    • If republishing the Maven artifact doesn't work, delete the package and then republish it. For more information, see DeletePackageVersions in the AWS CodeArtifact API Reference.

  • If the checksum mismatch occurs after maven-metadata.xml is uploaded, the status of the package is set to Published. You can consume any asset from the package, including those with checksum mismatches. When you download an asset, the checksum generated by AWS CodeArtifact is downloaded with it. If the downloaded file is associated with a checksum mismatch, its downloaded checksum file might not match the checksum that was uploaded when the package was published.