OpenLiberty / ci.maven

Maven plugins for managing Liberty profile servers #devops
Apache License 2.0

Warning message on download of feature *.esa.ac file when installing features yet feature verification seems to succeed #1784

Open scottkurz opened 8 months ago

scottkurz commented 8 months ago

Using:

The first time I run dev mode (when the feature is downloaded), I get the following:

[INFO] Configuration features have been added: [cloudant-1.0]
[INFO] Running liberty:install-feature
[INFO] Feature signature verify option: enforce
[INFO] Parsing the server file for features and includes: tempConfig10310779532609883731\server.xml
[INFO] Parsing the server file for features and includes: tempConfig10310779532609883731\configDropins/overrides/liberty-plugin-variable-config.xml
[INFO] plugin listed esa: []

[INFO] Resolving features... 
Downloading from central: https://repo.maven.apache.org/maven2/io/openliberty/features/cloudant-1.0/23.0.0.12/cloudant-1.0-23.0.0.12.esa
Downloaded from central: https://repo.maven.apache.org/maven2/io/openliberty/features/cloudant-1.0/23.0.0.12/cloudant-1.0-23.0.0.12.esa (124 kB at 269 kB/s)
Downloading from central: https://repo.maven.apache.org/maven2/io/openliberty/features/cloudant-1.0/23.0.0.12/cloudant-1.0-23.0.0.12.esa.asc
[WARNING] Could not validate integrity of download from https://repo.maven.apache.org/maven2/io/openliberty/features/cloudant-1.0/23.0.0.12/cloudant-1.0-23.0.0.12.esa.asc
org.eclipse.aether.transfer.ChecksumFailureException: Checksum validation failed, no checksums available
    at org.eclipse.aether.internal.impl.AbstractChecksumPolicy.onNoMoreChecksums (AbstractChecksumPolicy.java:64)
    at org.eclipse.aether.connector.basic.ChecksumValidator.validate (ChecksumValidator.java:107)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$GetTaskRunner.runTask (BasicRepositoryConnector.java:460)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$TaskRunner.run (BasicRepositoryConnector.java:364)
    at org.eclipse.aether.util.concurrency.RunnableErrorForwarder$1.run (RunnableErrorForwarder.java:75)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector$DirectExecutor.execute (BasicRepositoryConnector.java:628)
    at org.eclipse.aether.connector.basic.BasicRepositoryConnector.get (BasicRepositoryConnector.java:262)
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.performDownloads (DefaultArtifactResolver.java:514)
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolve (DefaultArtifactResolver.java:402)
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifacts (DefaultArtifactResolver.java:229)
    at org.eclipse.aether.internal.impl.DefaultArtifactResolver.resolveArtifact (DefaultArtifactResolver.java:207)
    at org.eclipse.aether.internal.impl.DefaultRepositorySystem.resolveArtifact (DefaultRepositorySystem.java:262)
    at io.openliberty.tools.maven.AbstractLibertySupport.resolveArtifactFile (AbstractLibertySupport.java:602)
    at io.openliberty.tools.maven.AbstractLibertySupport.resolveArtifactItem (AbstractLibertySupport.java:570)
    at io.openliberty.tools.maven.AbstractLibertySupport.createArtifact (AbstractLibertySupport.java:522)
    at io.openliberty.tools.maven.AbstractLibertySupport.getResolvedArtifact (AbstractLibertySupport.java:202)
    at io.openliberty.tools.maven.AbstractLibertySupport.getArtifact (AbstractLibertySupport.java:174)
    at io.openliberty.tools.maven.AbstractLibertySupport.getArtifact (AbstractLibertySupport.java:277)
    at io.openliberty.tools.maven.AbstractLibertySupport.getArtifact (AbstractLibertySupport.java:247)
    at io.openliberty.tools.maven.InstallFeatureSupport$InstallFeatureMojoUtil.downloadArtifact (InstallFeatureSupport.java:116)
    at io.openliberty.tools.maven.InstallFeatureSupport$InstallFeatureMojoUtil.downloadSignature (InstallFeatureSupport.java:124)
    at io.openliberty.tools.common.plugins.util.InstallFeatureUtil.downloadEsaArtifact (InstallFeatureUtil.java:508)
    at io.openliberty.tools.common.plugins.util.InstallFeatureUtil.downloadEsas (InstallFeatureUtil.java:529)
    at io.openliberty.tools.common.plugins.util.InstallFeatureUtil.installFeatures (InstallFeatureUtil.java:735)
    at io.openliberty.tools.maven.server.InstallFeatureMojo.installFeatures (InstallFeatureMojo.java:115)
    at io.openliberty.tools.maven.server.InstallFeatureMojo.doInstallFeatures (InstallFeatureMojo.java:77)
    at io.openliberty.tools.maven.server.InstallFeatureMojo.execute (InstallFeatureMojo.java:68)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.twdata.maven.mojoexecutor.MojoExecutor.executeMojo (MojoExecutor.java:120)
    at io.openliberty.tools.maven.server.StartDebugMojoSupport.runLibertyMojo (StartDebugMojoSupport.java:380)
    at io.openliberty.tools.maven.server.StartDebugMojoSupport.runLibertyMojoInstallFeature (StartDebugMojoSupport.java:362)
    at io.openliberty.tools.maven.server.DevMojo.runLibertyMojoInstallFeature (DevMojo.java:1971)
    at io.openliberty.tools.maven.server.DevMojo$DevMojoUtil.installFeatures (DevMojo.java:1136)
    at io.openliberty.tools.common.plugins.util.DevUtil.installFeaturesToTempDir (DevUtil.java:4622)
    at io.openliberty.tools.common.plugins.util.DevUtil.processConfigFileChange (DevUtil.java:4372)
    at io.openliberty.tools.common.plugins.util.DevUtil.processFileChanges (DevUtil.java:4230)
    at io.openliberty.tools.common.plugins.util.DevUtil.watchFiles (DevUtil.java:3158)
    at io.openliberty.tools.maven.server.DevMojo.doDevMode (DevMojo.java:1543)
    at io.openliberty.tools.maven.server.DevMojo.execute (DevMojo.java:1564)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:370)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:351)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:299)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:193)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:106)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:963)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:296)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:199)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:77)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:568)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)
[WARNING] Checksum validation failed, no checksums available from central for https://repo.maven.apache.org/maven2/io/openliberty/features/cloudant-1.0/23.0.0.12/cloudant-1.0-23.0.0.12.esa.asc
Downloaded from central: https://repo.maven.apache.org/maven2/io/openliberty/features/cloudant-1.0/23.0.0.12/cloudant-1.0-23.0.0.12.esa.asc (853 B at 17 kB/s)
[INFO] Downloading public key(s) for signature verification
[INFO] Verifying features
<---------------------> 0.00%
All features were successfully verified.

As far as I can tell, everything works fine, however.

If I run dev mode a 2nd time with the same features, things proceed smoothly, without error messages.

If I upgrade Maven to v3.9.5 (a version I just happened to try), the message disappears, even for a newly-downloaded feature.

QUESTIONS

  1. Why the warning message? (Though this seems to have been addressed by the Maven distro.)
  2. Is this really the right behavior for the default 'enforce' option? The 'verify' parm doc mentions:

    Specifies how features must be verified during a process or an installation. Supported values are enforce, skip, all, and warn. If this option is not specified, the default value is enforce.

    • enforce: Verifies the signatures of all Liberty features except for user features. It checks the integrity and authenticity of the features that are provided by the Liberty framework.

The behavior I saw aligns more with how I'd expect warn to work, however.

jjiwooLim commented 8 months ago

Hi, the warning message on download is irrelevant to feature signature verification. The checksum of the artifact is validated when resolving (downloading) the feature using the Maven API. Then the tool downloads the Liberty public key and starts verifying the feature signature.

I couldn't find a good reason why this checksum validation failed, but in this post they were able to resolve the issue by upgrading the Maven version, like you already mentioned.
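The comment above separates two checks: the checksum check Maven performs on download, and the feature signature verification that follows. As an added example (not part of the thread and not the plugin's own code), this sketch triages a build log so that a missing checksum on the detached `.asc` signature file is not confused with a problem on the feature artifact or with the signature result. The function names `triage` and `gate` are hypothetical, and the sample log is constructed from lines quoted in the issue.

```python
import re

# Constructed sample: a condensed copy of log lines quoted in the issue above.
SAMPLE_LOG = """\
[INFO] Feature signature verify option: enforce
Downloaded from central: https://repo.maven.apache.org/maven2/io/openliberty/features/cloudant-1.0/23.0.0.12/cloudant-1.0-23.0.0.12.esa (124 kB at 269 kB/s)
[WARNING] Could not validate integrity of download from https://repo.maven.apache.org/maven2/io/openliberty/features/cloudant-1.0/23.0.0.12/cloudant-1.0-23.0.0.12.esa.asc
[WARNING] Checksum validation failed, no checksums available from central for https://repo.maven.apache.org/maven2/io/openliberty/features/cloudant-1.0/23.0.0.12/cloudant-1.0-23.0.0.12.esa.asc
[INFO] Verifying features
All features were successfully verified.
"""

CHECKSUM_WARN = re.compile(
    r"^\[WARNING\] (?:Could not validate integrity of download from"
    r"|Checksum validation failed.* for) (\S+)$")
VERIFY_OPTION = re.compile(r"Feature signature verify option: (\w+)")
VERIFIED_OK = "All features were successfully verified."


def triage(log_text):
    """Separate download-checksum warnings from the signature-verification result."""
    result = {"verify_option": None, "signature_verified": False,
              "sig_file_warnings": [], "artifact_warnings": []}
    for line in log_text.splitlines():
        line = line.strip()
        if (m := VERIFY_OPTION.search(line)):
            result["verify_option"] = m.group(1)
        elif line == VERIFIED_OK:
            result["signature_verified"] = True
        elif (m := CHECKSUM_WARN.match(line)):
            url = m.group(1)
            # A missing checksum on the detached signature (.asc) is the case in
            # this issue; the same warning on an artifact is tracked separately.
            bucket = "sig_file_warnings" if url.endswith(".asc") else "artifact_warnings"
            if url not in result[bucket]:
                result[bucket].append(url)
    return result


def gate(result):
    """Pass only if signatures were enforced and verified and no artifact lacked a checksum."""
    return (result["verify_option"] == "enforce"
            and result["signature_verified"]
            and not result["artifact_warnings"])


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(r, "PASS" if gate(r) else "FAIL")
```
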

scottkurz commented 8 months ago

Thanks for the update. It sounds like the only thing left is to decide if we formally raise the minimum supported Maven version. (Not sure what version this would be exactly.) It doesn't seem worth it to me since this is just a warning message anyway, and things basically work.

jjiwooLim commented 8 months ago

I agree; when I tried, the warning messages went away with Maven v3.9.0.

yeekangc commented 7 months ago

Issue for starter to update Maven version: https://github.com/OpenLiberty/start.openliberty.io/issues/241