java - Lock dependencies by secure checksum in Maven -

when distribute source project pom can define dependencies version strings. build download dependencies if not in local repository, verify checksums of downloaded files metadata same repository (-c).

however build download dependencies number of public repositories (and proxies) , users @ mercy of public services if return unmodified files.

i have way record checksums of build dependencies , ship them pom (so sure files unaltered dont need ship copy of local repository builders).

is there maven way this? similiar that, there easy way archive dependencies (copy of local repository used artifacts , metadata files) can repeat build when central repositories fail or ship them offline customers?

(both without need repository proxy if possible. know can build that, wonder if there infrastructure in maven already. maybe shipping local repository contain metadata files or similiar?)

nb: not looking createchecksum on generated artifacts, on locking checksums of used dependencies. found maven-create-checksums plugin, no corresponding verifyer.

there bitcoinjenforcerrules, appears plugin maven's enforcer plugin (that's right it's plugin plugin). works similar gradle-witness, means compares checksum of (hopefully) all used artifact dependencies list have created.

while it's better nothing, ideal solution if 1 set checksum (or openpg key used sign pom in case it's snapshot artifact) pom of direct dependencies, , pom of dependencies contain checksum of it's artifacts, , checksum (/openpg key, if snapshot) of pom of direct dependencies, , on. note if checksums used, should tied particular maven repository, since same (non-changing, i.e. non-snapshot) artifact may have different checksums in different repositories.