What are Client Checksum, Server Checksum, and Checksum Policy in local repositories?

JFrog Support
2016-10-06 13:38

Generally, there are two checksums of interest: one calculated by Artifactory from the file content, and one provided by the client upon deployment. These two values should be identical; when they are, the binary's data integrity is confirmed.

For each repository, you can configure a checksum policy. Based on this policy, Artifactory knows how to behave when the checksum it calculated does not match the checksum that was provided by the client.


The two checksum policy choices are as follows:

1. Verify against client checksums – this is the default checksum policy for local repositories.

With this policy, when the client sends a checksum header along with the file, Artifactory calculates the file's checksum and compares the client-supplied value with its own calculated value.


If a checksum was not provided along with the file during deployment, then the following message will be displayed:

Client did not publish a checksum value.

If you trust the uploaded artifact you can accept the actual checksum by clicking the 'Fix Checksum' button.


By clicking the "Fix Checksum" button, you are instructing Artifactory to trust the checksums that it generated itself. No comparison between a client checksum and the server checksum takes place, so nothing confirms that the stored content is what the client intended to upload.


If a checksum is not provided, and you do not resolve the problem with "Fix Checksum", then a client GET request for that artifact's checksum file (the .sha1 or .md5 file served next to the artifact) will receive a 404 (Not Found) error.

If the submitted checksum does not match the checksum Artifactory generated, Artifactory returns a 409 (Conflict) error, and will keep doing so until a matching checksum is deployed.


Important note:

It is quite common for files to become corrupted during transfer. With this checksum policy (requiring that the client's checksum match the one calculated by Artifactory), an upload whose bytes were altered in transit is rejected instead of being stored, and the checksum Artifactory records can later be used by consumers to verify what they download.


2. Trust server generated checksums.

Artifactory will not verify checksums sent by clients and will trust the server's locally calculated checksums. An uploaded artifact is immediately available for use, but its integrity might be compromised.

This policy is riskier, since the server never compares the checksum it calculated from the file content with the checksum the client uploaded.


Here is an example of how to deploy a file using curl, sending the client's SHA-1 checksum as a request header alongside the file content:

curl -u admin:password -T file.jar -H "X-Checksum-Sha1: c9a355147857198da3bdb3f24c4e90bd98a61e8b" "http://localhost:8081/artifactory/libs-release-local/file.jar" -i
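The following script is added here as a worked example and is not part of the JFrog article. It computes the SHA-1 and MD5 of an artifact locally, deploys it with the X-Checksum-Sha1 and X-Checksum-Md5 headers (so a repository using the "Verify against client checksums" policy has a client value to compare), interprets the 409 response described above, and then fetches the stored .sha1 file to confirm what the server recorded. The 201 success code for a PUT, the ARTIFACTORY_USER and ARTIFACTORY_PASSWORD environment variables, and the command-line arguments are assumptions of this example rather than facts stated in the article.

```shell
#!/bin/sh
# Added example (not from the JFrog article): deploy an artifact with client
# checksum headers and check what Artifactory's checksum policy did with it.
# Assumptions: credentials in ARTIFACTORY_USER / ARTIFACTORY_PASSWORD (defaulting
# to the article's admin:password) and the target URL passed as an argument.
set -eu

# Digest helpers: GNU coreutils (sha1sum/md5sum) with a BSD/macOS fallback.
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | awk '{print $1}'
  else shasum -a 1 "$1" | awk '{print $1}'; fi
}
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | awk '{print $1}'
  else md5 -q "$1"; fi
}

# Map the HTTP status of the PUT to the checksum-policy outcome.
# 409 is the mismatch case from the article; 201 Created is the normal
# success status for a deploy (assumed here, not stated in the article).
explain_status() {
  case "$1" in
    201) echo "match" ;;       # stored; client and server checksums agree
    409) echo "mismatch" ;;    # client checksum != server-calculated checksum
    *)   echo "other:$1" ;;    # auth failure, bad path, etc.: not a checksum decision
  esac
}

# PUT the file with its checksums in headers; print the outcome word.
deploy_with_checksums() {
  file="$1"; target="$2"
  status=$(curl -sS -o /dev/null -w '%{http_code}' \
    -u "${ARTIFACTORY_USER:-admin}:${ARTIFACTORY_PASSWORD:-password}" \
    -H "X-Checksum-Sha1: $(sha1_of "$file")" \
    -H "X-Checksum-Md5: $(md5_of "$file")" \
    -T "$file" "$target")
  explain_status "$status"
}

# After deployment, fetch the server's .sha1 file and compare it with the local digest.
# A 404 here is the "Client did not publish a checksum value" situation from the article.
verify_stored_sha1() {
  file="$1"; target="$2"
  remote=$(curl -sS -f -u "${ARTIFACTORY_USER:-admin}:${ARTIFACTORY_PASSWORD:-password}" \
    "$target.sha1") || { echo "no-checksum-file"; return 1; }
  if [ "$remote" = "$(sha1_of "$file")" ]; then echo "verified"
  else echo "mismatch"; return 1; fi
}

# Usage: ./deploy.sh file.jar http://localhost:8081/artifactory/libs-release-local/file.jar
if [ "$#" -eq 2 ]; then
  deploy_with_checksums "$1" "$2"
  verify_stored_sha1 "$1" "$2"
fi
```

Sending the checksum computed on the client side is what gives the "Verify against client checksums" policy something to compare; if the bytes are altered in transit, the PUT comes back as 409 and the artifact is not stored, while the follow-up GET of the .sha1 file confirms that the server recorded a checksum at all rather than leaving the "Client did not publish a checksum value" state behind.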