ARTIFACTORY: How to Prevent "Overwrite" When Using Deploy Artifact by Checksum

Products: Frog_Artifactory
Content Type: REST_API
Author: Jian Sun
Article Number: 000006716
First Published: 2025-12-18T08:27:49Z
Last Modified: 2025-12-18

Introduction 

The Deploy Artifact by Checksum REST API deploys an artifact to the specified destination by checking whether the artifact content already exists in Artifactory.
If Artifactory already contains a user-readable artifact with the same checksum, it copies the artifact content to the new location and returns a response without requiring content transfer.
Otherwise, a 404 error is returned to indicate that a content upload is expected in order to deploy the artifact.
[Figure: the workflow of the API]

For example, set the X-Checksum-Deploy header to true and call the API.

Sometimes, however, calling the API without the overwrite permission appears to perform an unwanted “Overwrite”. The scenario is as follows:
  • A file already exists at the same target path as the destination in the API call
  • The API is called with the same checksum as that file and the same path as the destination
  • The response is “201 Created”
  • The file’s “Last Modified” timestamp is updated to the time of the API call
  • The file appears to have been overwritten because the “Last Modified” timestamp is updated, even though the user who calls the API has no overwrite permission on the file. This causes confusion in permission management.

Root Cause   

The API re-associates the already existing binaries when checksums match.
This operation does not trigger overwrite/delete permission checks, but it updates metadata such as “Last Modified” even if the file content does not change and the user who calls the API has no related permissions.


Resolution 

To prevent any form of re-deployment (including metadata updates) when the target path already exists—even if the checksum is identical—enable the following server-side property.
Edit $JFROG_HOME/artifactory/var/etc/artifactory/artifactory.system.properties and add the following line:
artifactory.enforce.permission.check.on.identical.checksum.deploy=true

 

Restart Artifactory to apply the change.

With this setting enabled:
  • If a file exists in the target path
  • AND the checksum is identical
  • AND the user has no Overwrite/Delete permission
  • Artifactory returns “403 Forbidden”
  • and there are no metadata updates, no reassociation, and no “overwrite” behaviours.
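
A check an administrator can run after the restart to confirm the property took effect, as an added example that is not part of the original article or JFrog's own code: it re-deploys an existing file by its own checksum and compares “Last Modified” before and after through the File Info API. The function names, the Bearer access token and the in-memory fake_server (constructed so the block runs offline) are assumptions of this example.

```python
import json
import urllib.error
import urllib.request

def http_send(method, url, headers):
    """Real transport: returns (status, body); does not raise on 4xx/5xx."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

def file_info(base, path, auth, send):
    """File Info API: (lastModified, sha1) of an existing artifact."""
    status, body = send("GET", f"{base}/api/storage/{path}", auth)
    if status != 200:
        raise RuntimeError(f"File Info returned {status} for {path}")
    info = json.loads(body)
    return info["lastModified"], info["checksums"]["sha1"]

def check_identical_checksum_deploy(base, path, token, send=http_send):
    """Re-deploy an existing file by its own checksum; report what changed."""
    auth = {"Authorization": f"Bearer {token}"}
    before, sha1 = file_info(base, path, auth, send)
    headers = {**auth, "X-Checksum-Deploy": "true", "X-Checksum-Sha1": sha1}
    status, _ = send("PUT", f"{base}/{path}", headers)
    touched = file_info(base, path, auth, send)[0] != before  # "Last Modified" moved?
    # 403 + untouched: property enforced. 201 + touched: behaviour described above.
    verdicts = {(403, False): "enforced", (201, True): "not-enforced"}
    verdict = verdicts.get((status, touched), "unexpected")
    return {"status": status, "touched": touched, "verdict": verdict}

def fake_server(enforce):
    """Constructed in-memory stand-in for Artifactory (offline demo only)."""
    state = {"lastModified": "2025-12-18T08:00:00.000Z"}
    def send(method, url, headers):
        if method == "GET":
            info = {"lastModified": state["lastModified"], "checksums": {"sha1": "ab" * 20}}
            return 200, json.dumps(info).encode()
        if enforce:
            return 403, b""
        state["lastModified"] = "2025-12-18T09:00:00.000Z"
        return 201, b""
    return send

if __name__ == "__main__":
    for enforce in (False, True):  # property off, then on
        print(enforce, check_identical_checksum_deploy("http://demo", "r/a.bin", "t", fake_server(enforce)))
```

To run it against a real instance, call check_identical_checksum_deploy with the server's base URL, the path of an existing file and the token of a user who has no Overwrite/Delete permission, leaving send at its default.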