🤖 AI Summary
Maven has no native lockfile, so a Java build resolves its dependency graph afresh each time and cannot check that the artifacts it downloads are the ones it was built with before; this hurts reproducibility and leaves the build exposed to tampered or substituted dependencies. The paper presents Maven-Lockfile, a Maven plugin that resolves the project's dependency graph and writes a lockfile recording the exact version and a cryptographic checksum of every direct and transitive dependency, so later builds can pin those versions and verify artifact integrity. The plugin generates and updates the lockfile, validates a build against it, and supports rebuilding a project from a past version. It needs minimal configuration. In the evaluation on real-world projects it reproduced builds from historical commits and detected tampered artifacts. The work fills a gap in Java build reproducibility and supply-chain security with a lockfile-based tool for the Maven ecosystem.
📝 Abstract
Modern software projects depend on many third-party libraries, complicating reproducible and secure builds. Several package managers address this by generating a lockfile that freezes dependency versions and can be used to verify the integrity of dependencies. Yet Maven, one of the most important package managers in the Java ecosystem, lacks native support for a lockfile. We present Maven-Lockfile to generate and update lockfiles, with support for rebuilding projects from past versions. Our lockfiles capture all direct and transitive dependencies with their checksums, enabling high-integrity builds. Our evaluation shows that Maven-Lockfile can reproduce builds from historical commits and is able to detect tampered artifacts. With minimal configuration, Maven-Lockfile equips Java projects with modern build integrity and build reproducibility, and fosters future research on software supply chain security in Java.
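The mechanism the abstract describes, pinning every direct and transitive dependency with a checksum and then refusing a build whose artifacts do not match, can be shown end to end on a toy dependency graph. The following is an added example, not Maven-Lockfile's code or its lockfile format: the repository contents, the Maven-style coordinates (`groupId:artifactId:version`), the dependency declarations and the JSON layout are all constructed here for illustration, and SHA-256 is used as the checksum only because it is a common choice, not because the paper specifies it.

```python
"""Added illustration of lockfile generation and verification over Maven-style
coordinates. Not Maven-Lockfile's code or format: the repository, the dependency
graph and the JSON layout below are constructed for the example."""
import hashlib
import json

# Constructed stand-in for a remote repository: coordinate -> jar bytes.
REPO = {
    "org.example:app-core:1.4.0": b"PK\x03\x04 app-core 1.4.0 (constructed jar bytes)",
    "org.example:json-util:2.1.3": b"PK\x03\x04 json-util 2.1.3 (constructed jar bytes)",
    "org.example:base-io:0.9.7": b"PK\x03\x04 base-io 0.9.7 (constructed jar bytes)",
}

# Constructed dependency declarations, i.e. what each artifact's POM would list.
# app-core depends on json-util, which depends on base-io (a transitive dep).
DEPENDS_ON = {
    "org.example:app-core:1.4.0": ["org.example:json-util:2.1.3"],
    "org.example:json-util:2.1.3": ["org.example:base-io:0.9.7"],
    "org.example:base-io:0.9.7": [],
}


def resolve(direct, depends_on):
    """Return the full closure (direct + transitive) of the given direct
    dependencies, in a deterministic (sorted) order so the lockfile is stable."""
    seen, queue = set(), list(direct)
    while queue:
        coord = queue.pop(0)
        if coord in seen:
            continue
        seen.add(coord)
        queue.extend(depends_on[coord])
    return sorted(seen)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def generate_lockfile(direct, depends_on, repo):
    """Serialise one entry per resolved artifact: exact version plus checksum
    of the bytes actually fetched, and whether the dependency is direct."""
    entries = []
    for coord in resolve(direct, depends_on):
        group, artifact, version = coord.split(":")
        entries.append({
            "groupId": group,
            "artifactId": artifact,
            "version": version,
            "direct": coord in direct,
            "sha256": sha256_hex(repo[coord]),
        })
    return json.dumps({"dependencies": entries}, indent=2, sort_keys=True)


def load_lockfile(lock_text):
    return json.loads(lock_text)["dependencies"]


def verify_lockfile(lock_text, repo):
    """Check the artifacts a build would use against the lockfile. Returns a
    list of problems (missing artifacts, checksum mismatches); empty means the
    build may proceed with exactly the pinned, untampered dependencies."""
    problems = []
    for e in load_lockfile(lock_text):
        coord = f'{e["groupId"]}:{e["artifactId"]}:{e["version"]}'
        data = repo.get(coord)
        if data is None:
            problems.append(f"missing: {coord}")
        elif sha256_hex(data) != e["sha256"]:
            problems.append(f"checksum mismatch: {coord}")
    return problems


if __name__ == "__main__":
    lock = generate_lockfile(["org.example:app-core:1.4.0"], DEPENDS_ON, REPO)
    print(lock)
    print("clean repo:", verify_lockfile(lock, REPO))
    # Simulate a tampered transitive artifact served under the same coordinates.
    tampered = dict(REPO)
    tampered["org.example:base-io:0.9.7"] += b"\x00 injected payload"
    print("tampered repo:", verify_lockfile(lock, tampered))
```

The point worth noticing is that the checksum is taken over the transitive artifact `base-io` as well as the direct one: a build that only pinned versions, or only checked its declared dependencies, would accept the modified `base-io` jar because its coordinates are unchanged.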