This is just an idea I'm writing down to implement later. Imagine a resource that takes a nested resource and a md5 or sha1 value (again, possibly from a resource). This would let you embed checksum checking inside other operations. <copy todir="lib"> <checksummedresource> <source> <url url="http://example.org/something.jar" /> </source> <sha1sum> <url url="https://trusted.resource/something.jar.sha1"/> </sha1sum> </checksummedresource> </copy> We cold use this to do checksum validation in fetch.xml Not sure about the right name for this. <sha1resource> and <md5resource> may be better.