Safeguard
DevSecOps

How to Download Maven for Windows and Verify It Safely

To download Maven for Windows, grab the binary zip from the official Apache site, verify its checksum, and set JAVA_HOME plus PATH. Here is the full, safe walkthrough.

Karan Patel
Platform Engineer
6 min read

To download Maven for Windows, download the binary zip archive from the official Apache Maven site, verify its published checksum, extract it, and add its bin directory to your PATH — that sequence gets you a working, tamper-checked install in about five minutes. Maven is the dependency and build manager most Java projects rely on, and because it runs during every build and pulls artifacts from remote repositories, where and how you obtain it is a security decision, not just a convenience. This guide covers the Maven download for Windows end to end, including the verification step most tutorials skip.

Where should you download Maven for Windows?

You should perform any Apache Maven download for Windows from exactly one place: maven.apache.org/download.cgi, the official project download page. Third-party "download portals," random blog mirrors, and bundled installer sites are where tampered or outdated binaries live, and a compromised build tool sits in the most privileged spot in your pipeline. Treat the source of your build tooling with the same suspicion you would treat any dependency.

On that page, Maven is distributed as a plain zip archive rather than a Windows .msi installer, which is normal — Maven is a Java application and does not need a native installer. Choose the "Binary zip archive," which has a filename in the form apache-maven-3.9.x-bin.zip, where 3.9.x is the current release the page lists. Grab the latest 3.9 line unless a project pins you to something specific. Note the SHA-512 checksum link next to the download; you will need it in a moment.

What do you need before installing?

Before you install, you need a JDK, because Maven is a Java tool and will not run without one. The Maven 3.9 line requires JDK 8 or above to execute, and most current projects target a newer LTS release such as JDK 17 or JDK 21. Install a full JDK, not just a JRE — Maven and the compiler plugin need the development kit's tools, and a JRE alone will fail with cryptic errors.

Confirm Java is present and note its install path by opening PowerShell and running:

java -version

If that command is not recognized, install a JDK first. The path where it lands — something like C:\Program Files\Eclipse Adoptium\jdk-21 — is what you will set JAVA_HOME to shortly. Getting JAVA_HOME right is the single most common cause of a Maven install that "won't work," so do not skip verifying it.

How do you verify the download before extracting it?

You verify the download by computing its SHA-512 hash and comparing it to the value Apache publishes, which confirms the file arrived intact and untampered. Windows ships with certutil, so no extra tooling is needed. From the folder containing your download, run:

certutil -hashfile apache-maven-3.9.x-bin.zip SHA512

Compare the output, character for character, against the .sha512 value linked on the download page. If they match, the archive is authentic; if they do not, delete it and download again from the official site. This step takes fifteen seconds and defends against corrupted transfers and man-in-the-middle tampering alike. Build tools are a classic supply-chain target precisely because they run with full trust inside CI, so verifying the hash of anything you install into that environment is a habit worth keeping — the same logic applies to every artifact your builds later pull down.

How do you install and configure Maven on Windows?

You install Maven on Windows by extracting the verified zip to a stable location and wiring up two environment variables. Extract the archive to a path without spaces or version churn — C:\Program Files\Apache\maven or C:\tools\maven both work. Avoid extracting into your Downloads folder, where it is easy to delete by accident.

Next, set the environment variables. Open "Edit the system environment variables," then "Environment Variables," and add:

  • JAVA_HOME pointing at your JDK install root (the directory that contains bin, not the bin directory itself).
  • Append %JAVA_HOME%\bin and C:\Program Files\Apache\maven\bin to your Path.

You can also do it from an elevated PowerShell session:

[Environment]::SetEnvironmentVariable("JAVA_HOME", "C:\Program Files\Eclipse Adoptium\jdk-21", "Machine")
$maven = "C:\Program Files\Apache\maven\bin"
$path = [Environment]::GetEnvironmentVariable("Path", "Machine")
[Environment]::SetEnvironmentVariable("Path", "$path;$maven", "Machine")

Open a new terminal after making these changes — existing terminals keep the old environment. That "open a new window" step catches almost everyone the first time they set up Maven on Windows.

How do you confirm Maven works?

You confirm Maven works by running its version command in a fresh terminal:

mvn -v

A healthy install prints the Maven version, the Java version it is using, and the resolved JAVA_HOME. If you see "mvn is not recognized," your PATH entry did not take — reopen the terminal, and double-check the bin path. If Maven runs but reports the wrong or no Java, fix JAVA_HOME. Once mvn -v looks right, build any project with mvn clean install and watch Maven resolve dependencies into your local repository at %USERPROFILE%\.m2\repository.

That local repository is worth a security note. Every dependency Maven downloads lands there and gets compiled into your artifacts, which means Maven is quietly assembling your software supply chain on every build. Knowing which of those transitive dependencies carry known vulnerabilities is a job for software composition analysis rather than Maven itself, and it is the natural next step once your build tool is running. Our security academy covers how to wire dependency scanning into a Maven pipeline.

FAQ

Is there an MSI installer for Maven on Windows?

No, and you do not need one. Apache distributes Maven as a binary zip archive because it is a Java application that runs from any directory once extracted. Download the zip, verify it, extract it, and add its bin folder to your PATH — that is the supported install path on Windows.

Which JDK version does Maven need?

The Maven 3.9 line requires JDK 8 or above to run. In practice most teams install a current LTS release such as JDK 17 or 21, both of which work fine. Install a full JDK rather than just a JRE, and point JAVA_HOME at the JDK's root directory.

Why does mvn -v say the command is not recognized?

That almost always means the Maven bin directory is not on your PATH, or you are using a terminal that was open before you changed the environment variables. Confirm the PATH entry points at the bin folder inside your extracted Maven directory, then open a brand-new terminal and try again.

Do I really need to check the checksum?

Yes. It takes seconds with certutil -hashfile and it verifies the archive was not corrupted or tampered with in transit. Your build tool runs with full trust inside every build, so confirming its integrity before installation is a cheap, worthwhile supply-chain precaution.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.