Artifacts in a Maven repository have MD5 and SHA1 hash values. Where are the hash values generated, during build time by the local Maven installation or by the repository server after the artifacts have been uploaded?
The .md5 and the .sha1 hashes are generated by Maven's Artifact handling code just before deployment (though bugs in 2.1.0 and 2.2.0 resulted in the hashes being computed earlier, which is why those specific versions deploy incorrect hashes and are considered a bad idea to use).
If you want to validate artifact authenticity, it's the GPG signatures that all recent (at least the last 2 years) releases in Central are required to have as well.
Consider the .md5 and .sha1 hashes as verification that the artifact is intact, and the GPG signature as verification that the artifact is authentic.
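An added example, not part of the original answer: a Python check of a downloaded artifact against its .md5 and .sha1 sidecar files. It assumes each sidecar holds a hex digest, optionally followed by a file name; the artifact name and contents are constructed for the demo. A match shows only that the file is intact and says nothing about who produced it.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Sidecar extension -> (hashlib algorithm name, hex digest length).
ALGORITHMS = {".md5": ("md5", 32), ".sha1": ("sha1", 40)}

def parse_sidecar(text, hex_len):
    """Return the lowercase digest; assumes 'digest' or 'digest  filename'."""
    tokens = text.split()
    if not tokens or not re.fullmatch(r"[0-9a-fA-F]{%d}" % hex_len, tokens[0]):
        raise ValueError("malformed checksum file")
    return tokens[0].lower()

def file_digest(path, algorithm):
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_artifact(artifact):
    """Compare an artifact with every sidecar present; return {ext: bool}."""
    artifact = Path(artifact)
    results = {}
    for ext, (algorithm, hex_len) in ALGORITHMS.items():
        sidecar = artifact.with_name(artifact.name + ext)
        if not sidecar.is_file():
            continue  # no sidecar of this type was downloaded
        expected = parse_sidecar(sidecar.read_text(), hex_len)
        results[ext] = hmac.compare_digest(expected, file_digest(artifact, algorithm))
    return results

def demo():
    """Constructed sample: intact artifact first, then a corrupted copy."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = Path(tmp) / "example-1.0.jar"
        jar.write_bytes(b"constructed sample artifact bytes")
        Path(str(jar) + ".md5").write_text(file_digest(jar, "md5") + "\n")
        Path(str(jar) + ".sha1").write_text(file_digest(jar, "sha1").upper() + "  example-1.0.jar\n")
        intact = verify_artifact(jar)
        jar.write_bytes(b"corrupted in transit")
        damaged = verify_artifact(jar)
    return intact, damaged

if __name__ == "__main__":
    print(demo())
```

Because the sidecars come from the same repository as the artifact, anyone able to replace the artifact can replace them too, which is why authenticity is left to the GPG signature.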