Closed johnthcall closed 5 years ago
jeffkl
commented
5 years ago NuGet generates the SHA512 hash and places it in the .nupkg.sha512 file. The SHA should represent a hash of the contents of the package and the path to the package should have no impact on the hash.
Can you please provide an example with a zip file of the single package from your machine and your team member's machine? I suspect that the packages are actually different so the hashes are different.
johnthcall
commented
5 years ago Attached two versions as they exist in nuget folder on my machine in a coworkers. As you can see the sha512 file contents are the same but the file names are different. When generating NugetAssetsLock.props our machines update the hashfile tag to match our systems casing. bond.csharp.Lower.zip Bond.CSharp.Camel.zip
jeffkl
commented
5 years ago Okay thanks that helps me narrow down the problem. Does the Path metadata also have different casing? Can you attach the two NuGetAssetsLock.props if you have a chance?
jeffkl
commented
5 years ago I'm pretty sure the path in the assets file is always lowercased, so I've sent a PR to fix the issue: https://github.com/CommonBuildToolset/CBT.Modules/pull/281
johnthcall
commented
5 years ago Hey Jeff, here is what the Bond.CSharp section of the NugetAssetsLock.props looks like for both of us.
<PackageReference Include="Bond.CSharp">
<Version>[3.0.6]</Version>
<Sha512>Tpfg8llC5n4sNmrOWe6+QkM9/hwIUPjj9GE5tgN9DxZ1INPSqpAZeJBi2ZSCZM0p8u2fZU0AF+Z/b0BbTGaZfA==</Sha512>
<Path>bond.csharp/3.0.6</Path>
<HashFile>Bond.CSharp.3.0.6.nupkg.sha512</HashFile>
</PackageReference><PackageReference Include="Bond.CSharp">
<Version>[3.0.6]</Version>
<Sha512>Tpfg8llC5n4sNmrOWe6+QkM9/hwIUPjj9GE5tgN9DxZ1INPSqpAZeJBi2ZSCZM0p8u2fZU0AF+Z/b0BbTGaZfA==</Sha512>
<Path>bond.csharp/3.0.6</Path>
<HashFile>bond.csharp.3.0.6.nupkg.sha512</HashFile>
</PackageReference>Perfect, thank you. My PR will fix this. I'll get a package pushed soon
jeffkl
commented
5 years ago Fix has been released: https://github.com/CommonBuildToolset/CBT.Modules/releases/tag/NuGet.Deterministic.2.0.25
Thanks for reporting the issue!
One some of my teams machines some nuget packages are downloaded in Camel case as "System.ComponentModel.EventBasedAsync.4.0.11.nupkg.sha512" in others it is lowercased "system.componentmodel.eventbasedasync.4.0.11.nupkg.sha512" When each team member builds the NuGetAssetsLock.props file is regenerated so the HashFile matches with their casing. This is causing PR's where the hash field is changing between casing. It doesn't appear the hashfield is case sensitive, when generated can it always be lowercased?