badaix / snapcast

Synchronous multiroom audio player
GNU General Public License v3.0

SHA256 Mismatch on Homebrew Install #1262

Closed mww012 closed 1 month ago

mww012 commented 1 month ago

Describe the bug

Not sure if this is a Snapcast packaging issue or a Homebrew issue. If it's Homebrew just let me know and I'll work with them.

Installing Snapcast via Homebrew (brew install snapcast) produces a sha256 mismatch and aborts the install.

Steps to Reproduce

  1. Run brew install snapcast
  2. Wait for install to fail

Environment details

Attach logfile if applicable

N/A


Error: snapcast: SHA256 mismatch
Expected: ce7edf2db19835c0c4c2bf47af3bc3088a4740144df10fead9e7fb2741b8b51e
  Actual: 7911037dd4b06fe98166db1d49a7cd83ccf131210d5aaad47507bfa0cfc31407

Troubleshooting Steps Taken:

I don't have a lot of experience with Homebrew so I may be off base here.

I've received this error on multiple machines. I've tried clearing the brew cache as recommended at the end of the failed install. No luck there.

I did some digging and downloaded the Homebrew package manually. Running sha256sum against that file produces the 7911... hash. However, looking at the snapcast.rb code, line 5 has the expected hash as ce7e...

It looks like the snapcast.rb file just needs to be updated with the correct hash. If I can offer any other helpful info let me know.

owldown commented 1 month ago

I'm having the same issue on macOS.

badaix commented 1 month ago

Yes, looks like the snapcast.rb is using the wrong checksum. This issue must be fixed in the Homebrew project; you should file an issue at Homebrew or make a PR.

mww012 commented 1 month ago

I've opened an issue with the homebrew-core repo. I'll make a PR as well.

https://github.com/Homebrew/homebrew-core/issues/177612

SMillerDev commented 1 month ago

Since the checksum is checked in CI it appears that the release was at some point using that checksum. The git manual says re-tagging is "the insane thing" to do, so it would be good to check if it's that or the release has been compromised.

mww012 commented 1 month ago

@SMillerDev That's fair. Homebrew is pulling from https://github.com/badaix/snapcast/archive/refs/tags/v0.28.0.tar.gz . @badaix do you think this was just an oversight somewhere or something more malicious?

badaix commented 1 month ago

Sorry, this was my fault. As far as I remember, I found a bug in the context of Snapdroid, which pulls tagged versions of Snapcast in the CI build; I fixed the bug and moved the tag. I wasn't aware that other third parties are triggering on tags. Very important insight: I will not do this in future, but rather make another dot release instead for fixes.

mww012 commented 1 month ago

Thanks for checking into this! There's definitely a lot of moving pieces between all this stuff. Should I close the homebrew-core issue and wait for a dot release? Or is there something we still need to do with them?
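
The triage discussed in this thread (a pinned SHA-256 that no longer matches because a tag was moved), sketched as an added example that is not code from Snapcast or Homebrew. It assumes a copy of the earlier archive is still available, for instance from a cache; the archives, paths and function names below are constructed for illustration.

```python
import hashlib, hmac, io, tarfile

def make_archive(files):
    """Build an in-memory .tar.gz from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def verify_pinned(archive, expected_hex):
    """Return (ok, actual_hex) for an archive checked against a pinned SHA-256."""
    actual = hashlib.sha256(archive).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower()), actual

def member_digests(archive):
    """Map each regular file in the archive to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests

def diff_archives(old, new):
    """List paths added, removed or changed between two archives of one tag."""
    a, b = member_digests(old), member_digests(new)
    return {
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
        "changed": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }

# Constructed sample: the same tag name archived before and after it was moved.
BEFORE = make_archive({"pkg-1.0/main.cpp": b"int main() { return 1; }\n",
                       "pkg-1.0/README.md": b"demo\n"})
AFTER = make_archive({"pkg-1.0/main.cpp": b"int main() { return 0; }\n",
                      "pkg-1.0/README.md": b"demo\n"})
PINNED = hashlib.sha256(BEFORE).hexdigest()  # value recorded at release time

if __name__ == "__main__":
    ok, actual = verify_pinned(AFTER, PINNED)
    print("Expected:", PINNED)
    print("  Actual:", actual, "(match)" if ok else "(MISMATCH)")
    print(diff_archives(BEFORE, AFTER))
```

The per-file diff narrows a whole-archive mismatch down to the paths that differ, which can then be compared against the commits between the old and new tag targets.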