conan-io / conan-center-index

Recipes for the ConanCenter repository
https://conan.io/center
MIT License

[package] ConanException: sha256 signature failed (Seems lots of github projects are being affected) #15571

Closed offa closed 1 year ago

offa commented 1 year ago

Description

Installation of Catch2 v3.3.0 fails due to hash mismatches since today:

```
catch2/3.3.0: Configuring sources in /github/home/.conan/data/catch2/3.3.0/_/_/source/src
ERROR: catch2/3.3.0: Error in source() method, line 92
    get(self, **self.conan_data["sources"][self.version], destination=self.source_folder, strip_root=True)
    ConanException: sha256 signature failed for 'v3.3.0.tar.gz' file.
 Provided signature: fe2f29a54ca775c2dd04bb97ffb79d398e6210e3caa174348b5cd3b7e4ca887d
 Computed signature: 48f06c98e685ac809db092364a7ef5604ed51f3e9edacca1b4beb84cdd147038
```

Package and Environment Details

Conan profile

Default Linux (GCC / Clang), Windows (MSVC) and Mac OS (Clang)

Steps to reproduce

  1. Install catch2/3.3.0
  2. Installation fails with hash mismatch

Logs

```
catch2/3.3.0: Configuring sources in /github/home/.conan/data/catch2/3.3.0/_/_/source/src
ERROR: catch2/3.3.0: Error in source() method, line 92
    get(self, **self.conan_data["sources"][self.version], destination=self.source_folder, strip_root=True)
    ConanException: sha256 signature failed for 'v3.3.0.tar.gz' file.
 Provided signature: fe2f29a54ca775c2dd04bb97ffb79d398e6210e3caa174348b5cd3b7e4ca887d
 Computed signature: 48f06c98e685ac809db092364a7ef5604ed51f3e9edacca1b4beb84cdd147038
```

kbarry-aurora commented 1 year ago

I'm also seeing this for some other packages: libpqxx/7.7.4, fmt/8.1.1, protobuf/3.21.4

```
libpqxx/7.7.4: Configuring sources in /root/.conan/data/libpqxx/7.7.4/_/_/source/src
ERROR: libpqxx/7.7.4: Error in source() method, line 99
    get(self, **self.conan_data["sources"][self.version], destination=self.source_folder, strip_root=True)
    ConanException: sha256 signature failed for '7.7.4.tar.gz' file.
 Provided signature: 65b0a06fffd565a19edacedada1dcfa0c1ecd782cead0ee067b19e2464875c36
 Computed signature: 17cb5d8e35018698b0cf162400546e1038aa09be4e444d59869307b7f4070e24
fmt/8.1.1: Configuring sources in /root/.conan/data/fmt/8.1.1/_/_/source/src
ERROR: fmt/8.1.1: Error in source() method, line 96
    get(self, **self.conan_data["sources"][self.version],
    ConanException: sha256 signature failed for '8.1.1.tar.gz' file.
 Provided signature: 3d794d3cf67633b34b2771eb9f073bde87e846e0d395d254df7b211ef1ec7346
 Computed signature: 48104b18e6779d4f04dea35a0a3845b102a04bab3cd111a98275b7a89e05e567
protobuf/3.21.4: Configuring sources in /root/.conan/data/protobuf/3.21.4/_/_/source/src
ERROR: protobuf/3.21.4: Error in source() method, line 86
    get(self, **self.conan_data["sources"][self.version], strip_root=True)
    ConanException: sha256 signature failed for 'v3.21.4.tar.gz' file.
 Provided signature: 85d42d4485f36f8cec3e475a3b9e841d7d78523cd775de3a86dba77081f4ca25
 Computed signature: efdaaf08f34af3b6cd906e59e181e3e30589a2fc2cc9d89036f92d529b9fe1cd
```

SpaceIm commented 1 year ago

Yes, all auto-generated tarballs from GitHub seem to be affected.

prince-chrismc commented 1 year ago

Thanks for reporting, I am pinning this issue since it's kinda beyond our control 😱

prince-chrismc commented 1 year ago

#15574 #15575 #15576 I have also seen on Slack that b2 is affected

daniel-heater-imprivata commented 1 year ago

@prince-chrismc Is the response going to be to update all of the affected SHAs in Conan or do we know that yet?

fpelliccioni commented 1 year ago

Do you know if the issue is just with .tar.gz files? What about .zip files? Is it a GitHub issue?

SpaceIm commented 1 year ago

https://github.com/bazel-contrib/SIG-rules-authors/issues/11#issuecomment-1409362685

ericriff commented 1 year ago

It looks like a generalized issue on GitHub https://github.com/orgs/community/discussions/45830

SpaceIm commented 1 year ago

https://github.blog/changelog/2023-01-30-git-archive-checksums-may-change/

prince-chrismc commented 1 year ago

RIP

ericriff commented 1 year ago

I hope they roll this back or every packaging system will be broken

Hopobcn commented 1 year ago

https://github.com/orgs/community/discussions/45830#discussioncomment-4823531

> Hey,
>
> I'm one of the engineers in the Git Systems org at GitHub. I think there's been a misinterpretation of what we guarantee as far as stability.
>
> If you generate a release for a particular tag, and you upload your own assets, such as a tarball or binaries, we'll guarantee those don't change. However, the automated "Source code (tar.gz)" and "Source code (zip)" links, as well as any automated archives we generate, aren't guaranteed to be stable. That's because Git doesn't guarantee stability here and we rely on Git to generate those archives on the fly, so as we upgrade, things may change.
>
> If you need a stable source code archive, please generate a release and upload your own archive as part of this process, and then you can reference those with stable hashes.
>
> To give you an example as to what's stable and what's not, if you look at the latest Git LFS release at https://github.com/git-lfs/git-lfs/releases/tag/v3.3.0, all of the Assets entries except the two "Source code" links at the bottom are guaranteed to be stable (since those two are autogenerated). You'll notice we ship our own stable tarball and signed hashes as part of the assets, and that works.
>
> I apologize for the confusion here, and hopefully this clarifies things.

ouch..

Is this an opportunity to mirror everything? :-D

SpaceIm commented 1 year ago

This is why conan-center must always try to download stable archives instead of autogenerated GitHub tarballs, but a lot of projects don't generate source code tarballs of their releases... Yet, my understanding is that the current issue only changed the checksum of autogenerated .tar.gz, .tar.zip should not be affected (can anybody confirm?).
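
Added example (not part of the thread and not Conan or GitHub code): when a pinned archive hash stops matching, this sketch triages whether a regenerated `.tar.gz` still carries the same file tree as a cached copy that matches the pinned hash, or whether the content itself changed. The file names, helper names and verdict strings are assumptions, and two gzip levels stand in for a change in how the archive is generated.

```python
import gzip, hashlib, io, tarfile

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_targz(files: dict, level: int) -> bytes:
    """Constructed sample input: pack `files` into a .tar.gz at a given gzip level."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(files[name]), 0
            tar.addfile(info, io.BytesIO(files[name]))
    # mtime=0 pins the gzip header, so only the compression setting differs
    return gzip.compress(raw.getvalue(), compresslevel=level, mtime=0)

def content_digest(targz: bytes) -> str:
    """SHA-256 over member metadata and file bytes; independent of compression.
    Members are read in memory only, nothing is extracted to disk."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(targz), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            h.update(f"{m.name}\0{m.type.decode()}\0{m.mode:o}\0{m.linkname}\0".encode())
            if m.isfile():
                h.update(tar.extractfile(m).read())
    return h.hexdigest()

def triage(pinned_sha256: str, trusted_copy: bytes, downloaded: bytes) -> str:
    """Classify a download against the pinned hash and a cached trusted archive."""
    if sha256(downloaded) == pinned_sha256:
        return "match"
    if sha256(trusted_copy) != pinned_sha256:
        return "no-trusted-baseline"   # cached copy cannot vouch for anything
    if content_digest(downloaded) == content_digest(trusted_copy):
        return "repacked-same-content"
    return "content-changed"

def demo() -> dict:
    tree = {"pkg-1.0/CMakeLists.txt": b"project(pkg)\n" * 40,
            "pkg-1.0/src/main.cpp": b"int main() { return 0; }\n" * 40}
    trusted = make_targz(tree, level=9)      # archive the recipe hash was pinned to
    pinned = sha256(trusted)
    regenerated = make_targz(tree, level=0)  # same tree, different gzip output
    tampered = make_targz({**tree, "pkg-1.0/src/main.cpp": b"int main() { return 1; }\n"}, level=9)
    return {"same": triage(pinned, trusted, trusted),
            "regenerated": triage(pinned, trusted, regenerated),
            "tampered": triage(pinned, trusted, tampered)}

if __name__ == "__main__":
    print(demo())
```

A `repacked-same-content` verdict only says the tree equals the cached baseline; the pinned hash still has to be updated through review, or the recipe pointed at an uploaded release asset.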

ericriff commented 1 year ago

What about projects that don't even do releases?

SpaceIm commented 1 year ago

No hope for these projects.

ericriff commented 1 year ago

The amount of backlash on GitHub is huge. They broke a lot of things with this. Hopefully they roll it back. This comment gets me lol https://github.com/bazel-contrib/SIG-rules-authors/issues/11#issuecomment-1409404725

ericriff commented 1 year ago

yay https://github.com/orgs/community/discussions/45830#discussioncomment-4823799

hizkifw commented 1 year ago

Looks like the rollback is finished, I'm seeing my packages build again.

offa commented 1 year ago

Indeed, it works again.

SpaceIm commented 1 year ago

https://github.com/orgs/community/discussions/46034