Mismatch in SHA256 of CPPTOML package

[GaNiziolek]

I am building watchman from source in a docker image.

FROM ubuntu:22.04

RUN apt update && \
    apt install -y \
        git \
        curl \
        cargo \
        python3 \
        libssl-dev \
        g++ \
        extra-cmake-modules

RUN curl -L https://api.github.com/repos/facebook/watchman/tarball | tar xzvf - --one-top-level="watchman" --strip-components 1    

WORKDIR /watchman

RUN ./install-system-packages.sh 
RUN ./autogen.sh 
RUN mkdir -p /usr/local/{bin,lib} /usr/local/var/run/watchman 
RUN cp built/bin/* /usr/local/bin
RUN cp built/lib/* /usr/local/lib || true
RUN chmod 755 /usr/local/bin/watchman
RUN chmod 2777 /usr/local/var/run/watchman
RUN rm -rf /tmp/*

but this give me an error in the RUN ./autogen.sh step:

+ PREFIX=/usr/local
+ python3 build/fbcode_builder/getdeps.py build --allow-system-packages --src-dir=. --project-install-prefix=watchman:/usr/local watchman
Building on {distro=ubuntu, distro_vers=22.04, fb=off, fbsource=off, os=linux, shared_libs=off, test=on}
Testing ENV[BOOST_ROOT_1_69_0]: None
Assessing cpptoml...
Download with https://github.com/chadaustin/cpptoml/archive/refs/tags/v0.1.2.tar.gz -> /tmp/fbcode_builder_getdeps-ZwatchmanZbuildZfbcode_builder-root/downloads/cpptoml-v0.1.2.tar.gz ...
 downloading 47413 of (Unknown)  [Complete in 0.625771 seconds]
Access-Control-Allow-Origin: https://render.githubusercontent.com
content-disposition: attachment; filename=cpptoml-0.1.2.tar.gz
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/x-gzip
ETag: "2ef91305ef2e2d46b1f75a1735b92ff36574b5abae2307d5dcf7c036e24f45eb"
Strict-Transport-Security: max-age=31536000
Vary: Authorization,Accept-Encoding,Origin
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
Date: Mon, 30 Jan 2023 19:20:22 GMT
Transfer-Encoding: chunked
X-GitHub-Request-Id: 9484:1D02:08ED:1B00:63D81876
connection: close

Traceback (most recent call last):
  File "/watchman/build/fbcode_builder/getdeps.py", line 1283, in <module>
    sys.exit(main())
  File "/watchman/build/fbcode_builder/getdeps.py", line 1266, in main
    return args.func(args)
  File "/watchman/build/fbcode_builder/getdeps.py", line 109, in run
    self.run_project_cmd(args, loader, manifest)
  File "/watchman/build/fbcode_builder/getdeps.py", line 577, in run_project_cmd
    reconfigure, sources_changed = self.compute_source_change_status(
  File "/watchman/build/fbcode_builder/getdeps.py", line 714, in compute_source_change_status
    change_status = fetcher.update()
  File "/watchman/build/fbcode_builder/getdeps/fetcher.py", line 809, in update
    self._download()
  File "/watchman/build/fbcode_builder/getdeps/fetcher.py", line 773, in _download
    self._verify_hash()
  File "/watchman/build/fbcode_builder/getdeps/fetcher.py", line 759, in _verify_hash
    raise Exception(
Exception: https://github.com/chadaustin/cpptoml/archive/refs/tags/v0.1.2.tar.gz: expected sha256 beda37e94f9746874436c8090c045fd80ae6f8a51f7c668c932a2b110a4fc277 but got 7e1acacc622a60aa7955c9d53cfbcb66e6787ccc3e3233418a4b810d06de8a1c

I have checked the SHA256 sum and surprisingly i got 2 sums:

$ curl -s https://github.com/chadaustin/cpptoml/archive/refs/tags/v0.1.2.tar.gz | sha256sum
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  -

and with the L flag

$ curl -sL https://github.com/chadaustin/cpptoml/archive/refs/tags/v0.1.2.tar.gz | sha256sum
7e1acacc622a60aa7955c9d53cfbcb66e6787ccc3e3233418a4b810d06de8a1c  -

In the help of the CURL command says that -L flag follow the redirects in the URL

$ curl --help all | grep '\-L'
 -L, --location           Follow redirects

but it is curious that in the manifest file of cpptoml (watchman/build/fbcode_builder/manifests/cpptoml) package is informed another SHA256 HASH

[download]
url = https://github.com/chadaustin/cpptoml/archive/refs/tags/v0.1.2.tar.gz
sha256 = beda37e94f9746874436c8090c045fd80ae6f8a51f7c668c932a2b110a4fc277

So we have 3 hashes for the same file:

• beda37e94f9746874436c8090c045fd80ae6f8a51f7c668c932a2b110a4fc277 -> informed in the manifest of the package

• e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 -> CURL

• 7e1acacc622a60aa7955c9d53cfbcb66e6787ccc3e3233418a4b810d06de8a1c -> CURL with the -L flag

How has this never thrown an error before?

[fanzeyi]

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 is empty hash.

$ printf '' | gsha256sum
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

I still get beda37e94f9746874436c8090c045fd80ae6f8a51f7c668c932a2b110a4fc277 when I run:

$ curl -sL https://github.com/chadaustin/cpptoml/archive/refs/tags/v0.1.2.tar.gz | gsha256sum
beda37e94f9746874436c8090c045fd80ae6f8a51f7c668c932a2b110a4fc277 -

You may want to check your network environment.