Unable to install on Windows - curl mysys2 error

[grab-a-byte]

Using the command from https://www.haskell.org/ghcup/# for windows, I consistently without fail get the error of the following.

...Msys2 doesn't exist, installing into C:\\ghcup\msys64
Starting installation in 5 seconds, this may take a while...
Downloading Msys2 archive 20221216...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
Exception: Exec: Error executing command curl.exe with arguments '-o C:\Users\mrpar\AppData\Local\Temp\\msys2-base-x86_64-20221216.sfx.exe https://repo.msys2.org/distrib/x86_64/msys2-base-x86_64-20221216.sfx.exe'

I found the following on Stack overflow however this doesnt seem to do the trick. https://stackoverflow.com/questions/75018725/cant-update-ghc-on-windows

Really unsure what to do next. I have installed previously on other machines with the Haskell Platform when it was the main way to install with no issues so having to swap to this new experience and having things break is not the greatest

[chreekat]

Does https://www.haskell.org/ghcup/guide/#certificate-authority-errors-curl look like it might be relevant?

[hasufell]

Try: https://www.haskell.org/ghcup/guide/#certificate-authority-errors-curl

[grab-a-byte]

New error now Which states the following

Get-FileWCSynchronous 57.09 MB  00:00:06
Exception: Exec: Error executing command C:\WINDOWS\system32\taskkill.exe with arguments '/F /FI "MODULES eq msys-2.0.dll"'

Happens even when running as Admin

Also curious why this isnt the default command if it's known to cause issues.

[hasufell]

Seems like something is wrong on your machine and e.g. antivirus or windows defender is killing processes (msys2 installation) before it can finish.

[grab-a-byte]

I've disable antivirus and I'm still getting the same error.

[grab-a-byte]

See the above screenshot for the error

[hasufell]

See the above screenshot for the error

I don't see the error here

[grab-a-byte]

All the parts that say error at the start. It does this over and over for about 30 seconds then bombs out failing.

[chreekat]

Those particular messages are red herrings coming from gpg. Don't you love programs that say "error" when there's no error?

[hasufell]

Those seem to be network issues, managed company network, proxy configuration or other stuff.

I'm not sure you'll be able to make stack worl either. What's failing here is pacman installing stuff (part of msys2), which is needed by GHC toolchain.

[ingun37]

I ran into the same problem and fixed by using Powershell 5 instead of 7.

[grab-a-byte]

Is there any way to use the old Haskell Platform to install instead? It seemed a lot more stable than this.

[chreekat]

@parkeradam it sucks that things didn't just work perfectly for you. GHCup is the only decent modern tool for getting set up with a Haskell toolchain. I don't even use it or maintain it, I just know nearly everybody else has great experiences (e.g. this post) so I'm a big fan.

The particular kind of problem you are having has to do with the way your Windows is configured. It will cause a problem no matter what tool you try to use. I would recommend showing your problems to an Windows administrator and asking them for advice. If you figure it out, it would be great to let us know what the problem is, so we can document this particular case and save the next person some frustration. GHCup is optimized for the usual use case, but the goal is to support everybody, no matter their circumstance. Good luck.

[grab-a-byte]

I honestly have no idea what would be causing it. I use Windows 11 Pro with a personal account and I don't have anything changed. I'm not under a policy for anything and I have tried to run as admin also so i'm at an absolute loss as to what could be causing it. It is a shame, hopefully it'll be fixed soon but I also dont understand why there isnt a native toolchain like most other languages i've used (node js, golang, rust, zig, etc etc)

[hasufell]

Is there any way to use the old Haskell Platform to install instead? It seemed a lot more stable than this.

No, the Haskell Platform is discontinued.

You can try following the manual step by step installation guide and then precisely track down which step fails: https://www.haskell.org/ghcup/install/#windows_1

It appears to be pacman... which is part of msys2. This is outside of GHCup's responsibilities. We do not maintain pacman or msys2. We just use it. And so will all other tools that want to use GHC.

[grab-a-byte]

I think i'll leave this then as it's not been as pleasant of a experience as the last time I tried with the Haskell Platform. I appreciate you all trying to help however.

[axman6]

Just to add another data point to this issue, we've just had someone on #haskell on IRC who was running into the same issue. They said they were on Windows 10 Home. They haven't resolved their issue either, but it seems like installations on windows might be somewhat broken because windows doesn't like the haskell.org certificate.

[grab-a-byte]

I've literally reinstalled windows 11 from fresh since I filed this and it seems to have been resolved but I did have to run the install command about 3 times before it actually installed so I do believe there is likely an issue somewhere in the install process.

[ghost]

I got this issue as well. It's complaining about not being able to check the certificate. Since this problem still hasn't been solved, I guess this program is hopeless.

The website was also terrible in explaining how to install it. If I didn't have some background in similar installations, then I wouldn't have even been able to make even an attempt at installing. It really sucks when explanations are crappy.

[hasufell]

I got this issue as well. It's complaining about not being able to check the certificate.

I'm not maintaining those website certificate. There has been recurring issues with it. So the people in power will have to be contacted.

There are ways to ignore faulty certificates. We could have a switch for that.

However, I think I've explained multiple times in this thread that you can disable curl: https://www.haskell.org/ghcup/guide/#certificate-authority-errors-curl

This is documented clearly in the troubleshooting guide.

Since this problem still hasn't been solved, I guess this program is hopeless.

You can use chocolatey instead.

The website was also terrible in explaining how to install it.

This is too vague to have any user report value for me. It's literally a single command. The troubleshooting guide shows you alternative commands.

And finally, there's a very verbose step by step manual installation guide where you can get to the bottom of the issue: https://www.haskell.org/ghcup/install/#manual-installation

So, if you expect me to invest time in this, you should give better info.

I'm an unpaid volunteer.

[ghost]

Yeah, I executed what you wrote and guess what the response was?? The files are infected. There is good a reason why antivirus blocks dowloading this program!!!!!! Thanks a lot for the virusses!!!!

Installing is also not a single command! You've really lost touch with the basics if you can't even understand this fact. It even indicates that you don't really understand what you're actually doing. I had to get help on google as this site was super unclear. Actually write down the steps that you need to do to install the program instead of "claiming" it is a single command.

If you wanna be an unpaid volunteer, then that's your choice. I have nothing to do with it.

[axman6]

@SarahSchrijvers This is an incredibly disrespectful way to interact with anyone, let alone people who want to help you. The root cause of this problem appears to be something Microsoft have done, which can't be worked around easily. I'm sorry that you've run into this issue, you're getting angry at the wrong people. If you have any concrete evidence there is a security problem with what you have downloaded, please share it - antivirus software often has false positives but if somehow something has happened to the artefacts provided by the project I'm sure they would like to inspect them.

If you can provide any more details about what errors you're running into, then maybe we can help. But keep in mind that the developers have no control over how curl operates, and absolutely no control over how Microsoft manage their certificates, and if they have misconfigured them it's outside the developer's control. As you've see above, some people have had success running the command several times - something that indicates this is a very tricky problem to track down and resolve, particularly if they can't replicate if themselves.

Whatever you do, please reconsider your tone, you're talking to human beings who have worked hard to provide you with tools for free, who have friends and family just like you, and don't need some disrespectful person ruining their day by blaming them for problems outside their control.

[hasufell]

The files are infected

Please report that to the msys2 developers: https://www.msys2.org/contact/

It happens very frequently that windows antivirus flags programs incorrectly. This has happened before in other cases and it was usually resolved by reporting it to Microsoft.

Thanks a lot for the virusses!!!!

GHCup is affiliated with the Haskell Foundation and as such also collaborates with the Haskell Security Response team.

I can ask @frasertweedale from that team to look into this, but I'm pretty certain this is either an issue with msys2 or antivirus flagging files incorrectly. GHCup is used in thousands of CIs, including github actions and their virtual images. If it would install viruses, this wouldn't have gone unnoticed.

One way forward could be to host msys2 tarballs on our own servers and verify the hashes properly (which we unfortunately don't do for msys2, since it used to point to a mutable tarball). I'll do that shortly.

Installing is also not a single command! You've really lost touch with the basics if you can't even understand this fact.

You are right, it's technically two, in one line. Does that bother you? Why does it matter? What did you actually do?

If you wanna be an unpaid volunteer, then that's your choice. I have nothing to do with it.

No, I think I don't want, so if you need further assistance, please donate first.

[hasufell]

One way forward could be to host msys2 tarballs on our own servers and verify the hashes properly (which we unfortunately don't do for msys2, since it used to point to a mutable tarball). I'll do that shortly.

Done:

• https://github.com/haskell/ghcup-hs/pull/857
• script updated: https://haskell.org/ghcup/sh/bootstrap-haskell.ps1
• https://downloads.haskell.org/~ghcup/msys2/
  • you can cross-check it with the upstream gpg signature... the key is documented here

[hasufell]

I also opened an audit request for GHCup download practices: https://github.com/haskell/ghcup-hs/issues/858

[ghost]

@axmant6 Nothing what I said was disrespectful. I didn't even insult anyone. I'm completely justified to react in this way. I will not be bullied by people, even online.

The way that this program needs to be downloaded isn't normal for windows and it is even less normal that you should have to turn your antivirus off to download it.

You also haven't had to experience the consequences of trying to download your program. My laptop has started constantly freezing up or even crashing, which it never did before I downloaded your program. You know full well that I won't be able to prove this program caused it, besides knowing the issues started once I downloaded the program (maybe a computer expert could prove it, but I have no idea).

I also wouldn't even make such of an issue of it if I didn't need the program for a class at college. I've tried many alternatives, but it always comes down to the same fact: I need the file that I can't download and that my antivirus blocked due to being infected. It's a really sucky prospect that I'm gonna fail a class at college due to not being able to download the computer program needed to complete the course.

[frasertweedale]

Yeah nah, you were quite disrespectful @Anubisnien. You seem to be facing a high pressure and stressful situation, but that does not excuse your attitude.

If you did not already try, perhaps set up a Linux virtual machine in which to do your Haskell work. Then your antivirus would (I guess) not have cause to complain.

[axman6]

@axmant6 Nothing what I said was disrespectful. I didn't even insult anyone. I'm completely justified to react in this way. I will not be bullied by people, even online.

The way that this program needs to be downloaded isn't normal for windows and it is even less normal that you should have to turn your antivirus off to download it.

You also haven't had to experience the consequences of trying to download your program. My laptop has started constantly freezing up or even crashing, which it never did before I downloaded your program. You know full well that I won't be able to prove this program caused it, besides knowing the issues started once I downloaded the program (maybe a computer expert could prove it, but I have no idea).

I also wouldn't even make such of an issue of it if I didn't need the program for a class at college. I've tried many alternatives, but it always comes down to the same fact: I need the file that I can't download and that my antivirus blocked due to being infected. It's a really sucky prospect that I'm gonna fail a class at college due to not being able to download the computer program needed to complete the course.

I'm not going to address all this other than to say: it's not my program, I'm literally only here to help you and others. Also, the community of people teaching Haskell is very small, and we likely know who your lecturer is. There's a pretty good chance they might see this interaction you're having with people in their community. Perhaps rather than making baseless accusations, you could actually share some details, or talk to your lecturer and ask them for help. Fraser's suggestion of using a Linux virtual machine is a good one, if you need references for how to do that, just ask.

Lastly, if you don't think that your behaviour here has been disrespectful, you need to sit down and reevaluate how you interact with other people. I understand you're frustrated, we are here to help you if you show the respect we deserve - you wouldn't behave this way in person, so don't do it online, or you'll find the internet a very lonely place, and no will want to help you.

[hasufell]

Thanks for the support, but as an end-user facing tool maintainer, I'm quite used to negative irrational feedback.

There's one thing that's probably true here, though:

The way that this program needs to be downloaded isn't normal for windows

Ultimately, we really want an .msi installer or something like that. But that's not something I'm going to work on without getting paid or serious boredom.

[chreekat]

It seems clear that (a) msys and/or sloppy intermediate certificate authorities make installing ghcup fail for some people, some of the time (b) a nicer Windows-native install mechanism would be ideal (c) such a thing must wait for some kind of patronage to provide the necessary support.

I am not sure this particular issue needs to stay open to reflect this situation, given the flamey messages sent by now-deleted users that litter the comments. Alternatively, a maintainer/mod should delete them as off topic.

[shin0kaze]

I have the same issue. Maybe somewhere is already downloaded version in zip? Just wanted to give it a try. :(

[mpilgrem]

Sharing my experience on a new Windows 11 laptop:

• The installation of GHCup fails after Starting GHC installer... in the 'MinGW x64' dialog with:

  curl: (60) SSL certificate problem: unable to get local issuer certificate
  More details here: https://curl.se/docs/sslcerts.html
  
  curl failed to verify the legitimacy of the server and therefore could not
  establish a secure connection to it. To learn more about this situation and
  how to fix it, please visit the web page mentioned above.
  "curl -Lf https://downloads.haskell.org/~ghcup/0.1.22.0/x86_64-mingw64-ghcup-0.1.22.0.exe" failed!
  cat: 'https'$'\357\200\272''/www.haskell.org/ghcup/sh/bootstrap-haskell': No such file or directory

• Following https://www.haskell.org/ghcup/guide/#certificate-authority-errors-curl and On windows, you can disable curl like so:, the installation of GHCup fails after Starting GHC installer... in the 'MinGW x64' dialog with:

  --2024-07-04 14:32:54--  https://downloads.haskell.org/~ghcup/0.1.22.0/x86_64-mingw64-ghcup-0.1.22.0.exe
  Loaded CA certificate '/usr/ssl/certs/ca-bundle.crt'
  Resolving downloads.haskell.org (downloads.haskell.org)... 146.112.252.199, 146.112.56.250, 146.112.56.13, ...
  Connecting to downloads.haskell.org (downloads.haskell.org)|146.112.252.199|:443... connected.
  ERROR: The certificate of ‘downloads.haskell.org’ is not trusted.
  ERROR: The certificate of ‘downloads.haskell.org’ doesn't have a known issuer.
  "wget -O /dev/stdout https://downloads.haskell.org/~ghcup/0.1.22.0/x86_64-mingw64-ghcup-0.1.22.0.exe" failed!
  cat: 'https'$'\357\200\272''/www.haskell.org/ghcup/sh/bootstrap-haskell': No such file or directory

• After manually downloading https://downloads.haskell.org/ghcup/0.1.22.0/x86_64-mingw64-ghcup-0.1.22.0.exe as C:\ghcup\bin\ghcup.exe, ghcup list fails with:

  curl: (35) schannel: next InitializeSecurityContext failed: CRYPT_E_NO_REVOCATION_CHECK (0x80092012) - The revocation function was unable to check revocation for the certificate.
  [ Warn  ] Could not get download info, trying cached version (this may not be recent!)
  [ ...   ] If this problem persists, consider switching downloader via:
  [ ...   ]     ghcup config set downloader Wget

• After setting ghcup config set downloader Wget, ghcup list fails with:

  [ Info  ] downloading: https://raw.githubusercontent.com/haskell/ghcup-metadata/master/ghcup-0.0.8.yaml as file C:\ghcup\cache\ghcup-0.0.8.yaml
  [ Warn  ] Could not get download info, trying cached version (this may not be recent!)
  [ ...   ] If this problem persists, consider switching downloader via:
  [ ...   ]     ghcup config set downloader Curl

• After manually downloading https://raw.githubusercontent.com/haskell/ghcup-metadata/master/ghcup-0.0.8.yaml as C:\ghcup\cache\ghcup-0.0.8.yaml, ghcup list fails with:

  [ Info  ] downloading: https://downloads.haskell.org/~ghcup/shimgen/shim-2.exe as file C:\ghcup\cache\gs.exe
  --2024-07-04 14:45:55--  https://downloads.haskell.org/~ghcup/shimgen/shim-2.exe
  Loaded CA certificate '/usr/ssl/certs/ca-bundle.crt'
  Resolving downloads.haskell.org (downloads.haskell.org)... 146.112.56.172, 146.112.56.6, 146.112.252.237, ...
  Connecting to downloads.haskell.org (downloads.haskell.org)|146.112.56.172|:443... connected.
  ERROR: The certificate of 'downloads.haskell.org' is not trusted.
  ERROR: The certificate of 'downloads.haskell.org' doesn't have a known issuer.

• After manually downloading https://downloads.haskell.org/~ghcup/shimgen/shim-2.exe as C:\ghcup\cache\gs.exe, ghcup list works. ghcup install hls 2.9.0.0 then fails with:

  [ Info  ] verifying digest of: gs.exe
  [ Info  ] downloading: https://downloads.haskell.org/~ghcup/unofficial-bindists/haskell-language-server/2.9.0.0/haskell-language-server-2.9.0.0-x86_64-mingw64.zip as file C:\ghcup\tmp\ghcup-75ca716de5021f46\haskell-language-server-2.9.0.0-x86_64-mingw64.zip
  --2024-07-04 14:49:24--  https://downloads.haskell.org/~ghcup/unofficial-bindists/haskell-language-server/2.9.0.0/haskell-language-server-2.9.0.0-x86_64-mingw64.zip
  Loaded CA certificate '/usr/ssl/certs/ca-bundle.crt'
  Resolving downloads.haskell.org (downloads.haskell.org)... 146.112.56.250, 146.112.252.199, 146.112.252.226, ...
  Connecting to downloads.haskell.org (downloads.haskell.org)|146.112.56.250|:443... connected.
  ERROR: The certificate of 'downloads.haskell.org' is not trusted.
  ERROR: The certificate of 'downloads.haskell.org' doesn't have a known issuer.

(By way of context, stack works as expected.)

EDIT: I think I have found a solution by reference to https://www.msys2.org/docs/faq/ and https://stackoverflow.com/a/70398349. stack exec -- wget https://downloads.haskell.org/~ghcup/shimgen/shim-2.exe was not working in the same way as above. I then:

1. opened https://downloads.haskell.org in a browser and, via the HTTPS 'padlock', exported each of the *.crt files in the Certificate Hierarchy to the Stack-supplied MSYS2 \etc\pki\ca-trust\source\anchors directory; and
2. in a Stack-supplied MSYS2 MSYS shell window, ran update-ca-trust.

Now, stack exec -- wget https://downloads.haskell.org/~ghcup/shimgen/shim-2.exe works - and so does ghcup list and ghcup install hls 2.9.0.0.

[hasufell]

Wow, that's a horrible user experience.

I don't understand why haskell.org certificates are constantly causing problems.

I'll be evaluating on moving GHCup elsewhere (or rather providing mirrors), but let's see what haskell.org has to say first.

@davean @tomjaguarpaw

[frasertweedale]

fraser% echo | openssl s_client -connect downloads.haskell.org:443 |head -n 10
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2024 Q2
verify return:1
depth=0 CN = *.haskell.org
verify return:1
CONNECTED(00000004) 
---
Certificate chain
 0 s:CN = *.haskell.org
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2024 Q2
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2024 Q2
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----

The user's system or their msys2 distribution lacks trust in GlobalSign for whatever reason. Depending on their environment, it could be a corporate policy or political situation. @mpilgrem are you able to provide more context about your network / corporate environment (e.g. are you joined to an AD domain that controls CA trust policy via Group Policy) or the origin of the Windows build you are using?

[chreekat]

It also looks like the cert was refreshed on 2 July June. If that overlaps with the time of test, maybe there were some downtime or propagation issues.

$ echo | openssl s_client -connect downloads.haskell.org:443 | head -n 14
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2024 Q2
verify return:1
depth=0 CN = *.haskell.org
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = *.haskell.org
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2024 Q2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun  2 16:50:15 2024 GMT; NotAfter: Jul  4 16:50:14 2025 GMT
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2024 Q2
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 17 03:24:32 2024 GMT; NotAfter: Jan 17 00:00:00 2026 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
DONE

(and apparently my openssl displays the expiries by default)

[chreekat]

Sorry, I can't read. It was refreshed on 2 June. So that's likely a red herring.

[tomjaguarpaw]

I got this issue as well. It's complaining about not being able to check the certificate.

I'm not maintaining those website certificate. There has been recurring issues with it.

I was not aware of these issues. Have we collected a list of issues where the certificate of a site under haskell.org was at fault?

[mpilgrem]

@hasufell, @frasertweedale, @chreekat, I don't consider the experience to be "GHCup's fault" or "haskell.org's fault". Rather, it is explained by the MSYS2 documentation at https://www.msys2.org/docs/faq/. I plan to raise a pull request to add to GHCup's documentation. MSYS2's documentation explains:

• OpenSSL in MSYS2 does not integrate with the Windows system's CA store;
• some organisations install their own custom CA certificate onto the Windows system (so that man-in-the-middle connections are marked as secure); and
• in those cases, the certificates in question have to be identified and then added and trusted 'manually' in the MSYS2 environment.

My new laptop in question was being used in such circumstances. (I did not appreciate that was a possibility until I searched more widely.)

[hasufell]

@mpilgrem so any request via curl/wget will fail in msys2?

[mpilgrem]

@hasufell, I am not an expert in these matters, but I think that is correct unless something is passed to the MSYS2-supplied curl or wget that causes those tools to ignore CA certificates (which would be undesirable). EDIT: Personally, I think that what I experienced can be '90% fixed' by 'documentation', if GHCup is willing to take the time to explain things to its users in terms that technically-inexperienced users can follow. I add the 'in terms that...' because 'CA certificates' as a topic can be daunting.

[Bodigrim]

Sharing my experience on a new Windows 11 laptop: ...

FWIW I had the similar experience on Windows and heard from others the same. I ended up recompiling ghcup to run curl --insecure instead of plain curl. Yes, this is not a ghcup fault proper, rather an underconfigured MSYS, but an escape hatch in ghcup would be very handy.

[frasertweedale]

FWIW I had the similar experience on Windows and heard from others the same. I ended up recompiling ghcup to run curl --insecure instead of plain curl. Yes, this is not a ghcup fault proper, rather an underconfigured MSYS, but an escape hatch in ghcup would be very handy.

:grimacing: I really urge against that, or at least have an uncomfortable amount of very loud warnings / confirmations, if we can't get to a robust solution soon.

[hasufell]

to run curl --insecure instead of plain curl

export GHCUP_CURL_OPTS="--insecure"