jekyll / jekyll-sitemap

Jekyll plugin to silently generate a sitemaps.org compliant sitemap for your Jekyll site
http://rubygems.org/gems/jekyll-sitemap
MIT License

Bundler cannot continue installing jekyll-sitemap #165

Closed t-richards closed 7 years ago

t-richards commented 7 years ago

I'm trying to install v1.1.0 via Bundler. This is my Gemfile:

source "https://rubygems.org"
gem "jekyll-sitemap", "~> 1.1.0"

When running $ bundle install, Bundler produces a long scary error message in red and prevents me from installing the gem:

Installing jekyll-sitemap 1.1.0
Bundler cannot continue installing jekyll-sitemap (1.1.0).
The checksum for the downloaded `jekyll-sitemap-1.1.0.gem` does not match the
checksum given by the server. This means the contents of the downloaded gem is
different from what was uploaded to the server, and could be a potential
security issue.

To resolve this issue:
1. delete the downloaded gem located at:
`/home/tom/.gem/ruby/2.4.0/gems/jekyll-sitemap-1.1.0/jekyll-sitemap-1.1.0.gem`
2. run `bundle install`

If you wish to continue installing the downloaded gem, and are certain it does
not pose a security issue despite the mismatching checksum, do the following:
1. run `bundle config disable_checksum_validation true` to turn off checksum
verification
2. run `bundle install`

(More info: The expected SHA256 checksum was
"97e56adea99ebf8ea2d23703782fe5befde354859c2a4846b6429c62fad8ce9c", but the
checksum for the downloaded gem was
"9f656952f621332ad0a4b5394b8a284fde9d17d4087923ab1c49bb231a1241ae".)

I have tried removing the cached .gem file and uninstalling all versions, but this does not solve the problem.

Installing directly via gem is successful, however.

$ gem install jekyll-sitemap -v 1.1.0
Fetching: jekyll-sitemap-1.1.0.gem (100%)
Successfully installed jekyll-sitemap-1.1.0
Parsing documentation for jekyll-sitemap-1.1.0
Installing ri documentation for jekyll-sitemap-1.1.0
Done installing documentation for jekyll-sitemap after 0 seconds
1 gem installed

JoiW commented 7 years ago

Just had the exact same problem occur and same error message, was fine yesterday.

garethjohnsdesign commented 7 years ago

I'm getting the same issue here too, tried the workaround but doesn't seem to work.

benbalter commented 7 years ago

@pathawks think this was your release... any idea what's up?

pathawks commented 7 years ago

No idea. I can try to cut a new Gem tonight and try again :shrug:

reefdog commented 7 years ago

That'd be great, @pathawks. Getting this too.

parkr commented 7 years ago

I just pushed up v1.1.1 which has the SHA256 checksum e2dacd4bb0a4decbc7d20c9ee700b6bfa642fd219354177b3afbce4f2674e83a both online and when downloaded.

pathawks commented 7 years ago

Thanks @parkr

dwradcliffe commented 7 years ago

👋 Hey there,

v1.1.0 should work again too.

The root cause for this is a bug in RubyGems.org combined with the way you have Travis publishing the gems. Each job in the Travis build will attempt to push the same gem and when they finish at the same time there's a race condition where one gem file is saved and the sha from the other one is saved. Full details are in that issue.

This is totally our fault but you can prevent this from happening again by only trying to publish the gem from one of the Travis jobs. (You can add a condition like this).

And just to be clear this was not a security issue and the gem was not tampered with. I've gone back and fixed v1.1.0 so the SHA matches and users won't see the warning anymore.
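
The race described in the comment above, as an added example that is not part of the thread and is not RubyGems.org or Bundler code. It uses a toy registry that stores a gem file and its SHA256 in separate steps, so two interleaved pushes of non-identical builds leave a file and a checksum that no longer match. `ToyRegistry`, the method names and the job payloads are assumptions made for illustration.

```ruby
require "digest"

# Simplified model (assumption for illustration, not RubyGems.org code): the
# file and its SHA256 are saved in separate steps; last writer of each wins.
class ToyRegistry
  attr_reader :file, :sha256

  def store_file(bytes)
    @file = bytes
  end

  def store_sha(bytes)
    @sha256 = Digest::SHA256.hexdigest(bytes)
  end
end

# Client-side check of the kind Bundler reports on: hash the downloaded
# bytes and compare them with the checksum the server advertises.
def verify_download(registry)
  actual = Digest::SHA256.hexdigest(registry.file)
  { ok: actual == registry.sha256, expected: registry.sha256, actual: actual }
end

# Constructed stand-ins for two CI jobs' builds, assumed not byte-identical.
BUILD_JOB_A = "jekyll-sitemap-1.1.0 packaged by job A".b
BUILD_JOB_B = "jekyll-sitemap-1.1.0 packaged by job B".b

# Both jobs push at once and their two steps interleave.
def racy_publish
  reg = ToyRegistry.new
  reg.store_file(BUILD_JOB_A) # job A saves its file
  reg.store_file(BUILD_JOB_B) # job B overwrites the file
  reg.store_sha(BUILD_JOB_B)  # job B saves its checksum
  reg.store_sha(BUILD_JOB_A)  # job A overwrites the checksum
  reg
end

# Mitigation suggested in the thread: only one job publishes.
def single_job_publish
  reg = ToyRegistry.new
  reg.store_file(BUILD_JOB_A)
  reg.store_sha(BUILD_JOB_A)
  reg
end

if __FILE__ == $PROGRAM_NAME
  puts "racy push verifies:       #{verify_download(racy_publish)[:ok]}"
  puts "single-job push verifies: #{verify_download(single_job_publish)[:ok]}"
end
```

In the racy case the stored file comes from job B while the advertised checksum comes from job A, which is the shape of the mismatch a client would see even though neither build was tampered with.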

parkr commented 7 years ago

@dwradcliffe Thank you so much for looking into that for us! I think having a dedicated Travis build for pushing gems would make sense to avoid this race. @pathawks, would you be able to tackle that work? Thank you again! ❤️

jekyllbot commented 7 years ago

This issue has been automatically marked as stale because it has not been commented on for at least two months.

The resources of the Jekyll team are limited, and so we are asking for your help.

If this is a bug and you can still reproduce this error on the master branch, please reply with all of the information you have about it in order to keep the issue open.

If this is a feature request, please consider whether it can be accomplished in another way. If it cannot, please elaborate on why it is core to this project and why you feel more than 80% of users would find this beneficial.

This issue will automatically be closed in two months if no further activity occurs. Thank you for all your contributions.

pathawks commented 7 years ago

> would you be able to tackle that work?

If I can find some time, I would very much like to fix this :+1:

parkr commented 7 years ago

:ok_hand: thanks!