Checksum of yanked version causing crate download to fail #11412

@tomb-msft

Description

Problem

The package ndk-sys has a latest version 0.4.0 and a more recent yanked version 0.4.0+25.0.8775105. Cargo is downloading the 0.4.0 crate, but comparing the hash with the checksum of the yanked version, and therefore failing with a "failed to verify checksum of ndk-sys v0.4.0" error.

It seems to be a sporadic issue - sometimes the download will complete successfully, sometimes it will fail due to the checksum not matching.

This happens even though the lockfile has the correct version and checksum for v0.4.0.

Checksum of 0.4.0: 21d83ec9c63ec5bf950200a8e508bdad6659972187b625469f58ef8c08e29046
Checksum of 0.4.0+25.0.8775105: f74ddd54b7da8d38d399faf43472ac9759f1a028a45c83154bff603e0f56385a

Steps

  1. Create a new binary package with cargo init.
  2. Add ndk-sys v0.4.0 to the package's dependencies:
    [dependencies]
    ndk-sys = "0.4.0"
    
  3. Clear your Cargo cache:
    cargo install cargo-cache && cargo cache --remove-dir registry-crate-cache
    
  4. Fetch the dependencies for the new crate:
    cargo fetch
    
  5. Cargo will (sometimes) fail with the error:
    error: failed to verify the checksum of `ndk-sys v0.4.0`
    
  6. Verify that the lockfile has version 0.4.0 and checksum 21d83ec9c63ec5bf950200a8e508bdad6659972187b625469f58ef8c08e29046

You might need to repeat steps 3 and 4 a few times.

Possible Solution(s)

No response

Notes

As far as I can tell it's not a crates.io issue. The download can fail multiple times then sporadically start working without a crates.io index update, and with identical .crate files being downloaded (checked with a proxy).

I added some logging to Cargo which was how I validated it was using the checksum of the yanked version:

diff --git a/src/cargo/sources/registry/download.rs b/src/cargo/sources/registry/download.rs
index cc39d7c11..6f35fb9e1 100644
--- a/src/cargo/sources/registry/download.rs
+++ b/src/cargo/sources/registry/download.rs
@@ -84,6 +84,10 @@ pub(super) fn finish_download(
 ) -> CargoResult<File> {
     // Verify what we just downloaded
     let actual = Sha256::new().update(data).finish_hex();
+
+    println!("actual sha256: {}", actual);
+    println!("expected sha256: {}", checksum);
+
     if actual != checksum {
         anyhow::bail!("failed to verify the checksum of `{}`", pkg)
     }
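Review bot: the two `println!` calls carry no package name and go to stdout, so when several downloads finish close together the trace cannot be tied to the `ndk-sys` download and it mixes with Cargo's normal output; print `pkg` (already in scope for the `bail!` just below) with the hashes and use `eprintln!` instead, e.g. `eprintln!("{}: actual sha256 {} expected {}", pkg, actual, checksum);`.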

Version

cargo 1.65.0 (4bc8f24d3 2022-10-20)
release: 1.65.0
commit-hash: 4bc8f24d3e899462e43621aab981f6383a370365
commit-date: 2022-10-20
host: x86_64-unknown-linux-gnu
libgit2: 1.5.0 (sys:0.15.0 vendored)
libcurl: 7.83.1-DEV (sys:0.4.55+curl-7.83.1 vendored ssl:OpenSSL/1.1.1q)
os: Ubuntu 20.04 (focal) [64-bit]
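The issue's labels point at semver version matching. The following is an added example, not Cargo's own code and not a claim about the actual root cause of this report: it shows that under semver precedence rules a version that differs only in build metadata (`0.4.0+25.0.8775105`) compares and hashes equal to `0.4.0`, so any table keyed on the parsed version rather than on the exact index entry hands back whichever entry was inserted last, here the yanked one, and the download then fails exactly the way the report describes. The `INDEX` table, its field layout and the function names are constructed for this illustration; the two checksums are the ones quoted above.

```rust
use std::cmp::Ordering;
use std::collections::HashMap;
use std::hash::{Hash, Hasher};

/// The two checksums quoted in the report.
const GOOD_SUM: &str = "21d83ec9c63ec5bf950200a8e508bdad6659972187b625469f58ef8c08e29046";
const YANKED_SUM: &str = "f74ddd54b7da8d38d399faf43472ac9759f1a028a45c83154bff603e0f56385a";

/// Constructed stand-in for the two ndk-sys 0.4.x index entries: (version, checksum, yanked).
/// This layout is an assumption for the example, not the registry index format.
const INDEX: &[(&str, &str, bool)] = &[
    ("0.4.0", GOOD_SUM, false),
    ("0.4.0+25.0.8775105", YANKED_SUM, true),
];

/// Minimal semver version; `build` is carried along but, per the spec, never takes
/// part in precedence, equality or hashing.
#[derive(Debug, Clone)]
struct Version {
    major: u64,
    minor: u64,
    patch: u64,
    pre: Option<String>,
    build: Option<String>,
}

impl Version {
    fn parse(s: &str) -> Option<Version> {
        let (rest, build) = match s.split_once('+') {
            Some((r, b)) => (r, Some(b.to_string())),
            None => (s, None),
        };
        let (core, pre) = match rest.split_once('-') {
            Some((c, p)) => (c, Some(p.to_string())),
            None => (rest, None),
        };
        let mut nums = core.split('.').map(|p| p.parse::<u64>().ok());
        let major = nums.next()??;
        let minor = nums.next()??;
        let patch = nums.next()??;
        if nums.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch, pre, build })
    }

    /// Everything that counts for semver precedence; `build` is deliberately absent.
    fn precedence_key(&self) -> (u64, u64, u64, Option<&str>) {
        (self.major, self.minor, self.patch, self.pre.as_deref())
    }
}

impl PartialEq for Version {
    fn eq(&self, other: &Self) -> bool { self.precedence_key() == other.precedence_key() }
}
impl Eq for Version {}
impl Hash for Version {
    fn hash<H: Hasher>(&self, state: &mut H) { self.precedence_key().hash(state); }
}
impl PartialOrd for Version {
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> { Some(self.cmp(other)) }
}
impl Ord for Version {
    fn cmp(&self, other: &Self) -> Ordering {
        let core = (self.major, self.minor, self.patch).cmp(&(other.major, other.minor, other.patch));
        match (core, &self.pre, &other.pre) {
            (Ordering::Equal, None, None) => Ordering::Equal,
            (Ordering::Equal, None, Some(_)) => Ordering::Greater, // a release outranks its pre-releases
            (Ordering::Equal, Some(_), None) => Ordering::Less,
            (Ordering::Equal, Some(a), Some(b)) => a.cmp(b), // simplified identifier comparison
            (c, _, _) => c,
        }
    }
}

/// Lookup keyed on the parsed version: both entries hash and compare equal, so the
/// later (yanked) entry silently replaces the first one.
fn checksum_by_parsed_version(requested: &str) -> Option<&'static str> {
    let mut table: HashMap<Version, &'static str> = HashMap::new();
    for (vers, sum, _yanked) in INDEX {
        table.insert(Version::parse(vers)?, *sum);
    }
    table.get(&Version::parse(requested)?).copied()
}

/// Lookup keyed on the exact index entry, skipping yanked versions.
fn checksum_by_exact_entry(requested: &str) -> Option<&'static str> {
    INDEX
        .iter()
        .find(|(vers, _, yanked)| *vers == requested && !*yanked)
        .map(|(_, sum, _)| *sum)
}

/// The check from download.rs restated: reject the download unless the hash of the
/// downloaded bytes matches the checksum expected for the package.
fn verify_download(actual_sha256: &str, expected_sha256: &str) -> Result<(), String> {
    if actual_sha256 == expected_sha256 {
        Ok(())
    } else {
        Err(format!("failed to verify the checksum: expected {expected_sha256}, got {actual_sha256}"))
    }
}

fn main() {
    let actual = GOOD_SUM; // sha256 of the .crate that was actually downloaded
    let yanked = Version::parse("0.4.0+25.0.8775105").unwrap();
    println!("build metadata {:?} ignored: 0.4.0 == yanked entry is {}",
             yanked.build.as_deref(), Version::parse("0.4.0").unwrap() == yanked);
    for (how, expected) in [
        ("parsed-version key", checksum_by_parsed_version("0.4.0")),
        ("exact-entry key", checksum_by_exact_entry("0.4.0")),
    ] {
        println!("{how}: {:?}", verify_download(actual, expected.unwrap_or("<missing>")));
    }
}
```

With the parsed-version table the lookup for `0.4.0` yields the yanked entry's checksum and `verify_download` rejects the good `.crate`; with the exact-entry lookup it yields the checksum that `Cargo.lock` records and the download passes. The practical check for a consumer is the one the report already applies in step 6: compare the checksum Cargo complains about against the one pinned in the lockfile, which is the value a build should be trusting.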

Labels

A-registries (Area: registries), A-semver (Area: semver specifications, version matching, etc.), C-bug (Category: bug), S-needs-mentor (Status: Issue or feature is accepted, but needs a team member to commit to helping and reviewing.)