boost: Error installing boost Verification checksum was incorrect

Ok, created a simple patch for this for RN 0.73.1, but everyone could do this

1. Install patch-package:

   npm install --save-dev patch-package postinstall-postinstall
   

2. Modify boost.podspec:

change

# Copyright (c) Meta Platforms, Inc. and affiliates.
#
# This source code is licensed under the MIT license found in the
# LICENSE file in the root directory of this source tree.

Pod::Spec.new do |spec|
  spec.name = 'boost'
  spec.version = '1.83.0'
  spec.license = { :type => 'Boost Software License', :file => "LICENSE_1_0.txt" }
  spec.homepage = 'http://www.boost.org'
  spec.summary = 'Boost provides free peer-reviewed portable C++ source libraries.'
  spec.authors = 'Rene Rivera'
  spec.source = { :http => 'https://boostorg.jfrog.io/artifactory/main/release/1.83.0/source/boost_1_83_0.tar.bz2',
                  :sha256 => '6478edfe2f3305127cffe8caf73ea0176c53769f4bf1585be237eb30798c3b8e' }

  # Pinning to the same version as React.podspec.
  spec.platforms = min_supported_versions
  spec.requires_arc = false

  spec.module_name = 'boost'
  spec.header_dir = 'boost'
  spec.preserve_path = 'boost'
end

to

# Copyright (c) Meta Platforms, Inc. and affiliates.
#
# This source code is licensed under the MIT license found in the
# LICENSE file in the root directory of this source tree.

Pod::Spec.new do |spec|
  spec.name = 'boost'
  spec.version = '1.83.0'
  spec.license = { :type => 'Boost Software License', :file => "LICENSE_1_0.txt" }
  spec.homepage = 'http://www.boost.org'
  spec.summary = 'Boost provides free peer-reviewed portable C++ source libraries.'
  spec.authors = 'Rene Rivera'
  # Patched due to issue https://github.com/boostorg/boost/issues/843
  spec.source = { :http => 'https://sourceforge.net/projects/boost/files/boost/1.83.0/boost_1_83_0.tar.bz2',
                  :sha256 => '6478edfe2f3305127cffe8caf73ea0176c53769f4bf1585be237eb30798c3b8e' }

  # Pinning to the same version as React.podspec.
  spec.platforms = min_supported_versions
  spec.requires_arc = false

  spec.module_name = 'boost'
  spec.header_dir = 'boost'
  spec.preserve_path = 'boost'
end

1. Create a Patch:

   • Run npx patch-package react-native to create a patch file based on your changes. This command generates a patch file in a directory called patches/.

2. Apply the Patch Automatically:

   • Modify your package.json to apply the patch after installation. Add the following to your scripts section:

     "scripts": {
       "postinstall": "patch-package"
     }
     

   • Now, whenever you run npm install, patch-package will automatically apply the patch to the boost.podspec file.

Changing the checksum without knowing what happened isn’t a good solution. The checksum ensures the integrity and authenticity of your downloaded file, protecting against corrupted, incomplete, or maliciously altered files. If you bypass the checksum verification, you risk introducing security vulnerabilities, stability issues, or subtle bugs in your application. These can be challenging to diagnose and may compromise your application or user data.

So there’s a reason why they use checksums and it’s up to you all if you want to skip it 😅

move to node_modules/react-native/third-party-podspecs. Only change line spec.source = { :http => ‘https://boostorg.jfrog.io/artifactory/main/release/1.83.0/source/boost_1_83_0.tar.bz2’, :sha256 => ‘6478edfe2f3305127cffe8caf73ea0176c53769f4bf1585be237eb30798c3b8e’ } to spec.source = { :http => ‘https://sourceforge.net/projects/boost/files/boost/1.83.0/boost_1_83_0.tar.bz2’, :sha256 => ‘6478edfe2f3305127cffe8caf73ea0176c53769f4bf1585be237eb30798c3b8e’ }

Maybe jfrog close their server

@wswebcreation just frustrated that I started a new app with react-native 73 and still having the boost error issue. Going back to 72.5 with @Roshdy

I saw you removed your comment, but I understand it’s frustrating. I wanted my GHA workflow to work before the end of the year, as one of my last projects of 2023 and was also a bit frustrated, but these things can happen. Nothing works flawless in this world (not talking about RN specifically 😂), we all work with open source and can’t “demand” flawless code. We can “demand” ourselves to help and come up with fixes/patches and so on to unblock ourselves and others 😅

facing the same issue with react-native 0.68.1. any workaround for this?

Yes:

1. Go to node_modules/react-native/third-party-podspecs from the root of your project
2. check the boost.podspec for the version you need to use
3. check https://sourceforge.net/projects/boost/files/boost/ for the link of the file you need to have
4. get the checksum
5. Follow the steps from https://github.com/boostorg/boost/issues/843#issuecomment-1872943124

jfrog started working again. We can download boost file from jfrog without error now.

Doesn’t work. It just hangs “installing boost (1.76.0)” Using sourceforge

# Copyright (c) Meta Platforms, Inc. and affiliates.
#
# This source code is licensed under the MIT license found in the
# LICENSE file in the root directory of this source tree.

Pod::Spec.new do |spec|
  spec.name = 'boost'
  spec.version = '1.76.0'
  spec.license = { :type => 'Boost Software License', :file => "LICENSE_1_0.txt" }
  spec.homepage = 'http://www.boost.org'
  spec.summary = 'Boost provides free peer-reviewed portable C++ source libraries.'
  spec.authors = 'Rene Rivera'
  spec.source = { :http => 'https://sourceforge.net/projects/boost/files/boost/1.76.0/boost_1_76_0.tar.bz2',
                  :sha256 => 'f0397ba6e982c4450f27bf32a2a83292aba035b827a5623a14636ea583318c41' }

  # Pinning to the same version as React.podspec.
  spec.platforms = { :ios => '11.0' }
  spec.requires_arc = false

  spec.module_name = 'boost'
  spec.header_dir = 'boost'
  spec.preserve_path = 'boost'
end

I have the same issue with React Native 0.72.7

Error installing boost Verification checksum was incorrect, expected f0397ba6e982c4450f27bf32a2a83292aba035b827a5623a14636ea583318c41, got 5e89103d9b70bba5c91a794126b169cb67654be2051f90cf7c22ba6893ede0ff

boost version 1.76.0

It started to happen again today…

@wswebcreation

Ok, created a simple patch for this for RN 0.73.1, but everyone could do this

1. Install patch-package:

   npm install --save-dev patch-package postinstall-postinstall
   

2. Modify boost.podspec:

change

# Copyright (c) Meta Platforms, Inc. and affiliates.
#
# This source code is licensed under the MIT license found in the
# LICENSE file in the root directory of this source tree.

Pod::Spec.new do |spec|
  spec.name = 'boost'
  spec.version = '1.83.0'
  spec.license = { :type => 'Boost Software License', :file => "LICENSE_1_0.txt" }
  spec.homepage = 'http://www.boost.org'
  spec.summary = 'Boost provides free peer-reviewed portable C++ source libraries.'
  spec.authors = 'Rene Rivera'
  spec.source = { :http => 'https://boostorg.jfrog.io/artifactory/main/release/1.83.0/source/boost_1_83_0.tar.bz2',
                  :sha256 => '6478edfe2f3305127cffe8caf73ea0176c53769f4bf1585be237eb30798c3b8e' }

  # Pinning to the same version as React.podspec.
  spec.platforms = min_supported_versions
  spec.requires_arc = false

  spec.module_name = 'boost'
  spec.header_dir = 'boost'
  spec.preserve_path = 'boost'
end

to

# Copyright (c) Meta Platforms, Inc. and affiliates.
#
# This source code is licensed under the MIT license found in the
# LICENSE file in the root directory of this source tree.

Pod::Spec.new do |spec|
  spec.name = 'boost'
  spec.version = '1.83.0'
  spec.license = { :type => 'Boost Software License', :file => "LICENSE_1_0.txt" }
  spec.homepage = 'http://www.boost.org'
  spec.summary = 'Boost provides free peer-reviewed portable C++ source libraries.'
  spec.authors = 'Rene Rivera'
  # Patched due to issue https://github.com/boostorg/boost/issues/843
  spec.source = { :http => 'https://sourceforge.net/projects/boost/files/boost/1.83.0/boost_1_83_0.tar.bz2',
                  :sha256 => '6478edfe2f3305127cffe8caf73ea0176c53769f4bf1585be237eb30798c3b8e' }

  # Pinning to the same version as React.podspec.
  spec.platforms = min_supported_versions
  spec.requires_arc = false

  spec.module_name = 'boost'
  spec.header_dir = 'boost'
  spec.preserve_path = 'boost'
end

1. Create a Patch:

   • Run npx patch-package react-native to create a patch file based on your changes. This command generates a patch file in a directory called patches/.

2. Apply the Patch Automatically:

   • Modify your package.json to apply the patch after installation. Add the following to your scripts section:

     "scripts": {
       "postinstall": "patch-package"
     }
     

   • Now, whenever you run npm install, patch-package will automatically apply the patch to the boost.podspec file.

@wswebcreation Thanks this works for me.

Doesn’t work. It just hangs “installing boost (1.76.0)” Using sourceforge

# Copyright (c) Meta Platforms, Inc. and affiliates.
#
# This source code is licensed under the MIT license found in the
# LICENSE file in the root directory of this source tree.

Pod::Spec.new do |spec|
  spec.name = 'boost'
  spec.version = '1.76.0'
  spec.license = { :type => 'Boost Software License', :file => "LICENSE_1_0.txt" }
  spec.homepage = 'http://www.boost.org'
  spec.summary = 'Boost provides free peer-reviewed portable C++ source libraries.'
  spec.authors = 'Rene Rivera'
  spec.source = { :http => 'https://sourceforge.net/projects/boost/files/boost/1.76.0/boost_1_76_0.tar.bz2',
                  :sha256 => 'f0397ba6e982c4450f27bf32a2a83292aba035b827a5623a14636ea583318c41' }

  # Pinning to the same version as React.podspec.
  spec.platforms = { :ios => '11.0' }
  spec.requires_arc = false

  spec.module_name = 'boost'
  spec.header_dir = 'boost'
  spec.preserve_path = 'boost'
end

Try running with verbose, pod install --verbose. Boost is 100+ MB ish depending on your connection.

Hey all, Nicola here from the React Native team. Here is the official recommendation on how to overcome this failure:

• https://github.com/facebook/react-native/issues/42180

Ok is it just me??? I DON’T WANT AND SHOULD NOT HAVE TO DO ANY OF THIS. It should just work are you kidding me REACT NATIVE???

@tyler-canton

😳, what do you mean? I believe this is just you:

1. it’s already solved
2. it’s a 3rd party dependency/issue
3. it’s “open source”

everyone is doing it’s best here, during the weekend/evening/spare time.

I would expect a more professional and reasonable response from a, assuming, “professional” developer.

If you believe this could have been prevented then please help and keep these demotivating replies where they belong

Yes. It just started again about an hour ago. Working to get it fixed…

I’m developing a Mobile app with React Native (0.73.1) and for building the app I need to install the pods. The pods contains installing boos, see this file.

I get the following error

Installing boost (1.83.0)

[!] Error installing boost
Verification checksum was incorrect, expected 6478edfe2f3305127cffe8caf73ea0176c53769f4bf1585be237eb30798c3b8e, got 5e89103d9b70bba5c91a794126b169cb67654be2051f90cf7c22ba6893ede0ff

When I check this site I see the checksum should be 6478edfe2f3305127cffe8caf73ea0176c53769f4bf1585be237eb30798c3b8e

When I do this on my Mac

curl -sL https://boostorg.jfrog.io/artifactory/main/release/1.83.0/source/boost_1_83_0.tar.bz2 | shasum -a 256

5e89103d9b70bba5c91a794126b169cb67654be2051f90cf7c22ba6893ede0ff  -

I get a different checksum

Please let me know what I need to provide more to debug this

Facing the same issue on M1 machine

@sdarwin Thanks. I confirm that the checksum is same.

$ curl -sL https://archives.boost.io/release/1.76.0/source/boost_1_76_0.tar.bz2 | shasum -a 256
f0397ba6e982c4450f27bf32a2a83292aba035b827a5623a14636ea583318c41  -

Thanks, how temporary is this? Can we rely on this for the coming future, or do you have a TTL on this?

spec.source = { :http => ‘https://sourceforge.net/projects/boost/files/boost/1.83.0/boost_1_83_0.tar.bz2’, :sha256 => ‘6478edfe2f3305127cffe8caf73ea0176c53769f4bf1585be237eb30798c3b8e’ }

Instead of using sourceforge, using https://archives.boost.io/release works for me

This is still a problem right now it seems…

yes boost jfrog url is now working actually.

This is a temporary mirror site: https://archives.boost.io/release/1.84.0/source/

Hopefully the jfrog links will be restored soon.

I call this patch method in my post-install script, it works fine:

const patchBoostPodspec = () => {
  const boostPodspecPath = `${process.cwd()}/node_modules/react-native/third-party-podspecs/boost.podspec`;
  const originalUrl = 'https://boostorg.jfrog.io/artifactory/main/release/1.76.0/source/boost_1_76_0.tar.bz2';
  const patchedUrl = 'https://sourceforge.net/projects/boost/files/boost/1.76.0/boost_1_76_0.tar.bz2';

  if (!fs.existsSync(boostPodspecPath)) {
    // boost.podspec does not exist, skipping patch
    return;
  }

  let boostPodspec = fs.readFileSync(boostPodspecPath, 'utf8');

  if (!boostPodspec.includes(originalUrl)) {
    // boost.podspec is already patched or the URL is different, skipping patch
    return;
  }

  boostPodspec = boostPodspec.replace(originalUrl, patchedUrl);
  fs.writeFileSync(boostPodspecPath, boostPodspec, 'utf8');
};

...

patchBoostPodspec();

though installing from sourceforge is extremely slow

I temporarily fixed the bug, but when will this be resolved?

Just replace 83 with 76 and 6478edfe2f3305127cffe8caf73ea0176c53769f4bf1585be237eb30798c3b8e with f0397ba6e982c4450f27bf32a2a83292aba035b827a5623a14636ea583318c41

https://github.com/boostorg/boost/issues/843#issuecomment-1872918846

I have the same issue with React Native 0.72.7

Error installing boost Verification checksum was incorrect, expected f0397ba6e982c4450f27bf32a2a83292aba035b827a5623a14636ea583318c41, got 5e89103d9b70bba5c91a794126b169cb67654be2051f90cf7c22ba6893ede0ff

boost version 1.76.0

Guys!

DO NOT REPLACE HASHSUM

Replace this url https://boostorg.jfrog.io/artifactory/main/release/1.76.0/source/boost_1_76_0.tar.bz2

with https://sourceforge.net/projects/boost/files/boost/1.76.0/boost_1_76_0.tar.bz2

Facing the same issue now, changing to https://archives.boost.io/release worked

diff --git a/node_modules/react-native/third-party-podspecs/boost.podspec b/node_modules/react-native/third-party-podspecs/boost.podspec
index 3d9331c..b1e2c6a 100644
--- a/node_modules/react-native/third-party-podspecs/boost.podspec
+++ b/node_modules/react-native/third-party-podspecs/boost.podspec
@@ -10,7 +10,7 @@ Pod::Spec.new do |spec|
   spec.homepage = 'http://www.boost.org'
   spec.summary = 'Boost provides free peer-reviewed portable C++ source libraries.'
   spec.authors = 'Rene Rivera'
-  spec.source = { :http => 'https://boostorg.jfrog.io/artifactory/main/release/1.76.0/source/boost_1_76_0.tar.bz2',
+  spec.source = { :http => 'https://sourceforge.net/projects/boost/files/boost/1.76.0/boost_1_76_0.tar.bz2',
                   :sha256 => 'f0397ba6e982c4450f27bf32a2a83292aba035b827a5623a14636ea583318c41' }
 
   # Pinning to the same version as React.podspec.

This patch fixed the issue for me.

@sdarwin Thanks. I confirm that the checksum is same.

$ curl -sL https://archives.boost.io/release/1.76.0/source/boost_1_76_0.tar.bz2 | shasum -a 256
f0397ba6e982c4450f27bf32a2a83292aba035b827a5623a14636ea583318c41  -

@agrittiwari @Mitdd9707 try replacing spec.platforms with: spec.platforms = { :ios => '11.0' } and create a patch again using npx patch-package react-native

Not sure if this is the best solution, it works for me.

@OmkarK45 , if you update this file node_modules/react-native/third-party-podspecs/boost.podspec and the issue still occurs, the issues is not with a patch. Try:

• rename Pods dir
• try to install new Pods
• try to remove Podfile.lock and pod install again.

You were right, the issue was with cocoapods version, I installed 1.13 and the error went away

@OmkarK45 , if you update this file node_modules/react-native/third-party-podspecs/boost.podspec and the issue still occurs, the issues is not with a patch. Try:

• rename Pods dir
• try to install new Pods
• try to remove Podfile.lock and pod install again.

spec.source = { :http => ‘https://sourceforge.net/projects/boost/files/boost/1.83.0/boost_1_83_0.tar.bz2’, :sha256 => ‘6478edfe2f3305127cffe8caf73ea0176c53769f4bf1585be237eb30798c3b8e’ }

Instead of using sourceforge, using https://archives.boost.io/release works for me

Replacing it to https://archives.boost.io/release/1.76.0/source/boost_1_76_0.tar.bz2 works Thanks a lot!!!

update cocoapod(brew install cocoapods), worked for me.

Implemented the changes suggested as Suggested above, but it really didn’t solve the problem. Made a patch of it, it doesn’t solve the upstream problem, but crashes the pod install, somehow.

⚠️  Something went wrong running `pod install` in the `ios` directory.
Command `pod install` failed.
└─ Cause: Failed to load 'boost' podspec: 
[!] Invalid `boost.podspec` file: undefined local variable or method `min_supported_versions' for Pod:Module.

 #  from /Users/agrittiwari/wishup/client-app/node_modules/react-native/third-party-podspecs/boost.podspec:17
 #  -------------------------------------------
 #    # Pinning to the same version as React.podspec.
 >    spec.platforms = min_supported_versions
 #    spec.requires_arc = false
 #  -------------------------------------------


pod install --repo-update --ansi exited with non-zero code: 1

Who else is facing incredible slowness in jFrog? it took almost 45 minutes to install boost

same here

What about for build systems like AppCenter, where node_modules are created at build time?

What do you mean?

When AppCenter does a build, it generates does an yarn install to pull in everything in node_modules so editing these files locally, won’t help the build process. Is there a way to override this on yarn install it pulls the correct url?

Try creating patch on your local computer and upload generated patch then modify package.json file to apply patches. This should work.

@ronenempathy

You are not creating a new module, you are creating a patch in your project that will be installed when you do the npm i

The steps mentioned above create the patch, here’s how it looks like in my case

Changing the checksum without knowing what happened doesn’t feel like a good solution. There’s a reason why they use checksums 😅

We are not changing the checksum. Original link is broken, just replacing it with sourceforge link.