conan-center-index: [package] ConanException: sha256 signature failed (Seems lots of github projects are being affected)

Description

Installation of Catch2 v3.3.0 fails due to hash mismatches since today:

catch2/3.3.0: Configuring sources in /github/home/.conan/data/catch2/3.3.0/_/_/source/src
ERROR: catch2/3.3.0: Error in source() method, line 92
	get(self, **self.conan_data["sources"][self.version], destination=self.source_folder, strip_root=True)
	ConanException: sha256 signature failed for 'v3.3.0.tar.gz' file. 
 Provided signature: fe2f29a54ca775c2dd04bb97ffb79d398e6210e3caa174348b5cd3b7e4ca887d  
 Computed signature: 48f06c98e685ac809db092364a7ef5604ed51f3e9edacca1b4beb84cdd147038

Package and Environment Details

  • Package Name/Version: catch2/3.3.0
  • Operating System+version: Linux (various) / Windows / Mac OS
  • Compiler+version: Linux (various GCC and Clang) / MSVC / OS X Clang
  • Docker image: N/A
  • Conan version: conan 1.57.0
  • Python version: Python 3.10

Conan profile

Default Linux (GCC / Clang), Windows (MSVC) and Mac OS (Clang)

Steps to reproduce

  1. Install catch2/3.3.0
  2. Installation fails with hash mismatch

Logs

catch2/3.3.0: Configuring sources in /github/home/.conan/data/catch2/3.3.0/_/_/source/src
ERROR: catch2/3.3.0: Error in source() method, line 92
	get(self, **self.conan_data["sources"][self.version], destination=self.source_folder, strip_root=True)
	ConanException: sha256 signature failed for 'v3.3.0.tar.gz' file. 
 Provided signature: fe2f29a54ca775c2dd04bb97ffb79d398e6210e3caa174348b5cd3b7e4ca887d  
 Computed signature: 48f06c98e685ac809db092364a7ef5604ed51f3e9edacca1b4beb84cdd147038

About this issue

  • State: closed
  • Created a year ago
  • Reactions: 10
  • Comments: 20 (16 by maintainers)

Most upvoted comments

Looks like the rollback is finished, I’m seeing my packages build again.

Thanks for reporting, I am pinning this issue since it’s kinda beyond our control 😱

I’m also seeing this for some other packages: libpqxx/7.7.4, fmt/8.1.1, protobuf/3.21.4

libpqxx/7.7.4: Configuring sources in /root/.conan/data/libpqxx/7.7.4/_/_/source/src
ERROR: libpqxx/7.7.4: Error in source() method, line 99
	get(self, **self.conan_data["sources"][self.version], destination=self.source_folder, strip_root=True)
	ConanException: sha256 signature failed for '7.7.4.tar.gz' file. 
 Provided signature: 65b0a06fffd565a19edacedada1dcfa0c1ecd782cead0ee067b19e2464875c36  
 Computed signature: 17cb5d8e35018698b0cf162400546e1038aa09be4e444d59869307b7f4070e24
fmt/8.1.1: Configuring sources in /root/.conan/data/fmt/8.1.1/_/_/source/src
ERROR: fmt/8.1.1: Error in source() method, line 96
	get(self, **self.conan_data["sources"][self.version],
	ConanException: sha256 signature failed for '8.1.1.tar.gz' file. 
 Provided signature: 3d794d3cf67633b34b2771eb9f073bde87e846e0d395d254df7b211ef1ec7346  
 Computed signature: 48104b18e6779d4f04dea35a0a3845b102a04bab3cd111a98275b7a89e05e567
protobuf/3.21.4: Configuring sources in /root/.conan/data/protobuf/3.21.4/_/_/source/src
ERROR: protobuf/3.21.4: Error in source() method, line 86
	get(self, **self.conan_data["sources"][self.version], strip_root=True)
	ConanException: sha256 signature failed for 'v3.21.4.tar.gz' file. 
 Provided signature: 85d42d4485f36f8cec3e475a3b9e841d7d78523cd775de3a86dba77081f4ca25  
 Computed signature: efdaaf08f34af3b6cd906e59e181e3e30589a2fc2cc9d89036f92d529b9fe1cd

The amount of backlash on github is huge. They broke a lot of things with this. Hopefully they roll it back. This comment gets me lol https://github.com/bazel-contrib/SIG-rules-authors/issues/11#issuecomment-1409404725

https://github.com/orgs/community/discussions/45830#discussioncomment-4823531

Hey,

I’m one of the engineers in the Git Systems org at GitHub. I think there’s been a misinterpretation of what we guarantee as far as stability.

If you generate a release for a particular tag, and you upload your own assets, such as a tarball or binaries, we’ll guarantee those don’t change. However, the automated “Source code (tar.gz)” and “Source code (zip)” links, as well as any automated archives we generate, aren’t guaranteed to be stable. That’s because Git doesn’t guarantee stability here and we rely on Git to generate those archives on the fly, so as we upgrade, things may change.

If you need a stable source code archive, please generate a release and upload your own archive as part of this process, and then you can reference those with stable hashes.

To give you an example as to what’s stable and what’s not, if you look at the latest Git LFS release at https://github.com/git-lfs/git-lfs/releases/tag/v3.3.0, all of the Assets entries except the two “Source code” links at the bottom are guaranteed to be stable (since those two are autogenerated). You’ll notice we ship our own stable tarball and signed hashes as part of the assets, and that works.

I apologize for the confusion here, and hopefully this clarifies things.
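An added example, not part of the thread or of Conan's code: when a pinned sha256 stops matching a regenerated archive, as in the logs above, one way to triage it is to compare a digest of the unpacked contents, which does not depend on how the tarball was compressed. The function names, the `pkg-1.0` file tree and the sample archives are constructed for illustration, and the gzip level and header timestamp stand in for whatever changed in archive generation.

```python
import gzip
import hashlib
import io
import tarfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def content_digest(targz: bytes) -> str:
    """Hash member names, types, modes and file bytes, ignoring gzip framing."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(targz), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            h.update(f"{m.name}\0{m.type.decode()}\0{m.mode:o}\0{m.size}\0".encode())
            if m.isfile():
                h.update(tar.extractfile(m).read())
            elif m.issym() or m.islnk():
                h.update(m.linkname.encode())
    return h.hexdigest()


def classify(pinned_sha256: str, pinned_content: str, targz: bytes) -> str:
    if sha256_hex(targz) == pinned_sha256:
        return "match"
    if content_digest(targz) == pinned_content:
        return "repacked"          # same files, different compressed bytes
    return "content-changed"       # treat as untrusted until explained


def make_tar(files: dict) -> bytes:
    """Constructed sample data: deterministic uncompressed tar from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> list:
    files = {"pkg-1.0/CMakeLists.txt": b"project(pkg)\n" * 50,
             "pkg-1.0/src/main.cpp": b"int main() { return 0; }\n" * 50}
    pinned = gzip.compress(make_tar(files), 9, mtime=0)    # archive when the hash was pinned
    repacked = gzip.compress(make_tar(files), 1, mtime=1)  # same tree, regenerated differently
    files["pkg-1.0/src/main.cpp"] += b"// extra line\n"
    changed = gzip.compress(make_tar(files), 9, mtime=0)   # the tree itself differs
    ps, pc = sha256_hex(pinned), content_digest(pinned)
    return [classify(ps, pc, a) for a in (pinned, repacked, changed)]


if __name__ == "__main__":
    print(demo())
```

The content digest is only meaningful if it was recorded from the same trusted archive as the pinned sha256; a "repacked" verdict says the file tree is unchanged, not that the new hash should be pinned blindly.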

ouch…

Is this an opportunity to mirror everything? 😄

It looks like a generalized issue on GitHub https://github.com/orgs/community/discussions/45830