magento2: The checksum verification of the file failed (downloaded from https://repo.magento.com/archives/vertex/sdk/vertex-sdk-1.0.0.0.zip)

Summary (*)

Magento v2.2.5

We are trying to install the vertex/sdk package within a regular Magento2 installation from an existing composer.lock file. This package requires the magento/product-community-edition package through "vertex/module-tax": "^2.1.2". And we got an exception:

  - Installing magento/module-wishlist-analytics (100.2.1): Downloading (100%)
  - Installing vertex/sdk (1.0.0): Downloading (100%)

  [UnexpectedValueException]
  The checksum verification of the file failed (downloaded from https://repo.magento.com/archives/vertex/sdk/vertex-sdk-1.0.0.0.zip)

Examples (*)

This package description in composer.lock:

        {
            "name": "vertex/sdk",
            "version": "1.0.0",
            "dist": {
                "type": "zip",
                "url": "https://repo.magento.com/archives/vertex/sdk/vertex-sdk-1.0.0.0.zip",
                "reference": null,
                "shasum": "f57d48ec0d4f79bef9daefa5364c1e67d621e22c"
            },
            "require": {
                "ext-mbstring": "*",
                "ext-openssl": "*",
                "ext-soap": "*",
                "php": "^5.4|^7"
            },
            "require-dev": {
                "php": "^7.1",
                "phpmd/phpmd": "^2.6",
                "phpunit/phpunit": "^7.2",
                "squizlabs/php_codesniffer": "^3.3"
            },
            "type": "library",
            "autoload": {
                "psr-4": {
                    "Vertex\\": "src/"
                }
            },
            "license": [
                "proprietary"
            ],
            "description": "Tools for communicating with Vertex Cloud and Vertex O-Series"
        },

Proposed solution

Please provide information on why the archive has been updated and the expected shasum value. Just for the record, the current shasum is c78a12a5a07994a88502eb09729605bc192d5840. Thank you.

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 8
  • Comments: 22 (11 by maintainers)

Most upvoted comments

To make it work (this is not a fix, this is to bypass someone’s bad decisions):

  1. rm -rf vendor/vertex
  2. rm -rf ~/.cache/composer/files/vertex or rm -rf ~/.composer/cache/files/vertex (depends on OS)
  3. composer update vertex/module-tax

That will download a new zip, with a different checksum. I’m pissed off at changing module files without changing the version, that is bad practice and it’s not only for the vertex package. I had problems with the magento/composer package in the past.

That problem blocked our team for a good chunk of time and I understand the frustration of developers on that subject, especially those who use a deployment process installing packages on infrastructure with multiple machines.

I think it is ridiculous that such things are happening.

In case someone is looking for a temporary workaround:

curl -S https://<public key>:<private key>@repo.magento.com/packages.json > /tmp/packages.json
cat /tmp/packages.json | python -m json.tool | grep -A 20 '"vertex/sdk": {' | grep shasum

Update your composer.lock vertex/sdk entry with that sha and you should be good to go.

@engcom-backlog-nazar This should be considered a Magento Core Technical issue.

That package is hosted on repo.magento.com and it’s a default Magento dependency. This is not the first time that some weird operation performed on repo.magento.com breaks existing installations, see #16129. Probably there is some procedure (manual or automatic) that is failing.

This package vertex/sdk 1.0.0 hasn’t been changed since ~ Nov 19th, but it is likely that the same version was overridden which was live. We are looking into the publication process if an identical package and version is being re-zipped and overwriting it even if there are no changes.

Note: re-zipping the same contents can change the shasum of the zip file even if there were no changes.

The correct shasum here is 6c7ed091879e66d75faf95fed7e48751693c68c7

If you are running into shasum error here, try composer clear-cache and/or updating the composer.lock file with the aforesaid shasum for this package.
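
The note above, that re-zipping identical contents changes the shasum, can be checked before a new value is accepted into composer.lock. The following is an added example, not code from this thread or from Magento: it assumes a copy of the previously locked archive is still available (for instance from a Composer cache or a build artifact), and the package files in it are constructed.

```python
import hashlib
import io
import zipfile


def make_zip(files, date_time):
    """Build an in-memory zip whose entries all carry the given mtime."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


def archive_sha1(blob):
    """SHA-1 of the raw archive bytes, the value held in dist.shasum."""
    return hashlib.sha1(blob).hexdigest()


def content_digest(blob):
    """SHA-256 over sorted (name, bytes) pairs; zip metadata is ignored."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in sorted(n for n in zf.namelist() if not n.endswith("/")):
            raw_name, data = name.encode(), zf.read(name)
            h.update(len(raw_name).to_bytes(4, "big") + raw_name)
            h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def classify(locked_blob, served_blob):
    """Tell a harmless repack apart from a real change in the shipped files."""
    if archive_sha1(locked_blob) == archive_sha1(served_blob):
        return "identical"
    if content_digest(locked_blob) == content_digest(served_blob):
        return "repacked"        # same files, new zip metadata
    return "content-changed"     # review the diff before updating the lock


# Constructed sample package, not the real vertex/sdk contents.
FILES = {"composer.json": b'{"name": "example/pkg"}\n',
         "src/Client.php": b"<?php // constructed sample\n"}
ORIGINAL = make_zip(FILES, (2018, 11, 19, 12, 0, 0))
REZIPPED = make_zip(FILES, (2018, 12, 5, 9, 30, 0))
MODIFIED = make_zip({**FILES, "src/Client.php": b"<?php // changed\n"},
                    (2018, 11, 19, 12, 0, 0))

if __name__ == "__main__":
    for label, blob in (("rezipped", REZIPPED), ("modified", MODIFIED)):
        print(label, archive_sha1(blob), classify(ORIGINAL, blob))
```

Only the "repacked" result matches the re-zip explanation; "content-changed" means the files themselves differ under the same version number and the new shasum should not be copied into the lock file without reviewing what changed.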

The issue happens when you have vertex/sdk already in composer.lock from before the checksum on the server changed. If you install or update it now you won’t have any error.

What I’m reporting is that on some occasions packages in repo.magento.com change their content without a change in the version number (possibly some git push --tags --force?). This causes existing installations to fail when the package is re-downloaded from the same composer.lock with the old checksum.

If you install Magento now it works, if you installed it, say, three days ago and today you do a composer install of the old instance it will fail.

Magento 2.3.0 is here:

Installing magento/project-community-edition (2.3.0)
  - Installing magento/project-community-edition (2.3.0): Downloading (100%)         
Created project in /home/alexg/instance/sample_mage2_app/work
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 390 installs, 0 updates, 0 removals

no more vertex/sdk ^1.0.0 failure for now.