libgcrypt SHA256 mismatch?
Kurt Buff
kurt.buff at gmail.com
Thu Sep 29 17:21:16 UTC 2011
On Wed, Sep 28, 2011 at 18:45, Lars Eighner <portsuser at larseighner.com> wrote:
> On Wed, 28 Sep 2011, Kurt Buff wrote:
>
>> All,
>>
>> I've just spun up a new 8.2-RELEASE VM, and gotten a fresh ports tree.
>> I tried to install XFCE4, but it has ended with an error:
>>
>> ===> Verifying install for gcrypt.18 in /usr/ports/security/libgcrypt
>> ===> License GPLv2 LGPL21 accepted by the user
>> ===> Extracting for libgcrypt-1.5.0
>> => SHA256 Checksum mismatch for libgcrypt-1.5.0.tar.bz2.
>> ===> Refetch for 1 more times files: libgcrypt-1.5.0.tar.bz2
>> ===> License GPLv2 LGPL21 accepted by the user
>> => libgcrypt-1.5.0.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
>> => Attempting to fetch
>> http://gnupg.org.favoritelinks.net/libgcrypt/libgcrypt-1.5.0.tar.bz2
>> fetch:
>> http://gnupg.org.favoritelinks.net/libgcrypt/libgcrypt-1.5.0.tar.bz2:
>> size unknown
>> fetch:
>> http://gnupg.org.favoritelinks.net/libgcrypt/libgcrypt-1.5.0.tar.bz2:
>> size of remote file is not known
>> libgcrypt-1.5.0.tar.bz2 4634 B 5734 kBps
>> ===> License GPLv2 LGPL21 accepted by the user
>> => SHA256 Checksum mismatch for libgcrypt-1.5.0.tar.bz2.
>> ===> Giving up on fetching files: libgcrypt-1.5.0.tar.bz2
>> Make sure the Makefile and distinfo file
>> (/usr/ports/security/libgcrypt/distinfo)
>> are up to date. If you are absolutely sure you want to override this
>> check, type "make NO_CHECKSUM=yes [other args]".
>>
>>
>> Anyone else run into this?
>
> The source file is being truncated because fetch loses its connection for
> one reason or another. Many servers now cut you off if you are at dial-up
> speeds because "net fairness" means broadband users always go to the front
> of the line.
>
> You can make a shell script to fetch the file and keep running it until you
> finally get the whole file a piece at a time or you can try ftp. When you
> have the whole source file (check it against distinfo) place it in
> /usr/ports/distfiles. Things should go fine.
>
> "Checksum mismatch" nearly always means a truncated file. I cannot ever
> remember seeing it otherwise. Do not override it with NO_CHECKSUM. That
> will be useless with a truncated file and worse than useless if a security
> port really has been tampered with.

Interesting. I found out what the problem is, but haven't figured out
how to work around it.

As a test, I put the URL
(http://gnupg.org.favoritelinks.net/libgcrypt/libgcrypt-1.5.0.tar.bz2)
into a web browser, and found that it's being blocked by our web
filter, because the site is marked as also serving adult content. The
supposed tarball in /usr/ports/distfiles is the response from the web
filter, so it's junk.

After repeated fetches, that is the only site my machine is using to
grab the tarball. How do I tell the machine to vary its download sites
(if indeed there are alternatives?)

In the Makefile I see the line

MASTER_SITES= ${MASTER_SITE_GNUPG}

which I'd bet controls how it finds what sites to visit, but don't
know anything beyond that.

Thanks,

Kurt
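
The check discussed in this thread (compare the fetched file with distinfo, then work out what the file really is), as an added example that is not part of the original message or of the ports tree. The function names are hypothetical, and the script assumes distinfo lines of the form "SHA256 (name) = hex" and "SIZE (name) = bytes".

```shell
#!/bin/sh
# Added example: check a fetched distfile against a port's distinfo and, on a
# mismatch, report whether the file is a tarball at all.
# Assumed distinfo line format:  SHA256 (name) = <hex>   /   SIZE (name) = <bytes>

# Print the SHA-256 of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD base system
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# distinfo_field DISTINFO KEY NAME: print the recorded value for KEY (NAME).
distinfo_field() {
    awk -v k="$2" -v f="($3)" '$1 == k && $2 == f { print $4 }' "$1"
}

# check_distfile DISTINFO FILE
# Returns 0 = matches, 1 = mismatch, 2 = file not listed in distinfo.
check_distfile() {
    name=$(basename "$2")
    want_sum=$(distinfo_field "$1" SHA256 "$name")
    want_size=$(distinfo_field "$1" SIZE "$name")
    [ -n "$want_sum" ] || { echo "$name: not listed in $1"; return 2; }
    got_sum=$(sha256_of "$2")
    got_size=$(wc -c < "$2" | tr -d ' ')
    if [ "$got_sum" = "$want_sum" ]; then
        echo "$name: OK"; return 0
    fi
    echo "$name: SHA256 mismatch (size $got_size, distinfo says ${want_size:-?})"
    # A real .tar.bz2 starts with the bzip2 magic "BZh"; a proxy or web-filter
    # response starts with HTML or other text instead.
    case $(head -c 3 "$2") in
        BZh) echo "  bzip2 header present: truncated or altered download" ;;
        *)   echo "  not bzip2 data: likely an error or block page, first line:"
             head -n 1 "$2" | cut -c 1-70 | sed 's/^/    /' ;;
    esac
    return 1
}

# Usage: check_distfile /usr/ports/security/libgcrypt/distinfo \
#            /usr/ports/distfiles/libgcrypt-1.5.0.tar.bz2
```

A mismatch reported as "not bzip2 data" points at the network path (filter, proxy, captive portal) rather than at the mirror's copy of the tarball; in neither case is NO_CHECKSUM the fix.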