This repository has been archived by the owner on Apr 14, 2021. It is now read-only.
In PR #4851, we started checking .gem file checksums against the checksum provided in the compact index. However, if the checksums don't match, this is potentially a breaking change.
Based on the principle of empowering users to resolve their own errors, we should print the full path to the failing .gem, suggest deleting the gem with the bad checksum, and explain that if they are sure they want to install this gem despite the checksum not matching, they can run `bundle config disable.checksum_validaiton true` to turn off checksum checking.
Improve gem checksum mismatch error message
Improve gem checksum mismatch error message by telling users how to resolve it.
Old message:
```
The checksum for the downloaded `rack-1.0.0.gem` did not match the checksum given by the API. This means that the contents of the gem appear to be different from what was uploaded, and could be an indicator of a security issue.
(The expected SHA256 checksum was "abababababababababababababababababababababab", but the checksum for the downloaded gem was "BR6Oc6Gqnq93u1aIVX4m6DvTHaFgFxdYaLUfa4ekJKI=".)
Bundler cannot continue installing rack (1.0.0).
```
New message:
```
Bundler cannot continue installing rack (1.0.0).
The checksum for the downloaded `rack-1.0.0.gem` does not match the checksum given by the server. This means the contents of the downloaded gem is different from what was uploaded to the server, and could be a potential security issue.
To resolve this issue:
1. delete the downloaded gem located at: `full-path/gems/rack-1.0.0/rack-1.0.0.gem`
2. run `bundle install`
If you wish to continue installing the downloaded gem, and are certain it does not pose a security issue despite the mismatching checksum, do the following:
1. run `bundle config disable.checksum_validaiton true` to turn off checksum verification
2. run `bundle install`
(More info: The expected SHA256 checksum was "abababababababababababababababababababababab", but the checksum for the downloaded gem was "PbfaoemSetv76QdcxuoP0ggZ0TZhMELlMMWURJoX+dw=".)
```
Closes #5075
The error message to be changed is inside rubygems_gem_installer.rb.
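The check and the actionable error discussed above, as an added Ruby example (not Bundler's code and not the code from the PR). `verify_gem_checksum`, `GemChecksumMismatch` and the `skip:` flag are hypothetical names, and the gem file is a constructed stand-in.

```ruby
require "digest"
require "tempfile"

# Hypothetical error class for this example (not Bundler's own).
class GemChecksumMismatch < StandardError; end

# Compare a downloaded .gem against the checksum published by the server.
# expected_b64: base64 SHA256, the encoding of the downloaded-gem checksum shown in the messages above.
# skip: models the opt-out setting; when true, nothing is verified.
def verify_gem_checksum(gem_path, expected_b64, skip: false)
  return :skipped if skip
  full_path = File.expand_path(gem_path)
  # Digest::SHA256.file streams the file, so large gems are not read into memory.
  actual_b64 = Digest::SHA256.file(full_path).base64digest
  return :ok if actual_b64 == expected_b64

  raise GemChecksumMismatch, <<~MSG
    The checksum for the downloaded `#{File.basename(full_path)}` does not match the checksum given by the server.
    To resolve this issue:
    1. delete the downloaded gem located at: `#{full_path}`
    2. run `bundle install`
    (More info: expected SHA256 "#{expected_b64}", downloaded gem has "#{actual_b64}".)
  MSG
end

# Constructed sample: a temporary file plays the role of rack-1.0.0.gem.
def demo
  Tempfile.create(["rack-1.0.0", ".gem"]) do |f|
    f.write("constructed gem bytes")
    f.flush
    published = Digest::SHA256.file(f.path).base64digest
    results = [verify_gem_checksum(f.path, published)]

    f.write("!") # simulate a corrupted or altered download
    f.flush
    begin
      verify_gem_checksum(f.path, published)
    rescue GemChecksumMismatch => e
      # The message must carry the full path so the user can delete the file.
      results << e.message.include?(File.expand_path(f.path))
    end
    results << verify_gem_checksum(f.path, published, skip: true)
    results
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

The `skip: true` path returns without hashing the file at all, which is why the proposed message asks the user to be certain before turning validation off.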