FS#72612 - [nss] nss-3.72.tar.gz fails sha256sums verification

Attached to Project: Arch Linux
Opened by kpcyrd (kpcyrd) - Tuesday, 02 November 2021, 12:55 GMT
Last edited by Jan Alexander Steffens (heftig) - Tuesday, 23 November 2021, 17:16 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Jan Alexander Steffens (heftig)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:

The checksum pinned in the PKGBUILD doesn't seem to match the current tar ball, possibly due to re-tagging:

```
==> Retrieving sources...
-> Downloading nss-3.72.tar.gz...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:05 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:06 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:07 --:--:-- 0
5 80.0M 5 4909k 0 0 560k 0 0:02:26 0:00:08 0:02:18 988k
100 80.0M 100 80.0M 0 0 9043k 0 0:00:09 0:00:09 --:--:-- 18.7M
-> Found certdata2pem.py
-> Found bundle.sh
==> WARNING: Skipping verification of source file PGP signatures.
==> Validating source files with sha256sums...
nss-3.72.tar.gz ... FAILED
certdata2pem.py ... Passed
bundle.sh ... Passed
==> ERROR: One or more files did not pass the validity check!
[1m[34m ->[0m[1m Delete snapshot for nss_3686495...[0m
```

Steps to reproduce:

rebuildctl -H 'https://reproducible.archlinux.org' pkgs log --name nss | tail
This task depends upon

Closed by  Jan Alexander Steffens (heftig)
Tuesday, 23 November 2021, 17:16 GMT
Reason for closing:  Fixed
Additional comments about closing:  nss 3.72-2
Comment by . (-_-) - Tuesday, 23 November 2021, 16:11 GMT
there is still a hash mismatch.
Comment by Jan Alexander Steffens (heftig) - Tuesday, 23 November 2021, 17:15 GMT
Compared the old and the new tarball. Archive contents are identical, the old file had about 2M of garbage after the end of the archive.

Loading...