
The checksums in the Packages.bz2 file in jfrog's trusty repository for artifactory don't match the packages. This causes mirroring and installations to fail. Checked 19-Jul-2018 0606 UTC

$ curl -s https://jfrog.bintray.com/artifactory-debs/dists/trusty/main/binary-amd64/Packages.bz2|bzcat|grep -A2 -F jfrog-artifactory-oss-6.1.0.deb
Filename: pool/main/j/jfrog-artifactory-oss-deb/jfrog-artifactory-oss-6.1.0.deb
SHA1: dfe6d0cce9c3ca946d27b8dd1cf080e0ef6b9818
SHA256: c88e6f2f183426721ce3273642e0df00abce2150c7ca67afe1a69b175e9775f6

$ curl -s https://jfrog.bintray.com/artifactory-debs/pool/main/j/jfrog-artifactory-oss-deb/jfrog-artifactory-oss-6.1.0.deb | sha1sum
da39a3ee5e6b4b0d3255bfef95601890afd80709  -
$ curl -s https://jfrog.bintray.com/artifactory-debs/pool/main/j/jfrog-artifactory-oss-deb/jfrog-artifactory-oss-6.1.0.deb | sha256sum
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  -

Edit:

As has been kindly pointed out by Royg, I was missing the -L flag to curl in order to follow bintray's redirects. However, that then exposes an issue with the package for version 4.3.1:

$ curl -sL https://jfrog.bintray.com/artifactory-debs/dists/trusty/main/binary-amd64/Packages.bz2 | bzcat | grep -A2 -F jfrog-artifactory-oss-4.3.1.deb
Filename: pool/main/j/jfrog-artifactory-oss-deb/jfrog-artifactory-oss-4.3.1.deb
SHA1: dc8b12436f309b538f6b80b4027b797e3cfce897
SHA256: 8cad6699ff17866b93a02124254ba3fb9a3ca2036048161b9bd3a49c8257831f

$ curl -sL https://jfrog.bintray.com/artifactory-debs/pool/main/j/jfrog-artifactory-oss-deb/jfrog-artifactory-oss-4.3.1.deb | sha1sum
575dc3debd016ff3a21e635625de266a6b0c2e48  -

1 Answer


You are missing the redirect option in your curl command: -L or --location.

If you try the curl command to the artifact with -v or --verbose, you can see that Bintray is redirecting you to the CDN nearest you. That means that you are running sha1sum and sha256sum on an empty artifact, which is why the checksum doesn't match.

$ curl https://jfrog.bintray.com/artifactory-debs/pool/main/j/jfrog-artifactory-oss-deb/jfrog-artifactory-oss-6.1.0.deb -vL | sha1sum
dfe6d0cce9c3ca946d27b8dd1cf080e0ef6b9818  -
$ curl https://jfrog.bintray.com/artifactory-debs/pool/main/j/jfrog-artifactory-oss-deb/jfrog-artifactory-oss-6.1.0.deb -vL | sha256sum
c88e6f2f183426721ce3273642e0df00abce2150c7ca67afe1a69b175e9775f6  -

Royg
  • OK well thanks for pointing out my glaring error.. now the plot thickens.. the thing which initially triggered this 'discovery' was a failure when mirroring the repo using aptly `ERROR: unable to update: download errors: https://jfrog.bintray.com/artifactory-debs/pool/main/j/jfrog-artifactory-oss-deb/jfrog-artifactory-oss-4.3.1.deb: sha1 hash mismatch "575dc3debd016ff3a21e635625de266a6b0c2e48" != "dc8b12436f309b538f6b80b4027b797e3cfce897"` I'll do some more digging – Russell Howe Jul 20 '18 at 09:08
  • It looks like only `jfrog-artifactory-oss-4.3.1.deb` has this issue, checksum matches on 4.3.0 and 4.3.2, you can contact Bintray's support. – Royg Jul 20 '18 at 09:33
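
The check carried out by hand in this thread, as an added example that is not part of the original question or answer: it looks up a package's stanza in a decompressed Packages index, compares both digests against a local download, and reports the zero-byte case (the empty-input digests seen in the question) separately from a real mismatch. The function names `index_field` and `verify_deb` and the exit codes are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread). index_field, verify_deb and
# the exit codes are names chosen for this sketch.
# Digests of zero bytes of input: the values shown in the question when curl
# ran without -L and only the bodiless redirect response was hashed.
EMPTY_SHA1=da39a3ee5e6b4b0d3255bfef95601890afd80709
EMPTY_SHA256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

# index_field PACKAGES DEB_BASENAME FIELD
# Prints FIELD from the stanza whose Filename: ends in DEB_BASENAME.
index_field() {
  awk -v deb="$2" -v key="$3:" '
    BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one stanza per record
    {
      hit = 0; val = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, " ")
        n = split(kv[2], path, "/")
        if (kv[1] == "Filename:" && path[n] == deb) hit = 1
        if (kv[1] == key) val = kv[2]
      }
      if (hit) { print val; exit }
    }' "$1"
}

# verify_deb PACKAGES DEB_FILE
# Returns 0 match, 1 mismatch, 2 zero-byte download, 3 not listed in index.
verify_deb() {
  local pkgs=$1 deb=$2 name want1 want256 got1 got256
  name=$(basename "$deb")
  want1=$(index_field "$pkgs" "$name" SHA1)
  want256=$(index_field "$pkgs" "$name" SHA256)
  if [ -z "$want1" ] || [ -z "$want256" ]; then
    echo "$name: not listed in $pkgs" >&2; return 3
  fi
  got1=$(sha1sum < "$deb" | cut -d' ' -f1)
  got256=$(sha256sum < "$deb" | cut -d' ' -f1)
  if [ "$got1" = "$EMPTY_SHA1" ] && [ "$got256" = "$EMPTY_SHA256" ]; then
    echo "$name: zero-byte download; was the redirect followed (curl -L)?" >&2
    return 2
  fi
  if [ "$got1" != "$want1" ] || [ "$got256" != "$want256" ]; then
    echo "$name: index sha1=$want1 sha256=$want256" >&2
    echo "$name: file  sha1=$got1 sha256=$got256" >&2
    return 1
  fi
  echo "$name: OK"
}
[ "$#" -ne 2 ] || verify_deb "$@"
```

Saved as a script, it takes the decompressed index and the downloaded `.deb` as its two arguments. Unlike `grep -A2`, the stanza lookup does not depend on the SHA1 and SHA256 lines directly following the Filename line.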