Re: trufflehog checksum fail

2023-08-02 Thread Frank Cusack via macports-users
I did read the FAQ and did clean (--all all) and try again, only to fail
again. Only after the selfupdate did it work. I guess I'm not motivated
enough to try against the bad version manually at this time.

I am not worried about trufflehog working with any specific go version. Of
course once it's built it doesn't matter what version of go I have
installed. And I'm not worried about using a non-latest version of
trufflehog. I do in fact want the latest, I just neglected to selfupdate
first. But I figured even without selfupdate, the install of the older
version _should have worked_. I thought it was worth reporting.

What I'm most worried about is that `port install trufflehog` blindly
updated my installed go without asking or telling me first. Generally
speaking, when I update package X, I believe port is generally good at
telling me it also needs to upgrade Y and Z before blindly proceeding to do
more than I explicitly asked it to do. But I suspect that because
trufflehog is built locally from source, it needed to upgrade a *build*
dependency and for that it didn't bother to confirm first.

thanks

On Wed, Aug 2, 2023 at 6:21 AM Dave Allured - NOAA Affiliate <
dave.allu...@noaa.gov> wrote:

> Please read about checksum failures and when to build from source, in the
> MacPorts FAQ.  I would guess that you experienced either an intermittent
> server outage, or a stealth update.  You can self diagnose this by trying a
> manual download with curl.  Examine the result file.
>
> MacPorts is designed to keep users in sync with the latest versions.
> Please read about how to use older port versions in the HOWTO section.  In
> general, using a down level version is not recommended, especially for a
> security tool.  But it is possible.
>
> I would not worry about the golang update.  Either version of trufflehog
> will probably work just fine with either version of golang.
>
>
> On Tue, Aug 1, 2023 at 9:38 PM Frank Cusack via macports-users <
> macports-users@lists.macports.org> wrote:
>
>> excuse the long copy paste at the end, but this way you can see exactly
>> what happened.
>>
>> `sudo port install trufflehog` failed with source checksum failures. i
>> don't know if the checksums were actually bad or if this is an anomaly when
>> fetching the non-latest version. it does mean that i can never install that
>> version of trufflehog, which is sad.
>>
>> anyway i got a hint to update first, so then after `selfupdate` (only! no
>> port upgrades!) and another `sudo port install trufflehog` it worked.
>>
>> BUT it updated my golang!! this reminds me of brew. :( :~(
>>
>> I guess trufflehog is built from source? and it is hard coded to require
>> go-1.20.7? ok, fine but you shouldn't be updating my runtime (vs buildtime)
>> packages at least not without the Y/n prompt like on other implicit
>> upgrades.
>>
>> I then discovered I merely had to activate the older version. OK, but the
>> install/build process should have done this at the end, since I didn't
>> request that upgrade.
>>
>> 1. did the failed version (3.45.3) of trufflehog actually have some error
>> with checksum? or is this a macports anomaly.
>> 2. do you agree macports has a bug re: forced, non-prompted, build deps
>> upgrades?
>>
>> thanks
>>
>> [frank@mbp:~]$ sudo port install trufflehog
>> Password:
>> --->  Computing dependencies for trufflehog
>> --->  Fetching archive for trufflehog
>> --->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
>> https://packages.macports.org/trufflehog
>> --->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
>> http://mirror.fcix.net/macports/packages/trufflehog
>> --->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
>> https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog
>> --->  Fetching distfiles for trufflehog
>> --->  Attempting to fetch trufflehog-3.45.3.tar.gz from
>> https://distfiles.macports.org/go
>> --->  Attempting to fetch trufflehog-3.45.3.tar.gz from
>> https://github.com/trufflesecurity/trufflehog/archive/v3.45.3
>> --->  Verifying checksums for trufflehog
>> Error: Checksum (rmd160) mismatch for trufflehog-3.45.3.tar.gz
>> Error: Checksum (sha256) mismatch for trufflehog-3.45.3.tar.gz
>> Error: Checksum (size) mismatch for trufflehog-3.45.3.tar.gz
>> Error: Failed to checksum trufflehog: Unable to verify file checksums
>> Error: See
>> /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_trufflehog/trufflehog/main.log
>
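
The manual check suggested in the quoted reply (fetch the distfile by hand with curl, then examine it), as an added shell example that is not part of the thread or of MacPorts. The function names and verdict strings are hypothetical; the expected sha256 and size are assumed to be copied from the port's Portfile `checksums` entry, and rmd160 is left out for portability.

```shell
#!/bin/sh
# Added example: triage a distfile that failed `port` checksum verification.
# Function names and verdict strings are hypothetical, not MacPorts output.

# SHA-256 of a file, using whichever common tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Classify by content, not by name: gzip data starts with bytes 1f 8b.
kind_of() {
    magic=$(head -c 2 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = 1f8b ]; then
        echo gzip
    elif head -c 512 "$1" | grep -Eqi '<html|<!doctype'; then
        echo html
    else
        echo unknown
    fi
}

# Compare a file with the expected sha256 and size; print one verdict word.
triage_distfile() {
    file=$1; want_sha=$2; want_size=$3
    [ -f "$file" ] || { echo missing; return 2; }
    got_size=$(wc -c < "$file" | tr -d ' ')
    got_sha=$(sha256_of "$file")
    kind=$(kind_of "$file")
    if [ "$got_sha" = "$want_sha" ] && [ "$got_size" = "$want_size" ]; then
        echo ok; return 0
    fi
    if [ "$kind" != gzip ]; then
        echo "not-a-tarball:$kind"      # error page or partial fetch
    elif [ "$got_size" != "$want_size" ]; then
        echo size-and-hash-differ       # a different archive was served
    else
        echo hash-only-differs          # same length, altered content
    fi
    return 1
}

# Usage: sh triage.sh <downloaded-file> <sha256-from-Portfile> <size-from-Portfile>
if [ "$#" -eq 3 ]; then triage_distfile "$1" "$2" "$3"; fi
```

A `not-a-tarball` verdict fits the server-outage explanation, while a valid gzip file of a different size means the server returned a different archive than the one the Portfile recorded.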

trufflehog checksum fail

2023-08-01 Thread Frank Cusack via macports-users
excuse the long copy paste at the end, but this way you can see exactly
what happened.

`sudo port install trufflehog` failed with source checksum failures. i
don't know if the checksums were actually bad or if this is an anomaly when
fetching the non-latest version. it does mean that i can never install that
version of trufflehog, which is sad.

anyway i got a hint to update first, so then after `selfupdate` (only! no
port upgrades!) and another `sudo port install trufflehog` it worked.

BUT it updated my golang!! this reminds me of brew. :( :~(

I guess trufflehog is built from source? and it is hard coded to require
go-1.20.7? ok, fine but you shouldn't be updating my runtime (vs buildtime)
packages at least not without the Y/n prompt like on other implicit
upgrades.

I then discovered I merely had to activate the older version. OK, but the
install/build process should have done this at the end, since I didn't
request that upgrade.

1. did the failed version (3.45.3) of trufflehog actually have some error
with checksum? or is this a macports anomaly.
2. do you agree macports has a bug re: forced, non-prompted, build deps
upgrades?

thanks

[frank@mbp:~]$ sudo port install trufflehog
Password:
--->  Computing dependencies for trufflehog
--->  Fetching archive for trufflehog
--->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
https://packages.macports.org/trufflehog
--->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
http://mirror.fcix.net/macports/packages/trufflehog
--->  Attempting to fetch trufflehog-3.45.3_0.darwin_22.x86_64.tbz2 from
https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog
--->  Fetching distfiles for trufflehog
--->  Attempting to fetch trufflehog-3.45.3.tar.gz from
https://distfiles.macports.org/go
--->  Attempting to fetch trufflehog-3.45.3.tar.gz from
https://github.com/trufflesecurity/trufflehog/archive/v3.45.3
--->  Verifying checksums for trufflehog
Error: Checksum (rmd160) mismatch for trufflehog-3.45.3.tar.gz
Error: Checksum (sha256) mismatch for trufflehog-3.45.3.tar.gz
Error: Checksum (size) mismatch for trufflehog-3.45.3.tar.gz
Error: Failed to checksum trufflehog: Unable to verify file checksums
Error: See
/opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_security_trufflehog/trufflehog/main.log
for details.
Error: Follow https://guide.macports.org/#project.tickets if you believe
there is a bug.
Error: Processing of port trufflehog failed
[frank@mbp:~]$ sudo port selfupdate
--->  Updating MacPorts base sources using rsync
MacPorts base version 2.8.1 installed,
MacPorts base version 2.8.1 downloaded.
--->  Updating the ports tree
--->  MacPorts base is already the latest version

The ports tree has been updated. To upgrade your installed ports, you
should run
  port upgrade outdated
[frank@mbp:~]$ sudo port install trufflehog
Portfile changed since last build; discarding previous state.
--->  Fetching archive for go
--->  Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from
https://packages.macports.org/go
--->  Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from
http://mirror.fcix.net/macports/packages/go
--->  Attempting to fetch go-1.20.7_0.darwin_22.x86_64.tbz2 from
https://ywg.ca.packages.macports.org/mirror/macports/packages/go
--->  Fetching distfiles for go
--->  Attempting to fetch go1.20.7.src.tar.gz from
https://distfiles.macports.org/go
--->  Attempting to fetch go1.20.7.darwin-amd64.tar.gz from
https://distfiles.macports.org/go
--->  Verifying checksums for go
--->  Extracting go
--->  Configuring go
--->  Building go
--->  Staging go into destroot
--->  Installing go @1.20.7_0
--->  Cleaning go
--->  Deactivating go @1.20.6_0
--->  Cleaning go
--->  Activating go @1.20.7_0
--->  Cleaning go
--->  Computing dependencies for trufflehog
--->  Fetching archive for trufflehog
--->  Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from
https://packages.macports.org/trufflehog
--->  Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from
http://mirror.fcix.net/macports/packages/trufflehog
--->  Attempting to fetch trufflehog-3.46.2_0.darwin_22.x86_64.tbz2 from
https://ywg.ca.packages.macports.org/mirror/macports/packages/trufflehog
--->  Fetching distfiles for trufflehog
--->  Attempting to fetch trufflehog-3.46.2.tar.gz from
https://distfiles.macports.org/go
--->  Verifying checksums for trufflehog
--->  Extracting trufflehog
--->  Configuring trufflehog
--->  Building trufflehog
--->  Staging trufflehog into destroot
--->  Installing trufflehog @3.46.2_0
--->  Activating trufflehog @3.46.2_0
--->  Cleaning trufflehog
--->  Scanning binaries for linking errors
--->  No broken files found.
--->  No broken ports found.
[frank@mbp:~]$ go version
go version go1.20.7 darwin/amd64
[frank@mbp:~]$ sudo port activate go @1.20.6_0
--->  Deactivating go @1.20.7_0
--->  Cleaning go
--->  Activating go @1.20.6_0
--->  Clea