Homebrew-core: highlight 3.35: SHA256 seems to have changed

Created on 1 Mar 2017 · 11 Comments · Source: Homebrew/homebrew-core

Please follow the general troubleshooting steps first:

  • [x] Ran brew update and retried your prior step?
  • [x] Ran brew doctor, fixed as many issues as possible and retried your prior step?
  • [x] Confirmed this is a problem with specific formulae and not Homebrew/brew? If it's a general Homebrew/brew problem please file this issue at https://github.com/Homebrew/brew/issues/new

Bug reports:

highlight source builds now fail due to a SHA256 mismatch:

==> Verifying highlight-3.35.tar.bz2 checksum
Error: SHA256 mismatch
Expected: 29b2111531230317fc6228b5f15ad0839448f20d65256279ac68d08319fa7a75
Actual: 8a14b49f5e0c07daa9f40b4ce674baa00bb20061079473a5d386656f6d236d05
Archive: /Users/rhogg/Library/Caches/Homebrew/highlight-3.35.tar.bz2
To retry an incomplete download, remove the file above.

The actual checksum is listed on the highlight homepage; I didn't see any reference to this change but didn't look too thoroughly.

brew doctor
Please note that these warnings are just used to help the Homebrew maintainers
with debugging if you file an issue. If everything you use Homebrew for is
working fine: please don't worry and just ignore them. Thanks!

Warning: You have unlinked kegs in your Cellar
Leaving kegs unlinked can lead to build-trouble and cause brews that depend on
those kegs to fail to run properly once built. Run `brew link` on these:
  [email protected]
  httpd24
  php70

Warning: Some installed formula are missing dependencies.
You should `brew install` the missing dependencies:
  brew install let-alist php55

Run `brew missing` for more details.

Warning: Some keg-only formula are linked into the Cellar.
Linking a keg-only formula, such as gettext, into the cellar with
`brew link <formula>` will cause other formulae to detect them during
the `./configure` step. This may cause problems when compiling those
other formulae.

Binaries provided by keg-only formulae may override system binaries
with other strange results.

You may wish to `brew unlink` these brews:
  [email protected]
bob@work:Homebrew rhogg (master $)$ brew config
HOMEBREW_VERSION: 1.1.10-432-ge02223960
ORIGIN: https://github.com/Homebrew/brew
HEAD: e022239608ca535fa3b56305eff8dd091b3fc008
Last commit: 3 hours ago
Core tap ORIGIN: https://github.com/Homebrew/homebrew-core
Core tap HEAD: 6f58fd1f1a2aeaf8b0004f78ea65e43fb44cd740
Core tap last commit: 2 hours ago
HOMEBREW_PREFIX: /usr/local
HOMEBREW_REPOSITORY: /usr/local/Homebrew
HOMEBREW_CELLAR: /usr/local/Cellar
HOMEBREW_BOTTLE_DOMAIN: https://homebrew.bintray.com
CPU: octa-core 64-bit haswell
Homebrew Ruby: 2.0.0-p648
Clang: 8.0 build 800
Git: 2.12.0 => /usr/local/bin/git
Perl: /usr/bin/perl
Python: /usr/local/bin/python => /usr/local/Cellar/python/2.7.13/Frameworks/Python.framework/Versions/2.7/bin/python2.7
Ruby: /usr/local/bin/ruby => /usr/local/Cellar/ruby/2.4.0/bin/ruby
Java: 1.8.0_102
macOS: 10.11.6-x86_64
Xcode: N/A
CLT: 8.2.0.0.1.1480973914
X11: 2.7.11 => /opt/X11
upstream issue

All 11 comments

It is signed with a "valid" gpg key, except that it expired February 12, 2017, so I am leery of unconditionally accepting the unexplained change to the SHA256.

The output of gpg2 --verify (using a keyserver):

gpg: Good signature from "Andre Simon (Saalen) <[email protected]>" [expired]
gpg: Note: signature key 50FE0279D805A7C7 expired Sun Feb 12 14:28:52 2017 EST
gpg: Note: This key has expired!
Primary key fingerprint: B8C5 5574 187F 4918 0EDC  7637 50FE 0279 D805 A7C7
gpg: binary signature, digest algorithm SHA256, key algorithm rsa2048
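
The case this comment describes, a good signature made by an expired key on a tarball whose SHA256 no longer matches the pinned value, can be told apart mechanically from gpg's `--status-fd` keywords. The Ruby below is an added example, not part of the thread or of Homebrew's code; `signature_verdict`, `review_archive`, the sample status lines and the accept/hold/reject policy are assumptions made for illustration.

```ruby
require "digest"

# Signature keywords gpg writes with --status-fd, mapped to a verdict.
SIG_VERDICTS = {
  "GOODSIG"   => :good,
  "EXPSIG"    => :expired_signature,
  "EXPKEYSIG" => :expired_key, # good signature, but the signing key has expired
  "REVKEYSIG" => :revoked_key,
  "BADSIG"    => :bad,
  "ERRSIG"    => :unverifiable,
}.freeze

# Returns [verdict, key_id]; any non-good signature line wins over a good one.
def signature_verdict(status_output)
  found = status_output.each_line.map do |line|
    prefix, keyword, key_id = line.split
    [SIG_VERDICTS[keyword], key_id] if prefix == "[GNUPG:]" && SIG_VERDICTS.key?(keyword)
  end.compact
  found.find { |verdict, _| verdict != :good } || found.first || [:no_signature, nil]
end

# Triage for an archive whose digest may no longer match the pinned one.
# Assumed policy: a changed digest is never accepted silently.
def review_archive(data, pinned_sha256, status_output, trusted_key_id)
  actual = Digest::SHA256.hexdigest(data)
  return { action: :accept, actual: actual } if actual == pinned_sha256

  verdict, key_id = signature_verdict(status_output)
  # gpg may report a long key ID or a full fingerprint; both end in the key ID.
  trusted = key_id.to_s.end_with?(trusted_key_id)
  if !trusted || !%i[good expired_key expired_signature].include?(verdict)
    { action: :reject, actual: actual, reason: "signature #{verdict}, key #{key_id.inspect}" }
  elsif verdict == :good
    { action: :hold, actual: actual, reason: "contents changed under the same version" }
  else
    { action: :hold, actual: actual, reason: "#{verdict}: request a freshly signed release" }
  end
end

# Constructed sample: status lines shaped like gpg's for the case in the thread.
SAMPLE_STATUS = <<~STATUS
  [GNUPG:] NEWSIG
  [GNUPG:] EXPKEYSIG 50FE0279D805A7C7 Andre Simon (Saalen) <signer@example.invalid>
STATUS

if $PROGRAM_NAME == __FILE__
  pinned = Digest::SHA256.hexdigest("constructed original tarball")
  p review_archive("constructed replaced tarball", pinned, SAMPLE_STATUS, "50FE0279D805A7C7")
end
```
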

> It is signed with a "valid" gpg key, except that it expired February 12, 2017, so I am leery of unconditionally accepting the unexplained change to the SHA256.

Yikes! Yeah, I wouldn't accept it without explanation either. (After all, if we did, what security would the checksums offer?)

This looks to be the source of the issue. It appears that svn r196 was created without modifying the version number and then the repository was redistributed as a drop-in replacement.

@ilovezfs any thoughts regarding what course of action should be taken?

I think we should request a version change plus a new tarball signed with a non-expired signature.

Request for an updated tag made Sat Mar 11 17:44:47 UTC 2017

For everyone else having issues upgrading their packages: using brew pin highlight made Homebrew exclude highlight from being upgraded and from making the whole upgrade fail because of the checksum mismatch.

:champagne:

Thanks a bunch for this @JCount!

@rwhogg No problem! 😄
