Magento2: The checksum verification of the file failed (downloaded from https://repo.magento.com/archives/vertex/sdk/vertex-sdk-1.0.0.0.zip)

Hi @andkirby. Thank you for your report.
To help us process this issue please make sure that you provided the following information:

• [ ] Summary of the issue
• [ ] Information on your environment
• [ ] Steps to reproduce
• [ ] Expected and actual results

Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:

@magento-engcom-team give me $VERSION instance

where $VERSION is version tags (starting from 2.2.0+) or develop branches (for example: 2.3-develop).
For more details, please, review the Magento Contributor Assistant documentation.

@andkirby do you confirm that you was able to reproduce the issue on vanilla Magento instance following steps to reproduce?

• [ ] yes
• [ ] no

After the command composer update vertex/sdk we have gotten following changes in shasum:

• klarna/module-core:4.5.2: b434a11d52d99870d56d448386c4722287941a0f => c78a12a5a07994a88502eb09729605bc192d5840
• klarna/module-kp:5.5.1: a99c65ebe2a6af8ec806cf8d6a7c75e39c4a18e7 => 6d3f2da488e6d009ab233c403e9293307095bbf7
• klarna/module-ordermanagement: 022eee35916f78bfc8dd67e2f73304f735580d96 => 84b12ec97c86d08129aca53bd612051f15e90874
• vertex/sdk:1.0.0: f57d48ec0d4f79bef9daefa5364c1e67d621e22c => 6c7ed091879e66d75faf95fed7e48751693c68c7

Hi @engcom-backlog-nazar. Thank you for working on this issue.
In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:

• [ ] 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).
  Details

  If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.

• [ ] 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

• [ ] 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

• [ ] 4. Verify that the issue is reproducible on 2.3-develop branch

  Details

  - Add the comment @magento-engcom-team give me 2.3-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.3-develop branch, please, add the label Reproduced on 2.3.x.
  - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and _stop verification process here_!
  

• [ ] 5. Verify that the issue is reproducible on 2.2-develop branch.

  Details

  - Add the comment @magento-engcom-team give me 2.2-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.2-develop branch, please add the label Reproduced on 2.2.x

• [ ] 6. Add label Issue: Confirmed once verification is complete.

• [ ] 7. Make sure that automatic system confirms that report has been added to the backlog.

Hi @andkirby , thank you for you report, The GitHub issue tracker is intended for Magento Core technical issues only.
Please refer to the Community Forums or the Magento Stack Exchange site for advice or general discussion about this issue.

@engcom-backlog-nazar This should be considered a Magento Core Technical issue.

That package is hosted on repo.magento.com and it's a default Magento dependency.
This is not the first time that some weird operation performed on repo.magento.com breaks existing installations, see #16129. Probably there is some procedure (manual or automatic) that is failing.

@giacmir ok, i'm understand, but now i'm try to update vertex and have no error with checksum.

The issue happens when you have vertex/sdk already in composer.lock from before the checksum on server changed. If you install or update it now you won't have any error.

What I'm reporting is that in some occasions packages in repo.magento.com change their content without a change in the version number (possibily some git push --tags --force?). This causes existing installations to fail when package is re-downloaded from the same composer.lock with the old checksum.

If you install Magento now it works, if you installed it, say, three days ago and today you do a composer install of the old instance it will fail.

@giacmir thanks now clear. I'm leave this open

In case someone is looking for a temporary workaround:

curl -S https://<public key>:<private key>@repo.magento.com/packages.json > /tmp/packages.json
cat /tmp/packages.json | python -m json.tool | grep -A 20 '"vertex/sdk": {' | grep shasum

Update your composer.lock vertex/sdk entry with that sha and you should be good to go.

Cannot find vertex/sdk package on project deploy:

$ composer create-project --repository-url=https://repo.magento.com/ magento/project-community-edition=2.3.* --stability=beta
Installing magento/project-community-edition (2.3.0-beta32)
...

  Problem 1
    - vertex/module-tax 2.2.1-beta3 requires vertex/sdk ^1.0.0 -> no matching package found.
    - magento/product-community-edition 2.3.0-beta32 requires vertex/module-tax 2.2.1-beta3 -> satisfiable by vertex/module-tax[2.2.1-beta3].
    - Installation request for magento/product-community-edition 2.3.0-beta32 -> satisfiable by magento/product-community-edition[2.3.0-beta32].
...

May be this idea is right: "_Probably there is some procedure (manual or automatic) that is failing._"

The same...

I've decided to create archive as a workaround.
1) archive vendor/vertex/sdk into ZIP file
2) put it into some path like modules/archives
3) add this path as artifact in composer.json

{
    "repositories": {
        "archives": {
            "type": "artifact",
            "url": "./modules/archives"
        }
    }
}

4) run composer update vertex/sdk to update your composer.lock file

If you lost source files -- I can share.

@MichaelThessel, there is a bit easier way to update your composer.lock file -- just run:

composer update vertex/sdk

Actually, there are several broken packages.

Magento 2.3.0 is here:

Installing magento/project-community-edition (2.3.0)
  - Installing magento/project-community-edition (2.3.0): Downloading (100%)         
Created project in /home/alexg/instance/sample_mage2_app/work
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 390 installs, 0 updates, 0 removals

no more vertex/sdk ^1.0.0 failure for now.

I started my project with the 2.3 beta (now running the actual 2.3 version) and just had the checksum mismatch happen to me. It was fixed by deleting the vendor/vertex/sdk which somehow forced composer to re-download the actual package and update with the correct checksum. The composer update vertex/sdk did not seem to update my checksum because it was using the old one.

The @MichaelThessel trick is also a good one to check if everything is fine.

Why we have to go through all that is beyond me, though.

Hi @dmytro-ch. Thank you for working on this issue.
In order to make sure that issue has enough information and ready for development, please read and check the following instruction: :point_down:

• [x] 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).
  Details

  If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.

• [x] 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

• [x] 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

• [x] 4. Verify that the issue is reproducible on 2.3-develop branch

  Details

  - Add the comment @magento-engcom-team give me 2.3-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.3-develop branch, please, add the label Reproduced on 2.3.x.
  - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and _stop verification process here_!
  

• [ ] 5. Verify that the issue is reproducible on 2.2-develop branch.

  Details

  - Add the comment @magento-engcom-team give me 2.2-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.2-develop branch, please add the label Reproduced on 2.2.x

• [x] 6. Add label Issue: Confirmed once verification is complete.

• [x] 7. Make sure that automatic system confirms that report has been added to the backlog.

@dmytro-ch Thank you for verifying the issue. Based on the provided information internal tickets MAGETWO-97308 were created

This package vertex/sdk 1.0.0 hasn't been changed since ~ Nov 19th, but it is likely that the same version was overridden which was live. We are looking into the publication process if an identical package and version is being re-zipped and overwriting it even if there are no changes.

Note: re-zipping same contents can change the shasum of the zip file even if there were no changes.

The correct shasum here is 6c7ed091879e66d75faf95fed7e48751693c68c7

If you are running into shasum error here, try composer clear-cache and/or updating the composer.lock file with the aforesaid shasum for this package.

This issue is not reproducible on 2.3
Tested on different servers with the same shasum in composer.lock and it passed through.

To make it work (this is not fix, this is to bypass someone's bad decisions):

1. rm -rf vendor/vertex
2. rm -rf ~/.cache/composer/files/vertex or rm -rf ~/.composer/cache/files/vertex (depeneds on OS)
3. composer update vertex/module-tax

That will download new zip, with different checksum. I'm pissed of changing module files without changing the version, that is bad practise and it's not only for the vertex package. I had problems with magento/composer package in the past.

That problem blocked our team for a good chunk of time and I understand the frustration of developers on that subject, especially those, who use deployment process installing packages on infrastructure with multiple machines.

I think it is ridiculous that such things are happening.

@rafael-shkembi - It happened to me yesterday on 2.3 instance.

Personally I think, that this issue is Magento independent and can only be truly fixed by applying the authors of the package to good practices. The bad part is that they cannot roll back it, because one half of developers updated the package and second half have not and one package cannot exist in two checksum simultaneously. We can only have hope that this will never happen again.

Hello @andkirby and @dudzio12

It seems this issue has been already fixed and cannot be reproduced on the latest codebase.
I am closing this issue but
If you still faced this issue on 2.3.3 feel free to reopen or create new Issue with all required details according to Issue reporting guidelines

Hi @sdzhepa, thanks for the update. That's about composer repository only.
And it was fixed ages ago. ;)