curl checksum error

Fri Dec 20 01:34:45 PST 2013

On Dec 19, 2013, at 20:40, Jeremy Lavergne wrote:

> Kok-Yong Tan wrote:
> 
>> --->  Verifying checksum(s) for curl-ca-bundle
>> DEBUG: Executing org.macports.checksum (curl-ca-bundle)
>> --->  Checksumming curl-7.19.7.tar.bz2
>> DEBUG: Correct (md5) checksum for curl-7.19.7.tar.bz2
>> DEBUG: Correct (sha1) checksum for curl-7.19.7.tar.bz2
>> DEBUG: Correct (rmd160) checksum for curl-7.19.7.tar.bz2
>> --->  Checksumming certdata-1.57.txt
>> Error: Checksum (md5) mismatch for certdata-1.57.txt
>> Portfile checksum: certdata-1.57.txt md5
>> 85e459aa8dcdddda6438216b67c6b7bb
>> Distfile checksum: certdata-1.57.txt md5
>> 3eb8b780f5bcce60bee40f66b9ad23c4
>> Error: Checksum (sha1) mismatch for certdata-1.57.txt
>> Portfile checksum: certdata-1.57.txt sha1
>> 678d65dd3c1d1243d58668377ca945b17f33fba0
>> Distfile checksum: certdata-1.57.txt sha1
>> 07f9f6c8a3be4473497fe89174a32d32eb66bdd7
>> Error: Checksum (rmd160) mismatch for certdata-1.57.txt
>> Portfile checksum: certdata-1.57.txt rmd160
>> 0a935823e5c5f533f987daaec9a845fcce31f186
>> Distfile checksum: certdata-1.57.txt rmd160
>> bc21321abe4cf27418880c4ce8e6ebd329df82a1
> 
> File checksums being incorrect might indicate someone is feeding you a hacked curl package. It means the download shouldn't be trusted.

The curl source code’s checksums verified correctly. The certdata.txt file’s checksums didn’t. certdata.txt is an unversioned distfile upstream (we pull it directly from their repository) so checksum mismatches for this file used to be common, however we fixed that in the port by instructing it to only fetch from that repository for a short while after the port is updated, and to fetch from the MacPorts mirrors thereafter. So presumably the file was simply downloaded incorrectly or incompletely and it should be tried again.

> Clean it (port clean --dist curl) and try again.

Yes, just like that.

Alternately, note that the curl-ca-bundle port will be phased out soon in favor of the certsync port. You can get a head start on this change by installing the certsync port now, instead of the curl-ca-bundle port.