badaix/snapcast

SHA256 Mismatch on Homebrew Install

Closed this issue · 7 comments

Describe the bug
Not sure if this is a Snapcast packaging issue or a Homebrew issue. If it's Homebrew just let me know and I'll work with them.

Installing Snapcast via Homebrew (brew install snapcast) produces a sha256 mismatch and aborts the install.

Steps to Reproduce

  1. Run brew install snapcast
  2. Wait for install to fail

Environment details

  • OS: Ubuntu server and Fedora SilverBlue
  • Snapcast version 0.28.0
  • Install via Homebrew

Attach logfile if applicable
N/A

Error: snapcast: SHA256 mismatch
Expected: ce7edf2db19835c0c4c2bf47af3bc3088a4740144df10fead9e7fb2741b8b51e
  Actual: 7911037dd4b06fe98166db1d49a7cd83ccf131210d5aaad47507bfa0cfc31407

Troubleshooting Steps Taken:

I don't have a lot of experience with Homebrew so I may be off base here.

I've received this error on multiple machines. I've tried clearing the brew cache as recommended at the end of the failed install. No luck there.

I did some digging and downloaded the Homebrew package manually. Running sha256sum against that file produces the 7911... hash. However, looking at the snapcast.rb code, line 5 has the expected hash as ce7e...

It looks like the snapcast.rb file just needs to be updated with the correct hash. If I can offer any other helpful info let me know.

I'm having the same issue on macOS

Yes, looks like the snapcast.rb is using the wrong checksum. This issue must be fixed in the homebrew project, you should file an issue at homebrew or make a PR.

I've opened an issue with the homebrew-core repo. I'll make a PR as well.

Homebrew/homebrew-core#177612

Since the checksum is checked in CI it appears that the release was at some point using that checksum.
The git manual says re-tagging is "the insane thing" to do, so it would be good to check if it's that or the release has been compromised.

@SMillerDev That's fair. Homebrew is pulling from https://github.com/badaix/snapcast/archive/refs/tags/v0.28.0.tar.gz . @badaix do you think this was just an oversight somewhere or something more malicious?

Sorry, this was my fault. As far as I remember, I found a bug in the context of Snapdroid, which pulls tagged versions of Snapcast in the CI build; I fixed the bug and moved the tag.
I wasn't aware that other third parties are triggering on tags. Very important insight. I will not do this in the future, but rather make another dot release instead for fixes.
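The check that caught the moved tag in this thread is a plain digest comparison of the downloaded archive against a pinned SHA256. The following is an added example, not Homebrew's or Snapcast's own code, showing that check as a small POSIX shell function that reports a mismatch in the same "Expected/Actual" form as the Homebrew error above. The file name, the `verify_sha256` and `file_sha256` helper names, and the `demo` sample input are assumptions for illustration; the demo hashes a constructed local file rather than fetching anything.

```shell
#!/bin/sh
# Added example (not Homebrew's or Snapcast's code): verify a downloaded
# release archive against a pinned SHA256 before using it. A mismatch is
# the signal that the artifact behind a tag changed (as in this issue) and
# should be investigated rather than worked around.

# Print the SHA256 of a file. Uses coreutils sha256sum when present and
# falls back to shasum -a 256 (macOS).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED
# Returns 0 when FILE's digest equals EXPECTED (case-insensitive hex),
# otherwise prints both digests to stderr and returns 1.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(file_sha256 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "Error: $file: SHA256 mismatch" >&2
    echo "Expected: $expected" >&2
    echo "  Actual: $actual" >&2
    return 1
}

# Demonstration on a constructed file. The digest of the bytes "hello\n"
# is a well-known value; a real caller would pass the downloaded tarball
# and the digest pinned in the formula or lockfile instead.
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    verify_sha256 "$tmp" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    status=$?
    rm -f "$tmp"
    return $status
}
```

Run `demo` to see the matching case, or call `verify_sha256 <archive> <pinned-digest>` directly; a non-zero exit is the point at which a build should stop and the tag history be checked, which is exactly what the thread did.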

Thanks for checking into this! There's definitely a lot of moving pieces between all this stuff. Should I close the homebrew-core issue and wait for a dot release? Or is there something we still need to do with them?