MD5 sum of the packages are wrong
Closed this issue · 7 comments
The MD5 sums of archives are wrong in the composer.lock file. So basically, the following composer error is displayed when running composer install:
[UnexpectedValueException]
The checksum verification of the file failed (downloaded from ../../artifact/my-package_0.0.2.zip)
To reproduce it, we'll need to simply delete the application's vendor directory and clear the composer cache.
If you are getting that error then you have probably made a change to the package's composer.json without incrementing the package version.
Which version of composer are you using and which platform are you running it on?
@gavinlove here are the command lines to reproduce it with the todo example:
git clone git@github.com:mybuilder/conductor.git
cd conductor/examples/todo
composer install
cd app/cli
composer install
rm -rf vendor ~/.composer/cache/files/mybuilder/todo-package ../../artifact/*
composer install
And I'm using composer 1.0.0-alpha10 on OS X. I'm pretty sure that it's just because the ZIP artifacts are zipped again, and the zip archive might contain some timestamp-related information...
Jep, known issue. When re-zipping the same file it produces a different checksum. Currently we just commit all the artifacts with the change-set. Not ideal but does the trick and the artifact files aren't that big either.
Looks like this is a common problem with Satis as well. composer/composer#1496
And which is still in discussion in composer/composer#2540. I'm really not fond of committing artifacts to be honest, but that looks to be the only way right now.
I think we can fix this by setting shasum to "" during fixing of composer.lock after update/install for packages installed using conductor.
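
The re-zipping behaviour discussed in this thread, as an added example that is not part of the original issue or of conductor's code: the same files zipped with different entry timestamps hash differently, while fixing the timestamp, entry order and permissions gives a byte-identical archive whose checksum can stay in the lock file. Python is used for illustration; the file names, contents and timestamps are constructed, and SHA-1 stands in for whichever digest the lock file records.

```python
import hashlib
import io
import zipfile

# Constructed sample package contents (not taken from the conductor repository).
FILES = {
    "composer.json": b'{"name": "example/my-package", "version": "0.0.2"}\n',
    "src/Todo.php": b"<?php\nclass Todo {}\n",
}

# Earliest timestamp the ZIP format can store; used as the fixed build time.
FIXED_TIME = (1980, 1, 1, 0, 0, 0)


def build_zip(files, mtime):
    """Zip `files` in memory, stamping every entry with `mtime`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):              # fixed entry order
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3              # same header on every platform
            info.external_attr = 0o644 << 16    # fixed permissions
            zf.writestr(info, files[name])
    return buf.getvalue()


def digest(data):
    """Hash of the archive bytes; any hash over the bytes behaves the same."""
    return hashlib.sha1(data).hexdigest()


def naive_rebuild_differs():
    # Same content, archived five minutes apart: the stored timestamps
    # change the archive bytes, so the recorded checksum no longer matches.
    first = build_zip(FILES, (2014, 3, 1, 10, 0, 0))
    second = build_zip(FILES, (2014, 3, 1, 10, 5, 0))
    return digest(first) != digest(second)


def deterministic_rebuild_matches():
    # Same content with pinned metadata: byte-identical archives.
    return digest(build_zip(FILES, FIXED_TIME)) == digest(build_zip(FILES, FIXED_TIME))


if __name__ == "__main__":
    print("naive rebuild changes checksum:", naive_rebuild_differs())
    print("deterministic rebuild keeps checksum:", deterministic_rebuild_matches())
```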