BUG #17918: Checksum failed while sync repos for a package

Started by PG Bug reporting form, almost 3 years ago, 3 messages, bugs
#1 PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 17918
Logged by: Sureshkumar G
Email address: suresh.kumar@d4t4solutions.com
PostgreSQL version: 12.0
Operating system: CentOS7
Description:

We're using a Foreman satellite server and we tried to sync the PostgreSQL 12 repo
from https://download.postgresql.org/ and are facing a failed checksum error for
the package below.

Package: pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm

Error:
"A file located at the url
http://download.postgresql.org/pub/repos/yum/12/redhat/rhel-7.0-x86_64/pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
failed validation due to checksum."

We validated the checksum and it looks like the two are different.

sha256sum pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
cd752ab10807898f4451c2a9cbf9782f6ed91273b0d62fb0d8746dcfee067bb9  pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm

</package>
<package pkgid="899efe5f0c404d870c7fd8900b66bb72c54548c0cd5152a60b09d5133514d559" name="pg_auto_failover_12-llvmjit" arch="x86_64">

Can you please look into it and also let me know if there is any security risk
if we skip the checksum for this package?

#2 Devrim GÜNDÜZ
devrim@gunduz.org
In reply to: PG Bug reporting form (#1)
Re: BUG #17918: Checksum failed while sync repos for a package

Hi,

Thanks for the report.

It looks like an rsync issue, but please don't skip checksums until I
confirm (which will happen until later tonight)

Regards, Devrim

On Wed, 2023-05-03 at 11:43 +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference:      17918
> Logged by:          Sureshkumar G
> Email address:      suresh.kumar@d4t4solutions.com
> PostgreSQL version: 12.0
> Operating system:   CentOS7
> Description:
>
> We're using a Foreman satellite server and we tried to sync the PostgreSQL 12
> repo from https://download.postgresql.org/ and are facing a failed checksum
> error for the package below.
>
> Package: pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
>
> Error:
> "A file located at the url
> http://download.postgresql.org/pub/repos/yum/12/redhat/rhel-7.0-x86_64/pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
> failed validation due to checksum."
>
> We validated the checksum and it looks like the two are different.
>
> sha256sum pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
> cd752ab10807898f4451c2a9cbf9782f6ed91273b0d62fb0d8746dcfee067bb9  pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
>
> </package>
> <package pkgid="899efe5f0c404d870c7fd8900b66bb72c54548c0cd5152a60b09d5133514d559" name="pg_auto_failover_12-llvmjit" arch="x86_64">
>
> Can you please look into it and also let me know if there is any security
> risk if we skip the checksum for this package?

--
Devrim Gündüz
Open Source Solution Architect, PostgreSQL Major Contributor
Twitter: @DevrimGunduz , @DevrimGunduzTR

#3 Devrim GÜNDÜZ
devrim@gunduz.org
In reply to: PG Bug reporting form (#1)
Re: BUG #17918: Checksum failed while sync repos for a package

Hi,

On Wed, 2023-05-03 at 11:43 +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference:      17918
> Logged by:          Sureshkumar G
> Email address:      suresh.kumar@d4t4solutions.com
> PostgreSQL version: 12.0
> Operating system:   CentOS7
> Description:
>
> We're using a Foreman satellite server and we tried to sync the PostgreSQL 12
> repo from https://download.postgresql.org/ and are facing a failed checksum
> error for the package below.
>
> Package: pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
>
> Error:
> "A file located at the url
> http://download.postgresql.org/pub/repos/yum/12/redhat/rhel-7.0-x86_64/pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
> failed validation due to checksum."
>
> We validated the checksum and it looks like the two are different.
>
> sha256sum pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
> cd752ab10807898f4451c2a9cbf9782f6ed91273b0d62fb0d8746dcfee067bb9  pg_auto_failover_12-llvmjit-1.6.3-1.rhel7.x86_64.rpm
>
> </package>
> <package pkgid="899efe5f0c404d870c7fd8900b66bb72c54548c0cd5152a60b09d5133514d559" name="pg_auto_failover_12-llvmjit" arch="x86_64">
>
> Can you please look into it and also let me know if there is any security
> risk if we skip the checksum for this package?

I can confirm that this is caused by signing unsigned packages last
week, but rsync failing to update main server(s). So this is *not* a
security issue.

However, as a precaution, I removed problematic packages from the
repository. They were too old anyway. I did not want to push updated
checksums for the same packages.

Please let me know if this solves your problem.

Again, thanks for the report.

Regards,
--
Devrim Gündüz
Open Source Solution Architect, PostgreSQL Major Contributor
Twitter: @DevrimGunduz , @DevrimGunduzTR
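
The cause confirmed in #3, packages signed after the repository metadata had already recorded their checksums, follows from the RPM file layout: signing rewrites the signature header that sits after the 96-byte lead, so the whole-file SHA-256 changes while the main header and payload stay byte-identical. The sketch below is an added example, not code from the thread or from the PostgreSQL packaging tools; the function names are hypothetical and the sample packages are constructed bytes, not real RPMs.

```python
import hashlib
import struct

LEAD_SIZE = 96                       # fixed-size legacy lead at the start of every RPM
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header-structure magic plus version byte


def signature_region_end(rpm: bytes) -> int:
    """Offset where the signature header (including padding) ends."""
    if rpm[:4] != LEAD_MAGIC:
        raise ValueError("bad lead magic: not an RPM")
    intro = rpm[LEAD_SIZE:LEAD_SIZE + 16]
    if len(intro) < 16 or intro[:4] != HEADER_MAGIC:
        raise ValueError("signature header missing")
    # Bytes 8..16 of the intro: index-entry count and data-store size, big-endian.
    nindex, hsize = struct.unpack(">II", intro[8:])
    end = LEAD_SIZE + 16 + nindex * 16 + hsize
    end += -end % 8                  # main header starts on an 8-byte boundary
    if end > len(rpm):
        raise ValueError("truncated signature header")
    return end


def compare(a: bytes, b: bytes) -> str:
    """Classify how two copies of one package differ."""
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return "identical"
    body_a = a[signature_region_end(a):]
    body_b = b[signature_region_end(b):]
    return "signature-only" if body_a == body_b else "content-changed"


def toy_rpm(sig_tags: int, sig_data: bytes, body: bytes) -> bytes:
    """Constructed sample: lead + signature header + opaque header/payload bytes."""
    lead = LEAD_MAGIC.ljust(LEAD_SIZE, b"\0")
    intro = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", sig_tags, len(sig_data))
    sig = intro + b"\0" * (16 * sig_tags) + sig_data
    return lead + sig + b"\0" * (-len(sig) % 8) + body


BODY = b"main header and payload (constructed)"
UNSIGNED = toy_rpm(1, b"digest-only", BODY)
SIGNED = toy_rpm(2, b"digest-only" + b"openpgp-signature-bytes", BODY)
TAMPERED = toy_rpm(2, b"digest-only" + b"openpgp-signature-bytes", BODY + b"!")

if __name__ == "__main__":
    for name, pkg in (("signed", SIGNED), ("tampered", TAMPERED)):
        print(name, hashlib.sha256(pkg).hexdigest()[:16], compare(UNSIGNED, pkg))
```

A `signature-only` result only localises the difference to the signature header; whether the new signature is trustworthy is still decided by checking it against the repository's GPG key, for example with `rpm -K`.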