MD5 sum of the packages are wrong

[sroze]

The MD5 sums of archives are wrong in the composer.lock file. So basically, the following composer error is displayed when running composer install:

[UnexpectedValueException]
The checksum verification of the file failed (downloaded from ../../artifact/my-package_0.0.2.zip)

To reproduce it, we'll need to simply delete the application's vendor directory and clear the composer cache.

[gavinlove]

If you are getting that error then you have probably made a change to the packages composer.json without incrementing the package version.

[gavinlove]

Which version of composer are you using and which platform are you running it on?

[sroze]

@gavinlove here's the command lines to reproduce it with the todo example:

git clone [email protected]:mybuilder/conductor.git
cd conductor/examples/todo
composer install
cd app/cli
composer install
rm -rf vendor ~/.composer/cache/files/mybuilder/todo-package ../../artifact/*
composer install

And I'm using composer 1.0.0-alpha10 on OS X. I'm pretty sure that it's just because the ZIP artifacts are zipped again, and the zip archive might contain some timestamp-related informations...

[CyExy]

Jep, known issue. When re-ziping the same file it produces a different checksum. Currently we just commit all the artifacts with the change-set. Not ideal but does the trick and the artifact files aren't that big either.

[gavinlove]

Looks like this is a common problem with statis as well. composer/composer#1496

[sroze]

And which is still in discussion in composer/composer#2540. I'm really not fond of committing artifacts to be honest, but that looks to be the only way right now.

[jurajseffer]

I think we can fix this by setting shasum to "" during fixing of composer.lock after update/install for packages installed using conductor.