Double-pushed jar has checksum validation error


Chris Ford

Dec 23, 2012, 9:20:56 AM
to clo...@googlegroups.com
Hi,

I just pushed a new version of a small library I'm writing called Leipzig. It had all the required metadata, so I saw and pressed the "promote" button.

Immediately, I realised that I hadn't updated the README.md, so before announcing the release I updated that and committed - then pushed the jar again so that the "this commit" link would be correct. I got the following error:

Could not transfer artifact leipzig:leipzig:pom:0.2.0 from/to clojars (https://clojars.org/repo/): Access denied to:https://clojars.org/repo/leipzig/leipzig/0.2.0/leipzig-0.2.0.pom, ReasonPhrase:Forbidden.
Failed to deploy artifacts: Could not transfer artifact leipzig:leipzig:pom:0.2.0 from/to clojars (https://clojars.org/repo/): Access denied to: https://clojars.org/repo/leipzig/leipzig/0.2.0/leipzig-0.2.0.pom, ReasonPhrase:Forbidden.

However, the "this commit" link was updated, so I assumed that somehow everything had worked out.

But... when I tried to consume the new jar in another project, I got this error:

Could not transfer artifact leipzig:leipzig:pom:0.2.0 from/to clojars (https://clojars.org/repo/): Checksum validation failed, expected 04024f13f0f71c93797067e42927ba01fd4b981a but is 621409f935fa6cca7b28a8792283c0a31da683dc
Check :dependencies and :repositories for typos.
It's possible the specified jar is not in any repository.
If so, see "Free-floating Jars" under http://j.mp/repeatability

I'm guessing that the metadata and jar might now be out of sync? Is there any way I can fix this? I thought that pushing a new jar would just overwrite everything, but that appears to not be the case.

Cheers,

Chris

Chris Ford

Dec 23, 2012, 10:39:05 AM
to clo...@googlegroups.com
I should clarify that I have a GPG key and used "lein deploy clojars" to get the jar up.

Nelson Morris

Dec 24, 2012, 4:59:50 PM
to clo...@googlegroups.com
When you did the promotion and leipzig went to the releases repo,
clojars should have made leipzig 0.2.0 immutable. Unfortunately there
is a bug that allowed the pom file to be saved to the classic repo
before checking if it should. Once it was checked an error was sent
back that prevented lein from sending the signature file.

Currently the classic repo has the new pom and old pom signature, the
releases repo contains the old pom file, and old pom signature. I'm
happy to manually revert the pom in the classic repo and suggest a
0.2.1 version for the readme update.
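
Added example (not part of the original thread, and not Clojars or Leiningen code): a sketch of the consistency check a Maven-style client applies, run over a repository version directory to spot the half-overwritten state described above. It assumes the usual Maven layout of `<file>.sha1` and `<file>.asc` sidecars next to each artifact; the `example-lib` files and their contents are constructed, and the presence of an `.asc` file is only noted, not cryptographically verified.

```python
import hashlib
import tempfile
from pathlib import Path


def sha1_hex(path: Path) -> str:
    """SHA-1 of the file contents, as lowercase hex."""
    return hashlib.sha1(path.read_bytes()).hexdigest()


def audit_repo_dir(version_dir: Path) -> dict:
    """Check each artifact in a Maven-layout version directory against its
    .sha1 sidecar and note whether a detached .asc signature file exists."""
    report = {}
    for artifact in sorted(version_dir.iterdir()):
        if artifact.suffix in {".sha1", ".md5", ".asc"}:
            continue  # sidecars are checked through their artifact
        sidecar = artifact.with_name(artifact.name + ".sha1")
        if not sidecar.exists():
            status = "no-checksum"
        else:
            # Sidecars hold either "<hex>" or "<hex>  <filename>".
            tokens = sidecar.read_text().split()
            expected = tokens[0].lower() if tokens else ""
            actual = sha1_hex(artifact)
            status = ("ok" if expected == actual
                      else f"mismatch expected {expected} but is {actual}")
        signed = artifact.with_name(artifact.name + ".asc").exists()
        report[artifact.name] = (status, signed)
    return report


def build_sample() -> Path:
    """Constructed sample: the pom is overwritten after its sidecars exist."""
    d = Path(tempfile.mkdtemp()) / "example-lib" / "0.0.1"
    d.mkdir(parents=True)
    pom, jar = d / "example-lib-0.0.1.pom", d / "example-lib-0.0.1.jar"
    pom.write_bytes(b"<project>old pom</project>")
    (d / (pom.name + ".sha1")).write_text(sha1_hex(pom) + "\n")
    (d / (pom.name + ".asc")).write_text("constructed placeholder signature\n")
    jar.write_bytes(b"constructed jar bytes")
    (d / (jar.name + ".sha1")).write_text(f"{sha1_hex(jar)}  {jar.name}\n")
    pom.write_bytes(b"<project>new pom</project>")  # partial re-deploy
    return d


if __name__ == "__main__":
    for name, (status, signed) in audit_repo_dir(build_sample()).items():
        print(f"{name}: {status}, signature file present: {signed}")
```

A stale signature file would pass the presence check here; confirming it against the current pom needs an actual GPG verification with the publisher's public key.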

Chris Ford

Dec 25, 2012, 8:39:30 AM
to clo...@googlegroups.com

Sounds great. I don't mind doing a point release - I just don't want a broken release up on Clojars.

Thanks!

Chris

Nelson Morris

Dec 25, 2012, 9:06:29 AM
to clo...@googlegroups.com
I've rolled back leipzig-0.2.0.pom to what was in the release repo. I
am able to pull it as a dependency with lein -preview10 and lein
master. I tried doing a `lein :deps verify` to make sure the
signature was good (it should be), but it didn't find the key on a
keyserver. I'd recommend pushing it if you haven't already.

gpg: requesting key BA735372 from hkp server keys.gnupg.net
gpgkeys: key BA735372 not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
:no-key [leipzig "0.2.0"]

Chris Ford

Jan 13, 2013, 1:41:15 AM
to clo...@googlegroups.com
I'm now able to use the original leipzig-0.2.0 fine. Thanks for your help.

(Sorry for the delay in replying - I was travelling without a laptop).

Chris