Failing to install bootstrap when using github credentials

[Zaar Hai]

Hi guys,

I have a strange issue when trying to use jspm install with credentials - I can not install bootstrap from github, but can install other packages.

If I remove the JSPM_GITHUB_AUTH_TOKEN variable, the install goes fine.

What I did is to create a new github user, generate a token and use it with jspm. Here is what fails:

$ JSPM_GITHUB_AUTH_TOKEN=<secret> ./node_modules/.bin/jspm install github:twbs/bootstrap

Package.json file does not exist, create it? [yes]:

Would you like jspm to prefix the jspm package.json properties under jspm? [yes]:

Enter server baseURL (public folder path) [./]:

Enter jspm packages folder [./jspm_packages]:

Enter config file path [./config.js]:

Configuration file config.js doesn't exist, create it? [yes]:

Enter client baseURL (public folder URL) [/]:

Do you wish to use a transpiler? [yes]:

Which ES6 transpiler would you like to use, Babel, TypeScript or Traceur? [babel]:

     Looking up github:twbs/bootstrap

     Updating registry cache...

     Downloading github:twbs/boot...@3.3.6

     Looking up npm:jquery

     Downloading npm:jqu...@2.2.4

warn Error on download for github:twbs/bootstrap

     Error: end of central directory record signature not found

         at /tmp/blah/node_modules/jspm/node_modules/jspm-github/node_modules/yauzl/index.js:172:14

         at /tmp/blah/node_modules/jspm/node_modules/jspm-github/node_modules/yauzl/index.js:517:5

         at /tmp/blah/node_modules/jspm/node_modules/jspm-github/node_modules/yauzl/node_modules/fd-slicer/index.js:32:7

         at FSReqWrap.wrapper [as oncomplete] (fs.js:576:17)

err  Error downloading github:twbs/bootstrap.

warn Installation changes not saved.

The token is correct - I've tested it with jspm registry config github; additionally this works fine: JSPM_GITHUB_AUTH_TOKEN=<secret> ./node_modules/.bin/jspm install github:github/fetch

Any ideas?

Full reproduction:

ssh to clean ubuntu 14.04 machine:

$ curl -sL https://deb.nodesource.com/setup_4.x | sudo -E bash -

$ sudo apt-get install -y nodejs

$ npm -v

2.15.5

$ mkdir /tmp/blah; cd /tmp/blah

$ npm install jspm

npm WARN deprecated mini...@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue

js...@0.16.39 node_modules/jspm

├── grace...@4.1.4

├── sem...@5.2.0

├── n...@2.0.0

├── ch...@1.1.3 (escape-str...@1.0.5, ansi-...@2.2.1, support...@2.0.0, strip...@3.0.1, has-...@2.0.0)

├── jspm-r...@0.4.1 (sem...@4.3.6)

├── mini...@3.0.2 (brace-e...@1.1.5)

├── gl...@6.0.4 (path-is-...@1.0.0, inhe...@2.0.1, on...@1.3.3, infl...@1.0.5)

├── rs...@3.2.1

├── proper-...@1.1.2 (ext...@3.0.0, err-...@1.1.1, re...@0.9.0)

├── mkd...@0.5.1 (mini...@0.0.8)

├── rim...@2.5.2 (gl...@7.0.5)

├── lif...@2.2.4 (rec...@0.6.2, ext...@3.0.0, flagged...@0.3.2, findu...@0.3.0, res...@1.1.7)

├── jspm-...@0.13.14 (ne...@0.1.4, expand...@1.2.2, wh...@1.2.10, ya...@2.6.0, rim...@2.3.4, t...@2.2.1, req...@2.53.0)

├── syst...@0.19.31 (wh...@3.7.7)

├── ugli...@2.6.4 (as...@0.2.10, uglify-to-...@1.0.2, sourc...@0.5.6, ya...@3.10.0)

├── req...@2.72.0 (aws-...@0.6.0, tunnel...@0.4.3, oauth...@0.8.2, foreve...@0.6.1, is-typ...@1.0.0, case...@0.11.0, string...@0.0.5, aw...@1.4.1, isst...@0.1.2, json-stri...@5.0.1, ext...@3.0.0, tough-...@2.2.2, node...@1.4.7, q...@6.1.0, combine...@1.0.5, mime-...@2.1.11, form...@1.0.0-rc4, ha...@3.1.3, b...@1.1.2, http-si...@1.1.1, har-va...@2.0.6)

├── jspm...@0.26.8 (wh...@1.2.10, gl...@5.0.15, t...@1.0.3, rm...@1.1.0, res...@1.1.7, req...@2.58.0)

├── tra...@0.0.105 (comm...@2.9.0, sem...@4.3.6, gl...@5.0.15, source-ma...@0.2.10)

├── cor...@1.2.6

└── systemjs...@0.15.22 (data-uri-...@0.0.4, sourc...@0.5.6, gl...@7.0.5, blue...@3.4.1, rol...@0.30.0, es6-templa...@2.0.0, babel-plugin-transform-...@6.9.0, babel...@6.10.4)

$ ./node_modules/.bin/jspm -v

0.16.39

Running against local jspm install.

$ JSPM_GITHUB_AUTH_TOKEN=<secret> ./node_modules/.bin/jspm install github:twbs/bootstrap

Package.json file does not exist, create it? [yes]:

Would you like jspm to prefix the jspm package.json properties under jspm? [yes]:

Enter server baseURL (public folder path) [./]:

Enter jspm packages folder [./jspm_packages]:

Enter config file path [./config.js]:

Configuration file config.js doesn't exist, create it? [yes]:

Enter client baseURL (public folder URL) [/]:

Do you wish to use a transpiler? [yes]:

Which ES6 transpiler would you like to use, Babel, TypeScript or Traceur? [babel]:

     Looking up github:twbs/bootstrap

     Updating registry cache...

     Downloading github:twbs/boot...@3.3.6

     Looking up npm:jquery

     Downloading npm:jqu...@2.2.4

warn Error on download for github:twbs/bootstrap

     Error: end of central directory record signature not found

         at /tmp/blah/node_modules/jspm/node_modules/jspm-github/node_modules/yauzl/index.js:172:14

         at /tmp/blah/node_modules/jspm/node_modules/jspm-github/node_modules/yauzl/index.js:517:5

         at /tmp/blah/node_modules/jspm/node_modules/jspm-github/node_modules/yauzl/node_modules/fd-slicer/index.js:32:7

         at FSReqWrap.wrapper [as oncomplete] (fs.js:576:17)

err  Error downloading github:twbs/bootstrap.

warn Installation changes not saved.

[Zaar Hai]

One more thing. After the failing install, I see this erroneous contents of the cached zip file:

$ cat ~/.jspm/github-cache/release-twbs#bootstrap-v3.3.6.zip 

<?xml version="1.0" encoding="UTF-8"?>

<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>AKIAISTNZFOVBIJMK3TQ</AWSAccessKeyId><StringToSign>AWS4-HMAC-SHA256

20160628T193021Z

20160628/us-east-1/s3/aws4_request

d84f57f40f1846db11747d45ca7d1d2e8f78f1d8864764156f240cb13e2bd2a2</StringToSign><SignatureProvided>c32fb82979ac8a31ac93f6da0f971639fedd788a3dfde1f94671ed2d142939b9</SignatureProvided><StringToSignBytes>41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 31 36 30 36 32 38 54 31 39 33 30 32 31 5a 0a 32 30 31 36 30 36 32 38 2f 75 73 2d 65 61 73 74 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 64 38 34 66 35 37 66 34 30 66 31 38 34 36 64 62 31 31 37 34 37 64 34 35 63 61 37 64 31 64 32 65 38 66 37 38 66 31 64 38 38 36 34 37 36 34 31 35 36 66 32 34 30 63 62 31 33 65 32 62 64 32 61 32</StringToSignBytes><CanonicalRequest>GET

/releases/2126244/694749aa-92a0-11e5-987f-3a6c976e303d.zip

X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=AKIAISTNZFOVBIJMK3TQ%2F20160628%2Fus-east-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20160628T193021Z&amp;X-Amz-Expires=300&amp;X-Amz-SignedHeaders=host&amp;actor_id=18699566&amp;response-content-disposition=attachment%3B%20filename%3Dbootstrap-3.3.6-dist.zip&amp;response-content-type=application%2Foctet-stream%3Faccess_token%3De0b8995a9a30ed51c032d5a30318cd3a90505094

host:github-cloud.s3.amazonaws.com

host

UNSIGNED-PAYLOAD</CanonicalRequest><CanonicalRequestBytes>47 45 54 0a 2f 72 65 6c 65 61 73 65 73 2f 32 31 32 36 32 34 34 2f 36 39 34 37 34 39 61 61 2d 39 32 61 30 2d 31 31 65 35 2d 39 38 37 66 2d 33 61 36 63 39 37 36 65 33 30 33 64 2e 7a 69 70 0a 58 2d 41 6d 7a 2d 41 6c 67 6f 72 69 74 68 6d 3d 41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 26 58 2d 41 6d 7a 2d 43 72 65 64 65 6e 74 69 61 6c 3d 41 4b 49 41 49 53 54 4e 5a 46 4f 56 42 49 4a 4d 4b 33 54 51 25 32 46 32 30 31 36 30 36 32 38 25 32 46 75 73 2d 65 61 73 74 2d 31 25 32 46 73 33 25 32 46 61 77 73 34 5f 72 65 71 75 65 73 74 26 58 2d 41 6d 7a 2d 44 61 74 65 3d 32 30 31 36 30 36 32 38 54 31 39 33 30 32 31 5a 26 58 2d 41 6d 7a 2d 45 78 70 69 72 65 73 3d 33 30 30 26 58 2d 41 6d 7a 2d 53 69 67 6e 65 64 48 65 61 64 65 72 73 3d 68 6f 73 74 26 61 63 74 6f 72 5f 69 64 3d 31 38 36 39 39 35 36 36 26 72 65 73 70 6f 6e 73 65 2d 63 6f 6e 74 65 6e 74 2d 64 69 73 70 6f 73 69 74 69 6f 6e 3d 61 74 74 61 63 68 6d 65 6e 74 25 33 42 25 32 30 66 69 6c 65 6e 61 6d 65 25 33 44 62 6f 6f 74 73 74 72 61 70 2d 33 2e 33 2e 36 2d 64 69 73 74 2e 7a 69 70 26 72 65 73 70 6f 6e 73 65 2d 63 6f 6e 74 65 6e 74 2d 74 79 70 65 3d 61 70 70 6c 69 63 61 74 69 6f 6e 25 32 46 6f 63 74 65 74 2d 73 74 72 65 61 6d 25 33 46 61 63 63 65 73 73 5f 74 6f 6b 65 6e 25 33 44 65 30 62 38 39 39 35 61 39 61 33 30 65 64 35 31 63 30 33 32 64 35 61 33 30 33 31 38 63 64 33 61 39 30 35 30 35 30 39 34 0a 68 6f 73 74 3a 67 69 74 68 75 62 2d 63 6c 6f 75 64 2e 73 33 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 0a 0a 68 6f 73 74 0a 55 4e 53 49 47 4e 45 44 2d 50 41 59 4c 4f 41 44</CanonicalRequestBytes><RequestId>A0768E8B2321C910</RequestId><HostId>TXTvWXMGx4laQjQRPQZbuUFX7v+lctj26YLVOCibVL+waYc4XOfJYaNH5F7VTqcLjMz0Tn+NzWE=</HostId></Error>

└── systemjs...@0.15.22 (data-uri-...@0.0.4, sourc...@0.5.6, gl...@7.0.5, blue...@3.4.1, rol...@0.30.0, es6-templa...@2.0.0, babel-plugin-transform-es2015-modules-...@6.9.0, babel...@6.10.4)

[Guy Bedford]

I've added a possible fix in https://github.com/jspm/github/commit/3cb8416d5997b5f6c24d8643a1f104643be64f42.

Do you think you could try and patch `path/to/node_modules/jspm/node_modules/jspm-github/github.js` to contain this change and see if that helps with the issue here?

└── systemjs...@0.15.22 (data-uri-...@0.0.4, sourc...@0.5.6, gl...@7.0.5, blue...@3.4.1, rol...@0.30.0, es6-templa...@2.0.0, babel-plugin-transform-...@6.9.0, babel...@6.10.4)

--
You received this message because you are subscribed to the Google Groups "jspm" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jspm-io+u...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Zaar Hai]

Indeed worked wonders!

└── systemjs...@0.15.22 (data-uri-...@0.0.4, sourc...@0.5.6, gl...@7.0.5, blue...@3.4.1, rol...@0.30.0, es6-templa...@2.0.0, babel-plugin-transform-es2015-modules-...@6.9.0, babel...@6.10.4)

[Guy Bedford]

Thanks for confirming, this fix has been released.

└── systemjs...@0.15.22 (data-uri-...@0.0.4, sourc...@0.5.6, gl...@7.0.5, blue...@3.4.1, rol...@0.30.0, es6-templa...@2.0.0, babel-plugin-transform-...@6.9.0, babel...@6.10.4)