Digest verification failed on update

SUSE_p3t3 · September 29, 2023, 2:41am

Hi, I’ve been using openSUSE Tumbleweed for about a year or so, and love it.

I refresh & download the packages daily with the following commands:

sudo zypper ref
sudo zypper dup -d

Then, when I want to actually install the updates a week or two later, I simply do the following:

sudo zypper dup

Recently, each time I download (dup -d), I’ve been getting the below error. I select [discard] then [ignore] for dup -d to download all the other packages. But this error isn’t going away:

Warning: Digest verification failed for file 'qemu-ipxe-1.0.0+-2.1.noarch.rpm'
[/var/tmp/AP_0x2N1Ebe/noarch/qemu-ipxe-1.0.0+-2.1.noarch.rpm]

  expected 431bb3fefe4893ddc6f3425321.....
  but got  7c6bafd38382bf6d8e8c35d54b.....

Accepting packages with wrong checksums can lead to a corrupted system and in extreme cases even to a system compromise.

However if you made certain that the file with checksum '7c6b..' is secure, correct
and should be used within this operation, enter the first 4 characters of the checksum
to unblock using this file on your own risk. Empty input will discard the file.

Unblock or discard? [7c6b/...? shows all options] (discard):

I thought these packages in question would eventually update on the server and fix itself, but it still hasn’t. It’s been 2 weeks or so.

The packages with the checksum problem include:
qemu-ipxe-1.0.0±2.1.noarch.rpm
qemu-seabios-1.16.2_3_gd478f380-2.1.noarch.rpm
qemu-vgabios-1.16.2_3_gd478f380-2.1.noarch.rpm

I had been thinking of changing mirrors, but having a quick read, it’s not appear to be that straight forwards. I believe you have to go into Yast Software Repository and manually change the url of each repo, or do it via the /etc files. So, I’d rather stay with the same mirror (I think). Thanks.

hendersj · September 29, 2023, 4:08am

Have you tried removing the pre-downloaded file and letting it download again?

What’s the output of zypper lr -d? Sounds like you maybe have a lot of repos, so it would be useful to (a) verify what they are, and (b) determine which repo it is that these files are coming from.

karlmistelberger · September 29, 2023, 4:17am

Run zypper clean --all and retry.

SUSE_p3t3 · September 29, 2023, 9:16am

Thanks, I tried zypper clean --all but the problem still exists.

SUSE_p3t3 · September 29, 2023, 9:24am

More info…

zypper lr -d

#  | Alias                            | Name    | Enabled | GPG Check | Refresh | Priority | Type   | URI                                                                                 | Service
---+----------------------------------+---------+---------+-----------+---------+----------+--------+-------------------------------------------------------------------------------------+--------
 1 | NVIDIA                           | NVIDIA  | Yes     | (r ) Yes  | Yes     |  199     | rpm-md | https://download.nvidia.com/opensuse/tumbleweed                                     | 
 2 | VLC                              | VLC     | Yes     | (r ) Yes  | Yes     |  199     | rpm-md | https://download.videolan.org/SuSE/Tumbleweed                                       | 
 3 | brave-browser                    | brave-> | Yes     | (r ) Yes  | Yes     |  199     | rpm-md | https://brave-browser-rpm-release.s3.brave.com/x86_64/                              | 
 4 | download.opensuse.org-non-oss    | Main -> | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/tumbleweed/repo/non-oss/                               | 
 5 | download.opensuse.org-oss        | Main -> | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/tumbleweed/repo/oss/                                   | 
 6 | download.opensuse.org-tumbleweed | Main -> | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/tumbleweed/                                     | 
 7 | electronics                      | Elect-> | Yes     | (r ) Yes  | Yes     |  199     | rpm-md | https://download.opensuse.org/repositories/electronics/openSUSE_Tumbleweed/         | 
 8 | microsoft-edge                   | Micro-> | Yes     | (r ) Yes  | Yes     |  199     | rpm-md | https://packages.microsoft.com/yumrepos/edge                                        | 
 9 | network_im_signal                | netwo-> | Yes     | (r ) Yes  | Yes     |  199     | rpm-md | https://download.opensuse.org/repositories/network:/im:/signal/openSUSE_Tumbleweed/ | 
10 | openh264                         | openh-> | Yes     | (r ) Yes  | Yes     |   90     | rpm-md | http://codecs.opensuse.org/openh264/openSUSE_Tumbleweed/                            | 
11 | packages-microsoft-com-prod      | packa-> | Yes     | (r ) Yes  | No      |   99     | rpm-md | https://packages.microsoft.com/opensuse/15/prod/                                    | 
12 | packman                          | Packman | Yes     | (r ) Yes  | Yes     |   90     | rpm-md | https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/                | 
13 | repo-debug                       | openS-> | No      | ----      | ----    |   99     | NONE   | http://download.opensuse.org/debug/tumbleweed/repo/oss/                             | 
14 | repo-source                      | openS-> | No      | ----      | ----    |   99     | NONE   | http://download.opensuse.org/source/tumbleweed/repo/oss/                            | 
15 | security                         | secur-> | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | https://download.opensuse.org/repositories/security/openSUSE_Tumbleweed/            | 
16 | vscode                           | vscode  | Yes     | (r ) Yes  | Yes     |  199     | rpm-md | https://packages.microsoft.com/yumrepos/vscode

Next step, find out where these packages come from. Choosing one of them…

zypper info qemu-ipxe

Information for package qemu-ipxe:
----------------------------------
Repository     : Main Repository (OSS)
Name           : qemu-ipxe
Version        : 1.0.0+-2.1
Arch           : noarch
Vendor         : openSUSE
Installed Size : 1.6 MiB
Installed      : Yes
Status         : out-of-date (version 1.0.0+-1.2 installed)
Source package : qemu-8.1.0-2.1.src
Upstream URL   : https://www.qemu.org/
Summary        : PXE ROMs for QEMU NICs
Description    : 
    Provides Preboot Execution Environment (PXE) ROM support for various emulated
    network adapters available with QEMU.

So, it’s from the main repo!
I’m trying to think about what else I can try.

PS: zypper clean --all removed all downloaded files from zypper dup -d. But the problem still persists.

karlmistelberger · September 29, 2023, 9:33am

Could be a broken database. Rebuild:

erlangen:~ # time rpm --rebuilddb 
real    0m1.166s
user    0m0.810s
sys     0m0.336s
erlangen:~ #

SUSE_p3t3 · September 29, 2023, 10:02am

Thanks, I’ve just tried the rpm rebuild and the problem persists.

I’m thinking I may have to give in and accept the new package with the different checksum, and hope my system doesn’t get compromised. But I’ll try a few more things first, before giving in…

(according to the error message, I could just give in…)

SUSE_p3t3:

However if you made certain that the file with checksum '7c6b..' is secure, correct
and should be used within this operation, enter the first 4 characters of the checksum
to unblock using this file on your own risk. Empty input will discard the file.

karlmistelberger · September 29, 2023, 10:16am

No checksum problems when installing from:

erlangen:~ # repos
#  | Alias                               | Enabled | GPG Check | Refresh | Priority | URI
---+-------------------------------------+---------+-----------+---------+----------+-------------------------------------------------------------------------------------------------------
 7 | Packman                             | Yes     | (r ) Yes  | Yes     |   90     | http://ftp.fau.de/packman/suse/openSUSE_Tumbleweed/
23 | non-oss                             | Yes     | (r ) Yes  | Yes     |   99     | https://download.opensuse.org/tumbleweed/repo/non-oss/
25 | oss                                 | Yes     | (r ) Yes  | Yes     |   99     | https://download.opensuse.org/tumbleweed/repo/oss/
32 | update                              | Yes     | (r ) Yes  | Yes     |   99     | https://download.opensuse.org/update/tumbleweed/
 erlangen:~ #

erlangen:~ # zypper -n in qemu-ipxe qemu-seabios qemu-vgabios
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following 3 NEW packages are going to be installed:
  qemu-ipxe qemu-seabios qemu-vgabios

3 new packages to install.
Overall download size: 419.9 KiB. Already cached: 1.2 MiB. After the operation, additional 2.4 MiB will be used.
Continue? [y/n/v/...? shows all options] (y): y
In cache qemu-ipxe-1.0.0+-2.1.noarch.rpm                                                                                                                                                                                (1/3),   1.2 MiB    
Retrieving: qemu-seabios-1.16.2_3_gd478f380-2.1.noarch (Haupt-Repository (OSS))                                                                                                                                         (2/3), 256.1 KiB    
Retrieving: qemu-seabios-1.16.2_3_gd478f380-2.1.noarch.rpm ...............................................................................................................................................................[done (2.8 MiB/s)]
Retrieving: qemu-vgabios-1.16.2_3_gd478f380-2.1.noarch (Haupt-Repository (OSS))                                                                                                                                         (3/3), 163.8 KiB    
Retrieving: qemu-vgabios-1.16.2_3_gd478f380-2.1.noarch.rpm ...........................................................................................................................................................................[done]

Checking for file conflicts: .........................................................................................................................................................................................................[done]
(1/3) Installing: qemu-ipxe-1.0.0+-2.1.noarch ........................................................................................................................................................................................[done]
(2/3) Installing: qemu-seabios-1.16.2_3_gd478f380-2.1.noarch .........................................................................................................................................................................[done]
(3/3) Installing: qemu-vgabios-1.16.2_3_gd478f380-2.1.noarch .........................................................................................................................................................................[done]
erlangen:~ #

You may need to double check your repo list.

SUSE_p3t3 · September 29, 2023, 11:08am

I agree, it feels like it’s a repo list issue. I’ll concentrate on this.
If I solve it, I’ll post my findings.

Thanks for your help.

SUSE_p3t3 · October 13, 2023, 9:48pm

Hi Guys, this issue resolved itself. I simply waited (for a several weeks) and the mirror/server must have been eventually updated finally with the correct packages checksums.

I wonder why this even happens. Shouldn’t packages transferred to a mirror be done in a single atomic operation? If one (or more packages) fail, then rollback the entire transfer process, then try again.