Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Installing sharp-libvips on Linux Fails with Integrity Check Error #3133

Closed
3 tasks done
karlhorky opened this issue Mar 12, 2022 · 8 comments
Closed
3 tasks done

Installing sharp-libvips on Linux Fails with Integrity Check Error #3133

karlhorky opened this issue Mar 12, 2022 · 8 comments
Labels
installation

Comments

@karlhorky
Copy link

karlhorky commented Mar 12, 2022
edited
Loading

Possible install-time or require-time problem

When installing [email protected] as normal on CI (Render.com), there is an integrity check error with libvips-8.12.2-linux-x64.tar.br (downloaded from GitHub). This has been working as normal for multiple deploys in the last week (with no version changes to sharp or anything else related in the Yarn lockfile).

An integrity check error seems weird - could this be something related to a compromise in GitHub? Just thinking about the numerous hacking attempts that have been going on lately...

  • I have read the documentation relating to installation.
  • I have ensured that the architecture and platform of Node.js used for npm install is the same as the architecture and platform of Node.js used at runtime.

Are you using the latest version of sharp?

  • I am using the latest version of sharp as reported by npm view sharp dist-tags.latest.

If you cannot confirm this, please upgrade to the latest version and try again before opening an issue.

If you are using another package which depends on a version of sharp that is not the latest, please open an issue against that package instead.

Is this a problem with filesystem permissions?

If you are using npm v6 or earlier and installing as a root or sudo user, have you tried with the npm install --unsafe-perm flag?

Not applicable

If you are using npm v7 or later, does the user running npm install own the directory it is run in?

Not applicable

If you are using the ignore-scripts feature of npm, have you tried with the npm install --ignore-scripts=false flag?

Not applicable

What is the complete output of running npm install --verbose sharp?

I've added the output of the Yarn installation command that fails the integrity check

Mar 12 04:47:58 PM  [5/5] Building fresh packages...
Mar 12 04:48:09 PM  error /opt/render/project/node_modules/sharp, /opt/render/project/src/node_modules/sharp: Command failed.
Mar 12 04:48:09 PM  Exit code: 1
Mar 12 04:48:09 PM  Command: (node install/libvips && node install/dll-copy && prebuild-install) || (node install/can-compile && node-gyp rebuild && node install/dll-copy)
Mar 12 04:48:09 PM  Arguments:
Mar 12 04:48:09 PM  Directory: /opt/render/project/node_modules/sharp
Mar 12 04:48:09 PM  Output:
Mar 12 04:48:09 PM  sharp: Downloading https://github.com/lovell/sharp-libvips/releases/download/v8.12.2/libvips-8.12.2-linux-x64.tar.br
Mar 12 04:48:09 PM  sharp: Integrity expected: sha512-SSWAwBFi0hx8V/h/v82tTFGKWTFv9FiCK3Timz5OExuI+sX1Ngrd0PVQaWXOThGNdel/fcD3Bz9YjSt4feBR1g==
Mar 12 04:48:09 PM  sharp: Integrity received: sha512-uXR53JMNUBvGLI/MM0LfDFn4saogG4UP+Sq9/1oFUEGTa84sil1bPEM+9iGcl4L+gFNM0omTsLF8yj8n9IPvAw==
Mar 12 04:48:09 PM  sharp: Please see https://sharp.pixelplumbing.com/install for required dependencies
Mar 12 04:48:09 PM  sharp: Installation error: Integrity check failed for linux-x64
Mar 12 04:48:09 PM  info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
Mar 12 04:48:13 PM  error Command failed with exit code 1.

What is the output of running npx envinfo --binaries --system --npmPackages=sharp --npmGlobalPackages=sharp?
@karlhorky karlhorky mentioned this issue Mar 12, 2022
Closed
3 tasks
@karlhorky
Copy link
Author

Hm, interesting... as quickly as the error appeared, it is gone again!

I cleared the cache of the system and started a new deploy -- twice! -- and on the second run, it installed without problems.

Wonder if it was a temporary problem (or even temporary breach) at GitHub...

Anyway, seems to be working again. Closing this!

@lovell
Copy link
Owner

lovell commented Mar 12, 2022

Sounds like a temporary problem between your CI environment and GitHub, hopefully not a breach of either, but the integrity check exists to guard against this kind of problem so it worked as intended.

https://sharp.pixelplumbing.com/install#prebuilt-binaries

A ~7MB tarball containing libvips and its most commonly used dependencies is downloaded via HTTPS, verified via Subresource Integrity and...

@karlhorky
Copy link
Author

Interesting, just failed again now, different SHA512... 🤔

Anyway, clearing cache and retrying. I know there's not much that the sharp project itself can do - these safeguards are helping out, which is great.

Mar 13 03:19:41 PM   Output:
Mar 13 03:19:41 PM   sharp: Downloading https://github.com/lovell/sharp-libvips/releases/download/v8.12.2/libvips-8.12.2-linux-x64.tar.br
Mar 13 03:19:41 PM   sharp: Integrity expected: sha512-SSWAwBFi0hx8V/h/v82tTFGKWTFv9FiCK3Timz5OExuI+sX1Ngrd0PVQaWXOThGNdel/fcD3Bz9YjSt4feBR1g==
Mar 13 03:19:41 PM   sharp: Integrity received: sha512-8S++NruXPKAZkqNPu9/RUvPfNCFitvOb6a0BZdO3FTwiDN7MmAUiur07UPG2kDSbXoALbhIpvNRbmAimjjCJMA==
Mar 13 03:19:41 PM   sharp: Installation error: Integrity check failed for linux-x64

@lovell
Copy link
Owner

lovell commented Mar 13, 2022

I guess it's possible that the integrity error could be smothering another error? Perhaps the check should be wrapped in a nextTick() to let any other sync logic that could emit an error run first.

sharp/install/libvips.js

Lines 71 to 73 in e8720c9

flush: function (done) {
const digest = `sha512-${hash.digest('base64')}`;
if (expected !== digest) {

What version of Node.js are you using? There was a fix in 16 that is somewhat related - nodejs/node#34314

@karlhorky
Copy link
Author

Ah interesting, yeah Node.js 16.2.0 is the version on the CI system where the failures are.

Another system with 16.13.0 was not failing, so that could really be something. I'll try upgrading the failing system.

Thanks for the tip!

@karlhorky
Copy link
Author

karlhorky commented Mar 16, 2022
edited
Loading

Hm... another error after the upgrade to 16.13.0 too (again, a completely different hash):

Mar 16 01:22:06 PM   ==> Detected Node version 16.13.0
...
Mar 16 01:26:46 PM   Output:
Mar 16 01:26:46 PM   sharp: Downloading https://github.com/lovell/sharp-libvips/releases/download/v8.12.2/libvips-8.12.2-linux-x64.tar.br
Mar 16 01:26:46 PM   sharp: Integrity expected: sha512-SSWAwBFi0hx8V/h/v82tTFGKWTFv9FiCK3Timz5OExuI+sX1Ngrd0PVQaWXOThGNdel/fcD3Bz9YjSt4feBR1g==
Mar 16 01:26:46 PM   sharp: Integrity received: sha512-z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==

@sibelius
Copy link

how to get more logs on sharp?

does this happen on node 20 and node 22 ?

@lovell
Copy link
Owner

lovell commented Jul 30, 2024

This is no longer relevant as of sharp v0.33.0+.

Repository owner locked and limited conversation to collaborators Jul 30, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
installation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lovell @karlhorky @sibelius