zlib port download hits unexpected hash, probably GitHub issue

[akoeplinger]

Sometime in the last few hours we're seeing this:

ports:INFO: retrieving port: zlib from https://github.com/madler/zlib/archive/v1.2.11.zip
emcc: error: Unexpected hash: 9ec7c573fac2cd4d6ba64dd4dfd7330f317be75367575013da4004d7da7ff51b70b85783dc8533df081e70527135cdbf2ffc12b40f2d011fd7fbe6cb52d2f47d

It looks like https://github.com/madler/zlib/archive/v1.2.11.zip started returning a file with a different SHA512 hash now:

• Before: a42b8359e76cf7b3ae70bf31f0f8a8caa407ac80e8fe08b838076cd5e45ac2e685dae45eb59db2d25543fb3b5bd13b843a02bb8373cda704d7238be50d5e9c68
• After: 9ec7c573fac2cd4d6ba64dd4dfd7330f317be75367575013da4004d7da7ff51b70b85783dc8533df081e70527135cdbf2ffc12b40f2d011fd7fbe6cb52d2f47d

Interestingly https://github.com/madler/zlib/archive/refs/tags/v1.2.11.zip still returns the "expected" SHA512 hash.

---

The /archive/v1.2.10 for the earlier zlib tag returns the expected content on both URLs so it looks like a GitHub bug to me and I opened a ticket with GitHub support: 1485268

[donalffons]

I'm experiencing the same problem with the Emscripten Docker Images and -s USE_ZLIB=1. I tried a few different versions (3.x and 2.x) - all showing the same error...
EDIT: While researching I found this issue, which might or might not be related.

[akoeplinger]

Looks like GitHub is aware of the issue according to this Twitter thread (I didn't get a reply on the support ticket yet): https://twitter.com/tgummerer/status/1488493440103030787

[akoeplinger]

According to https://twitter.com/tgummerer/status/1488565820326400000 this should've been fixed but I just checked and I'm still seeing the wrong checksum for https://github.com/madler/zlib/archive/v1.2.11.zip

[sbehnke]

According to https://twitter.com/tgummerer/status/1488565820326400000 this should've been fixed but I just checked and I'm still seeing the wrong checksum for https://github.com/madler/zlib/archive/v1.2.11.zip

Same here.

[notnarb]

@akoeplinger and @sbehnke could you try the URL https://github.com/madler/zlib/archive/refs/tags/v1.2.11.zip instead?

Currently I can see that the combination of http1.1 and the /archive/v1.2.11.zip produces the "incorrect" hash while using http2 or /archive/refs/tags/v1.2.11.zip will produce the old hash consistently. I suspect there is a caching issue on GitHub's end.

[~/Downloads]
bhorsley@beehorse$ curl -sL --http1.1 https://github.com/madler/zlib/archive/v1.2.11.zip | sha256sum
9c46d65f2f8655c0decc9a22c90a3d58fdc8dfff432899b655a6c9d2b8bbd7db  -
[~/Downloads]
bhorsley@beehorse$ curl -sL --http2 https://github.com/madler/zlib/archive/v1.2.11.zip | sha256sum
f5cc4ab910db99b2bdbba39ebbdc225ffc2aa04b4057bc2817f1b94b6978cfc3  -
[~/Downloads]
bhorsley@beehorse$ curl -sL --http1.1 https://github.com/madler/zlib/archive/refs/tags/v1.2.11.zip | sha256sum
f5cc4ab910db99b2bdbba39ebbdc225ffc2aa04b4057bc2817f1b94b6978cfc3  -
[~/Downloads]
bhorsley@beehorse$ curl -sL --http2 https://github.com/madler/zlib/archive/refs/tags/v1.2.11.zip | sha256sum
f5cc4ab910db99b2bdbba39ebbdc225ffc2aa04b4057bc2817f1b94b6978cfc3  -

[sbehnke]

@akoeplinger and @sbehnke could you try the URL https://github.com/madler/zlib/archive/refs/tags/v1.2.11.zip instead?

Currently I can see that the combination of http1.1 and the /archive/v1.2.11.zip produces the "incorrect" hash while using http2 or /archive/refs/tags/v1.2.11.zip will produce the old hash consistently. I suspect there is a caching issue on GitHub's end.

[~/Downloads]
bhorsley@beehorse$ curl -sL --http1.1 https://github.com/madler/zlib/archive/v1.2.11.zip | sha256sum
9c46d65f2f8655c0decc9a22c90a3d58fdc8dfff432899b655a6c9d2b8bbd7db  -
[~/Downloads]
bhorsley@beehorse$ curl -sL --http2 https://github.com/madler/zlib/archive/v1.2.11.zip | sha256sum
f5cc4ab910db99b2bdbba39ebbdc225ffc2aa04b4057bc2817f1b94b6978cfc3  -
[~/Downloads]
bhorsley@beehorse$ curl -sL --http1.1 https://github.com/madler/zlib/archive/refs/tags/v1.2.11.zip | sha256sum
f5cc4ab910db99b2bdbba39ebbdc225ffc2aa04b4057bc2817f1b94b6978cfc3  -
[~/Downloads]
bhorsley@beehorse$ curl -sL --http2 https://github.com/madler/zlib/archive/refs/tags/v1.2.11.zip | sha256sum
f5cc4ab910db99b2bdbba39ebbdc225ffc2aa04b4057bc2817f1b94b6978cfc3  -

Currently I worked around it by applying https://github.com/emscripten-core/emscripten/pull/16169/files to 3.1.1.

Running the curl commands I get:

❯ curl -sL --http1.1 https://github.com/madler/zlib/archive/v1.2.11.zip | shasum -a 256
9c46d65f2f8655c0decc9a22c90a3d58fdc8dfff432899b655a6c9d2b8bbd7db  -
❯ curl -sL --http2 https://github.com/madler/zlib/archive/v1.2.11.zip | shasum -a 256
f5cc4ab910db99b2bdbba39ebbdc225ffc2aa04b4057bc2817f1b94b6978cfc3  -
❯ curl -sL --http1.1 https://github.com/madler/zlib/archive/refs/tags/v1.2.11.zip | shasum -a 256
f5cc4ab910db99b2bdbba39ebbdc225ffc2aa04b4057bc2817f1b94b6978cfc3  -
❯ curl -sL --http2 https://github.com/madler/zlib/archive/refs/tags/v1.2.11.zip | shasum -a 256
f5cc4ab910db99b2bdbba39ebbdc225ffc2aa04b4057bc2817f1b94b6978cfc3  -

[akoeplinger]

I just tried again and I now get the correct checksum again over http1.0, http1.1 and http2 so looks like it is fixed on GitHub's side 👍