sha3-384 mismatch
Bret A. Barker
bret.barker at canonical.com
Mon Dec 5 15:03:52 UTC 2016
On Mon, Dec 05, 2016 at 03:52:32PM +0100, Didier Roche wrote:
> Le 05/12/2016 à 15:38, Gustavo Niemeyer a écrit :
> >
> >
> > On Mon, Dec 5, 2016 at 12:23 PM, Didier Roche <didrocks at ubuntu.com
> > <mailto:didrocks at ubuntu.com>> wrote:
> >
> > I did though write on the bug: "contrary to curl or wget which
> > both supports large downloads."
> > The feedback thread mentioned as well "while same assets can be
> > successfully downloaded via curl or wget".
> >
> > I thought that was really obvious that they worked consistently
> > and that I did rerun then multiple times or I wouldn't have opened
> > the bug report + write this feedback. Sorry if that wasn't clear
> > enough, let's move on :)
> >
> >
> > If you file a bug and a developer asks for specific information that
> > wasn't provided, it means the specific information is not obvious.
> >
> >> Is it the case? Did you ever get a failure with them? Are they
> >> retrying while they work? Do you have a verbose dumb of the process?
> > Yes, as mentioned. I never got any failure with any of them and I
> > did retry multiple times in loop when I saw the snapd failures.
> > wget is in verbose mode by default and I never got any hint that
> > it was retrying (just getting the normal download output).
> >
> > I did just try a verbose download in curl (here, an ubuntu 300M
> > image). Here is the output: http://paste.ubuntu.com/23583568/
> > <http://paste.ubuntu.com/23583568/>. It seems that curl doesn't
> > complain of any reconnect.
> >
> >
> > You are downloading an image from an arbitrary server on the internet
> > unrelated to the problem we're trying to debug.
> >
> > Can you please attempt these several curl downloads while using the
> > exact same URL that failed for snapd?
>
> As a developer asking for more debug information, can you please paste
> the exact instructions on how to get those?
>
> I'm trying the https://public.apps.ubuntu.com/anon/download-snap/ based
> url with the .snap showing up in the logs to get the exact same assets I
> pasted snapd information on. However, curl -v returns (output stripped out):
> * Trying 162.213.33.92...
> * Connected to public.apps.ubuntu.com (162.213.33.92) port 443 (#0)
> * found 173 certificates in /etc/ssl/certs/ca-certificates.crt
> * found 692 certificates in /etc/ssl/certs
> * ALPN, offering http/1.1
> * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
> * server certificate verification OK
> * server certificate status verification SKIPPED
> * common name: public.apps.ubuntu.com (matched)
> * server certificate expiration date OK
> * server certificate activation date OK
> * certificate public key: RSA
> * certificate version: #3
> * subject: C=GB,L=London,O=Canonical Group
> Ltd,CN=public.apps.ubuntu.com
> * start date: Mon, 30 May 2016 00:00:00 GMT
> * expire date: Wed, 21 Jun 2017 12:00:00 GMT
> * issuer: C=US,O=DigiCert Inc,CN=DigiCert SHA2 Secure Server CA
> * compression: NULL
> * ALPN, server did not agree to a protocol
> > GET /anon/download-snap/YZ7LshLxDQQIrhAL6DMLub2yTVUA2DIK_15.snap HTTP/1.1
> > Host: public.apps.ubuntu.com
> > User-Agent: curl/7.47.0
> > Accept: */*
> >
> < HTTP/1.1 302 FOUND
>
> I guess that's due to the macaroon exchanged system and I'm not
> authorized or something else?
> Thanks for helping debugging.
>
> Cheers,
> Didier
snapd first hits the Ubuntu Store URL (as above) that checks ACLs and then redirects to the CDN url. I don't know why `curl -v` doesn't follow the redirect, but the URL in the resulting 'Location' header will be the CDN url. Note that the CDN url contains a time-limited token in the query-string, so after a period you will need to get a fresh one from the store download endpoint.
-bret
More information about the Snapcraft
mailing list