Bug 2219757

Summary: CRB repo: invalid checksum for postgresql-docs on mirror.stream.centos.org
Product: Red Hat Enterprise Linux 9 Reporter: fossrob <fedora>
Component: postgresqlAssignee: Filip Januš <fjanus>
Status: NEW --- QA Contact: RHEL CS Apps Subsystem QE <rhel-cs-apps-subsystem-qe>
Severity: low Docs Contact:
Priority: unspecified    
Version: CentOS StreamCC: alciregi, bstinson, farrotin, jwboyer
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description fossrob 2023-07-05 07:26:57 UTC
Description of problem:

A file located at the url https://mirror.stream.centos.org/9-stream/CRB/x86_64/os/Packages/postgresql-docs-13.7-1.el9.x86_64.rpm failed validation due to checksum. Expected '59930a07af95a826b1d4b182b7895205e71bef2cbd1b5b7e3f992dcd19908dea', Actual '8992bc89ef759f805d8a13889728adba091a9867cda6035109aa4b0cad7cb97d'

Version-Release number of selected component (if applicable):

13.7-1.el9

How reproducible:

Perform a repo sync with Foreman, or download the rpm binary and verify the checksum against the repository metadata.

Steps to Reproduce:
1.
2.
3.

Actual results:

Checksum differs.

Expected results:

Checksums should match.

Additional info:

Comment 1 farrotin 2023-07-05 09:38:46 UTC
As it was discussed on Discourse, it should be fixed in Cloudfront CDN.

curl --silent https://mirror.stream.centos.org/9-stream/CRB/x86_64/os/Packages/postgresql-docs-13.7-1.el9.x86_64.rpm |sha256sum
59930a07af95a826b1d4b182b7895205e71bef2cbd1b5b7e3f992dcd19908dea  -

Explanation: one of the origin servers behind cloudfront had a corrupted pkg, then served by cloudfront depending on the location.

Taken action:
- identified which origin node had the problematic pkg and ensuring it got the correct one (it seems rsync doesn't complain which itself is a problem)
- invalidated that pkg/path in cloudfront
- test that it was serving correct pkg

For people in charge of routing from Bugzilla to Jira CS (CentOS Stream) project: you can refer this one and it's already solved but can be used to add more checks to ensure it doesn't happen again