Locked mode not working as hash is calculated incorrectly for previously cached packages #7682
Comments
|
/cc: @anangaur |
|
@jainaashish - I think we meant to put this in 4.9.3, not 4.9.x - when we discussed yesterday, right? |
|
we discussed #7667 and #7646 to be in 4.9.3. We didn't discuss this one but from the description it seems the issue is packages cache having wrong package in there which gets wrong hash in lock file. And the current solution for this is to clean packages cache or that specific package so I'm afraid we can address this for 4.9.3 or even 4.9.x |
@jainaashish I dont think the package is wrong. I see different SHA being generated when the package is downloaded from nuget.org vs. when the package is already there but .nupkg.metadata file is not there and is generated in-situ. For Newtonsoft.json 12.0.1, when downloaded from internet (nuget.org), the SHA is but when generated, it is: |
|
this is weird, I'll look into this. Does this also happen with other packages as well or other version of Newtonsoft.json? |
|
Yes. Same with all packages. When a package is freshly downloaded, the |
|
this is happening with |
|
I guess we should test out all the paths including NuGet.exe as well. The priority of fixing this issue is high IMO. |
|
yes, confirming this happens with |
|
Root cause of the issue is while writing the This issue has already been fixed in dev16 preview bits so I'll cherry-pick the commit into 4.9.3 branch as well. |
|
Cherry-picked to release-4.9.3-rtm branch with 2d7c84030935330c0e5f1889bed825ff1ec50cc2 |
|
Where is that bug fixed? I'm using VS2019 Preview 2 (NuGet 5.0.0), and I'm still experiencing that problem. |
|
I can't repro it with VS2019 Preview2. Can you share your complete repro steps? and also the dotnet version details (run |
|
Here is what I am doing:
|
|
Thanks for details, but I still don't have repro steps to reproduce your issue locally. I need details about project, packages, did you already had a lock file when you restored, does it throw hash mis-match error at the end of restore, etc... So It will be helpful if you can list down the exact repro steps one by one and if possible, share a sample project. Also, are you running within VS or dotnet? |
|
I use VS. Restore works but generates a different SHA512 the second time, which is a red flag. And then restore fails in my CI build, which uses Is there a version of I can try to build a minimal repro. |
|
I've created a repro using nuget.exe 4.9.3 and dotnet sdk 3.0.100-preview-010184. I don't know if it's identical to the issue @Flavien saw but it's impacting my use case. @jainaashish, is the issue just that your fix hasn't made it into the dotnet distribution yet? Unzip the below and run repro.bat to reproduce the failure. |
Yes, is hasn't made into dotnet yet, it will be available in next dotnet preview/release. Can you repro it with only nuget.exe 4.9.3? |
|
As these make into the .NET SDKs, we will update our table in the release notes: |
No. If I replace all the dotnet restore calls with nuget restore (and enable lock files in the csproj) the errors do not manifest. This isn't a complete solution, though, since nuget.exe is missing some of the args from dotnet.exe (e.g. --lock-file-path and --locked-mode). |
|
@jainaashish I'm also running into this. I just updated to VS 2017 15.9.6 since according to https://docs.microsoft.com/en-us/nuget/release-notes/nuget-4.9-rtm this should include NuGet 4.9.3 which fixes this. However, I still see this wrong hash issue. I also see it when we run MSBuild Which specific versions should be expected to be correct here? |
|
@madelson Are you using VS or dotnet CLI to repro your issue? VS 2017 15.9.6 includes NuGet 4.9.3 bits only for VS but it still doesn't update dotnet SDK. So make sure you're using VS to repro your issue or wait for the next dotnet SDK update. |
|
Same problem here. I'm using .NET Core SDK 2.2.104, which is supposed to have the 4.9.3 bits, and I am still getting the wrong hash error. Is there some cache we need to clear before generating the lock file to ensure the incorrect |
|
/cc: @rrelyea |
|
@Flavien |
|
I've already tried that and that didn't make a difference. I am still getting the sha512 validation error. |
|
Thats weird. /cc: @nkolev92 |
|
Do you have a minimal repro you can provide for us? I want to eliminate sha validation issues that are potentially unrelated to the above. |
|
@Flavien from one of you previous comments it looks like you are experiencing an issue in CI. |
|
I'm also consistently seeing this with a UWP library and Microsoft.NETCore.Platforms. When I do "Microsoft.NETCore.Platforms": {
"type": "Transitive",
"resolved": "2.1.0",
"contentHash": "GmkKfoyerqmsHMn7OZj0AKpcBabD+GaafqphvX2Mw406IwiJRy1pKcKqdCfKJfYmkRyJ6+e+RaUylgdJoDa1jQ=="
}If I were to re-run the build and regenerate the lock files again I would get this hash: "Microsoft.NETCore.Platforms": {
"type": "Transitive",
"resolved": "2.1.0",
"contentHash": "ok+RPAtESz/9MUXeIEz6Lv5XAGQsaNmEYXMsgVALj4D7kqC8gveKWXWXbufLySR2fWrwZf8smyN5RmHu0e4BHA=="
}The upshot is that every time I add/remove/update packages this value will be set to the incorrect one, causing the CI build to fail. I'm presuming this is coming from a bad cache somewhere (what else could it be?), but I have What am I missing? |
|
@nexussays Look at sources and track down where that package could be coming from. Your assets file with contain sources, fallback folders and related (I can help if you can't find them) Keep in mind a few things. Fallback folders are preferred over sources. Local sources are preferred over http.
Do you clean the global packages folder or something here? |
|
@nkolev92 Thanks for the suggestions!
Using nuget.exe 5.2.0.6090 in dev environment and on the CI server.
It's a transitive dependency from UWP/UAP. I'm targeting 10.0.18362.0
So if there's no way to prevent the cache from altering the checksum how can I disable the use of caches other than |
When I clear nuget caches the hash is |
NuGet has an http-cache that lasts 30 mins, however I've rarely seen that as a problem. Once something is in the global packages folder, that's the final and permanent install location, no changes are ever made here. DisableImplicitNuGetFallbackFolder might not apply to UWP projects because that's a .NET Core SDK switch, not a NuGet one. |
|
I came across the same issue, @nexussays. See #11610 (comment). Did you ultimately find a resolution? |
|
Try Also: If you have any .NET Core 1.x or .NET Core 2.x SDKs installed, uninstall them (you can still target older versions of netcoreapp with a newer SDK). On a clean machine with only in-support versions of the .NET SDK installed, you should no longer have any |
|
Thank you! I knew about <?xml version="1.0" encoding="utf-8" ?>
<Project>
<PropertyGroup>
<RestoreAdditionalProjectFallbackFolders></RestoreAdditionalProjectFallbackFolders>
</PropertyGroup>
</Project>The oldest version of .NET Core I have installed is 3.1. We intend to port to .NET Core though, so I'm sure this information will come in handy in the future! Re-reading your comment above, I realized that I actually observe the opposite of what you reported. |
Details about Problem
I've been struggling with the new "locked mode" of dotnet restore since release and I've finally been able to create repro steps.
The problems seems related to using different version of the .NET Core SDK on the same machine, in particular versions before the locked mode introduction alongside the new ones.
As the NuGet Package Cache is shared between all versions, if the package as been cached by an old version of dotnet.exe/nuget, it looks like the new
.nupkg.metadataget created with an incorrect signature.Example:
Newtonsoft.Json 12.0.1 has signature:
however if it was already in the Nuget Package Cache, when using the new dotnet.exe/nuget it get this signature
which obviously cause the locked mode feature to fail.
This behaviour seems consistent in different Windows versions and machines.
Not tested on Linux/MaxOs.
I believe it is a common scenario to use different versions of the SDK on a dev machine as well on a build agent (not everyone use disposable docker agents yet) e.g. via global.json in different projects
Happy to help investigate more but I will need someone to point me in the right direction.
Thank you
Product Versions
NuGet product used: dotnet.exe
Version pre locked mode used:
❯ dotnet --version
2.1.403
❯ dotnet nuget --version
NuGet Command Line
4.8.1.0
Version with locked mode used:
❯ dotnet --version
2.2.102
❯ dotnet nuget --version
NuGet Command Line
4.9.2.0
OS version: Win10 17763
Worked before? No
Detailed repro steps so we can see the same problem
cd DotnetRestoreLockedMode\NetSdk22dotnet restore --force --force-evaluatedotnet restore --force --locked-modepass!cd ..\NetSdk21dotnet restore --forcecd ..\NetSdk22dotnet restore --force --locked-modefail! :(Sample Project
https://github.com/alefranz/DotnetRestoreLockedMode
Note the global.json is at the project level for simplicity, but it doesn't make any difference having different solutions.
The text was updated successfully, but these errors were encountered: