
poetry 1.2.0 can't install packages from private pypi servers supporting only MD5 hashes #6301

Closed
3 tasks done
jclerman opened this issue Aug 31, 2022 · 74 comments · Fixed by #8118
Labels
kind/bug Something isn't working as expected status/triage This issue needs to be triaged

Comments

jclerman commented Aug 31, 2022

  • I am on the latest Poetry version.
  • I have searched the issues of this repo and believe that this is not a duplicate.
  • If an exception occurs when executing a command, I executed it again in debug mode (-vvv option).
  • OS version and name: MacOS Monterey (12.5.1)
  • Poetry version: 1.2.0

Issue

After upgrading from poetry 1.1.15 to 1.2.0, I can no longer poetry install in my dev environment - it fails on a single package. I've investigated and it looks like the problem is that with the new poetry, only SHA256 hashes are stored for packages in poetry.lock, even when the serving PyPi repository only supplies MD5 hashes.

Somehow, even though the PyPi repo serves MD5 (only) hashes, the new poetry stores a SHA256 hash in poetry.lock - then when I try to do poetry install, the MD5 hash from the retrieved package of course doesn't match the hash in the lock file, so I get:

Retrieved digest for link sirona-xyz-utils-0.10.2.tar.gz(md5:XXXXX) not in poetry.lock metadata ['sha256:YYYYY', 'sha256:ZZZZZ']

  at ~/Library/Application Support/pypoetry/venv/lib/python3.7/site-packages/poetry/installation/chooser.py:145 in _get_links
      141│             selected_links.append(link)
      142│
      143│         if links and not selected_links:
      144│             raise RuntimeError(
    → 145│                 f"Retrieved digest for link {link.filename}({h}) not in poetry.lock"
      146│                 f" metadata {hashes}"
      147│             )
      148│
      149│         return selected_links

(I've obscured the actual hashes and package-name above).

In our case, the PyPi repo server is Nexus, and not the very latest Nexus which does serve SHA256 hashes - that was only released this month, Aug 2022.

@jclerman jclerman added kind/bug Something isn't working as expected status/triage This issue needs to be triaged labels Aug 31, 2022
@jclerman (Author)

I can work around the issue by manually installing the offending package(s) via pip, but that doesn't address the real issue here.

@neersighted (Member)

Duplicate #4523

@neersighted closed this as not planned Aug 31, 2022
@jclerman (Author)

@neersighted, is this really a duplicate? The behavior I've noted here is a regression from 1.1.15 to 1.2.0.

andrecp commented Aug 31, 2022

This isn't a duplicate, @neersighted; I think @dimbleby also didn't read the latest comments. 1.2.0 broke poetry for a lot of its current users. Downgrading works.

@dimbleby (Contributor)

Well in that case we can close #4523 and leave this one open, because 1.1 is out of support so it's only the 1.2 behaviour that's worth tracking here.

Either way we only need one open issue.

For real, please stop tagging me: it was borderline rude the first time and it's absurd after I've asked you to stop.

andrecp commented Aug 31, 2022

Apologies, you mentioned "don't tag me in this issue", and this is a separate issue in my eyes; I thought you hadn't read the comments above it in the other issue (as the thread changed context). I won't be tagging you anymore regarding this. I don't know the etiquette on tagging in GH; I just saw you were a maintainer.

@neersighted (Member)

Fair enough, going with this issue as the new canon.

I would like to point out that @dimbleby is NOT a Poetry maintainer -- he is a frequent contributor and an expert in many of the hairier parts of the ecosystem and codebase. However, he has expressly declined to be declared formally part of the project, and should not be pinged on issues he has not explicitly expressed interest in.

@dimbleby (Contributor)

... that @dimbleby ...

omg now you're at it...! I'm also not entirely sure about github tag etiquette and hope I don't sound too grumpy; but would y'all please allow me to unsubscribe from this problem? It just happens not to be interesting to me, that's all.

andrecp commented Aug 31, 2022

Sounds good, apologies again!

Getting back in this subject, from @msscaroso on the #4523 issue

Same issue happening here.
I'm using poetry-1.2.0

Poetry creates the lock file with md5 and now it only looks for sha256. The package repository has both and the install should not fail.

I'll try to pin poetry version and see if it works for the time being

I wonder if this was the regression? It seems like in the case above the repo has both md5 and sha256, but poetry is not looking for the sha256 one. Anyhow, I will get back to work. For now I'm pinned to the latest version of 1.1.x and it "fixed" this problem.

@neersighted (Member)

omg now you're at it...! I'm also not entirely sure about github tag etiquette and hope I don't sound too grumpy; but would y'all please allow me to unsubscribe from this problem? It just happens not to be interesting to me, that's all.

😆 my bad, was meant to be a one-off. Please don't ping non-maintainers (and please don't passive-aggressively ping maintainers either, not that it happened in this thread) as it's rather rude to do so, and this issue tracker is actively monitored. We have a lot of work to do regarding duplicates, labeling, and whatnot, but that is neither here nor there right now.

john2zy commented Sep 1, 2022

For anyone desperately looking for a solution, hopefully this helps. I certainly got really frustrated by it.

On Macbook Pro M1 Pro
MacOS: Monterey

  1. Uninstall poetry 1.2.0 and install 1.1.5
  2. Go to poetry's own virtual env, in my case, ~/Library/Application Support/pypoetry/venv/bin
  3. use ./pip list to check poetry-core's version. I got 1.0.8
  4. ./pip install poetry-core==1.0.4 to downgrade it

Downgrading poetry-core is needed because it hardcodes sha256 when validating hashes. We'll need to reverse that.

@DonFortes

The same problem. pip install "poetry<1.2" as a temporary "fix" worked

ronlut commented Sep 5, 2022

I have a similar problem.
Any direction for a solution with poetry >= 1.2?

@lucaspolo

Same problem here! Temporary solution is pin version to <1.2

lokeshjain279 commented Sep 6, 2022

I am also facing the same problem and this is a major blocker in adopting poetry. Getting the following error while installing a privately hosted library in Nexus.

Retrieved digest for link mal_lib_poc-0.5.2.tar.gz(md5:0d08bdd0f8a21cb012816e77cec1d9c1) not in poetry.lock metadata ['sha256:605264c4a71648bbf4d966bc3031ac4121b1ecfea5ae730fe46257a36857233f', 'sha256:c021d5b2c34b68aeecb813a9108ddf3d9b19e2ebb1a93b4cb24a489c80417dd9']

  at ~/.local/share/pypoetry/venv/lib/python3.7/site-packages/poetry/installation/chooser.py:145 in _get_links
      141│             selected_links.append(link)
      142│ 
      143│         if links and not selected_links:
      144│             raise RuntimeError(
    → 145│                 f"Retrieved digest for link {link.filename}({h}) not in poetry.lock"
      146│                 f" metadata {hashes}"
      147│             )
      148│ 
      149│         return selected_links

jclerman (Author) commented Sep 6, 2022

For people suffering from this issue and using the latest (3.41.x or above) version of Sonatype Nexus for their private PyPi repository, the problem can be solved by forcing Nexus to re-create the index files for all affected packages. There is a Nexus bug where the problem is described: https://issues.sonatype.org/browse/NEXUS-34950 and the solution is to delete all files under simple/ in the Nexus PyPi server (or at least, all files for packages that aren't yielding sha256 hashes yet). The files will be re-created properly next time a client requests package info via the simple interface.

@shea-parkes

I did find a stupid workaround that seems to work for those using services like GemFury/Nexus that are still serving some packages with MD5 hashes only:

You can't just replace the MD5 hash with the SHA256 hash in poetry.lock because Poetry still compares the reported hash from the repository to poetry.lock (and then goes on to hash the downloaded file with SHA256 and compare that against poetry.lock as well).

But at the moment, it appears you can have redundant file entries in poetry.lock. So instead of replacing the hash for a given .whl (or whatever file you're failing on), duplicate that line and change the hash on the new line. So you have two lines describing the same file, but one has an md5 hash and one has a sha256 hash.

The poetry internals appear to currently build a set of all hashes for a given package, so it's lenient on having multiple entries (as of current version of poetry).

@invokermain

The solution is to delete all files under simple/ in the Nexus PyPi server.

I think this will fix the issue I am seeing with this poetry issue and Sonatype Nexus Repository Manager OSS 3.37.1-0, but I cannot figure out how to apply the fix. Could you ELI5?

vad commented Sep 7, 2022

@invokermain you must upgrade Nexus to 3.41+ first, then you can:

  • push new versions of the packages
  • use that trick (remove simple/) to force sha256 hash creation

@AdamGagorik

I see a similar issue for packagecloud.io based private package repo. However, it is with SHA1 hashes instead of MD5. The solution provided by @shea-parkes works to get around it temporarily. Manually editing the lock file every time we do a dependency update would not work long term.

• Installing xxxxxx (1.0.0)
 
RuntimeError
 
Retrieved digest for link xxxxxx-1.0.0.tar(sha1:...) not in poetry.lock metadata ['sha256:...']
 
at ~/.local/lib/python3.9/site-packages/poetry/installation/chooser.py:144 in _get_links
    140│ 
    141│             selected_links.append(link)
    142│ 
    143│         if links and not selected_links:
  → 144│             raise RuntimeError(
    145│                 f"Retrieved digest for link {link.filename}({h}) not in poetry.lock"
    146│                 f" metadata {hashes}"
    147│             )
    148│ 

oleks-popovych commented Sep 7, 2022

Currently I'm facing the same issue.
The possible solution I see now is upgrading Nexus to a recent version, which has finally switched from md5 to sha256.

This issue may clarify why this issue appears.

On the other hand, maybe poetry could go a step further and check which hash name the repository service is providing?

@ademoverflow

Hello, same problem with the latest poetry version (1.3.2).
We have a Nexus that hosts home-made python packages, and installing them with poetry does not work.
Logs:

Package operations: 1 install, 0 updates, 0 removals

  • Installing XXXXXXXXXXX (0.1.0): Failed

  RuntimeError

  Retrieved digest for link XXXXXXXXXXXX-0.1.0.tar.gz(md5:71cf85a955df5595ca799ee43dc470d3) not in poetry.lock metadata ['sha256:808761b60f05670f43c6be57d5c95ddc4db636041e62e74463a398c5cc9e4fb1', 'sha256:67ffb7d2f0a168517876ae8b98e075986d04c003419aec2543fc9f92c31184ea']

  at /opt/poetry/venv/lib/python3.8/site-packages/poetry/installation/chooser.py:146 in _get_links
      142│ 
      143│             selected_links.append(link)
      144│ 
      145│         if links and not selected_links:
    → 146│             raise RuntimeError(
      147│                 f"Retrieved digest for link {link.filename}({h}) not in poetry.lock"
      148│                 f" metadata {hashes}"
      149│             )
      150│ 

Cleared the cache (both poetry and pip caches), removed poetry.lock, not working at all :(
I saw that this issue and another strongly similar one have existed for 3 years now; maybe this should be considered a priority?

What version of Nexus are you running? It works fine since https://issues.sonatype.org/browse/NEXUS-24127, but new versions of the packages need to be uploaded.

I'm using Nexus v3.37, but how is this related to Nexus?

vfazio (Contributor) commented Jan 30, 2023

I'm using Nexus v3.37, but how is this related to Nexus?
@ademoverflow

Because Nexus prior to 3.41 doesn't report sha256 hashes, it only reports md5. AFAICT, Poetry 1.2+ does not support md5 hashes. You should upgrade to Nexus 3.44 if you need poetry 1.2+ or stick to poetry 1.1.x.

@ademoverflow

Thank you for the info. Will try to update the nexus asap.

But when I look at my package on Nexus, I see that it has some checksums, not only md5 (sha1, sha256, etc.), so are we sure that the issue is really related to Nexus ONLY?

vfazio (Contributor) commented Jan 30, 2023

@ademoverflow

Nexus stores multiple hashes for the individual backing files, but the page used to serve those files up as a pypi index only serves up the md5sum prior to 3.41. This is technically within the PEP 503 spec (https://peps.python.org/pep-0503/); however, poetry does not accept what they consider to be insecure hash types.

Nexus 3.44 supposedly fixes an issue with stale indices for packages uploaded prior to 3.41, but I haven't had a chance to test that it works.

@ademoverflow

After upgrading to 3.46 and reuploading my packages, it works perfectly. Thanks!

vfazio (Contributor) commented Feb 6, 2023

@ademoverflow

After upgrading to 3.46 and reuploading my packages, it works perfectly. Thanks !

I don't want to take this too far off topic, but was reuploading necessary? Nexus documentation via https://issues.sonatype.org/browse/NEXUS-34950 implies this isn't necessary after 3.44 :-/

@ademoverflow

I've tested before reuploading with no success, unfortunately. But right after the reupload, poetry succeeded in adding the package without any error.

@TreeKat71

It does work for me.

Steps below

  1. Update Nexus to 3.44
  2. Re-upload all needed packages.
  3. Update poetry to the latest (1.3.2)
  4. Reduce the time of resolving dependencies from 10000+s to 150s.

vfazio (Contributor) commented Feb 26, 2023

Just for clarification, when updating Nexus to 3.44+ it's not necessary to reupload all packages. There are maintenance tasks that you can run to clear and generate the simple index https://issues.sonatype.org/browse/NEXUS-36608.

@palmitoto

pypi-server run . --hash-algo=sha256

This didn't work for us, as setting this only tells the server to generate a sha256 hash for all uploads, not for the packages already uploaded. I'm unaware of any means of telling the server to re-generate hashes using a new algorithm.

For my part it worked for all packages, old or new.

@falknerdominik

Also only worked for new packages for me. Maybe the Nexus version was not high enough. In my case I reuploaded the packages.

obaltian commented Mar 11, 2023

Since disabling the new installer is now deprecated (since 1.4.0), the previous workaround should be replaced by something more solid.
Any updates on this issue?

gaborbernat (Contributor) commented Jun 21, 2023

So the problem comes from https://github.com/python-poetry/poetry/blame/master/src/poetry/repositories/http_repository.py#L224-L246, a change made by @abn; this ignores the hash returned by the HTTP repository and instead calculates the SHA256 variant for it. However, at https://github.com/python-poetry/poetry/blob/master/src/poetry/installation/chooser.py#LL105C1-L105C1 this transformation is not made, hence the failure here. Options:

  1. Respect the hash served by the server and do not recalculate.
  2. Make the same dynamic calculation in chooser.

Maintainers, should I make a PR, any preferences? For now I created a PR with the latter.

@radoering (Member)

I'm not that deep into this topic. After reading several linked issues and PRs, I conclude as follows regarding the two options:

1. Respect the hash served by the server and do not recalculate.

#2958 introduced the change and probably did not allow md5 because it's too weak (i.e. not secure). Further, this may result in other issues if the server is just a mirror, see #5326 (comment):

Allowing non-sha checksums would break exporting to requirements.txt for use with pip (unless using --without-hashes) as pip no longer supports using md5, sha1, and sha224 checksums.

pip says:

However, weaker ones such as md5, sha1, and sha224 are excluded to avoid giving a false sense of security.

I would consider simply allowing md5 to be a security risk. I think a config option to allow md5 that is turned off by default and maybe still prints a warning if md5 is used when turned on might be a viable option.

2. Make the same dynamic calculation in chooser.

Sounds like a "simple" bugfix to me so I'd say this might make more sense. Further, it's more secure. IMO, we should prefer this solution.
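The failure in the original report, the duplicate-line workaround from @shea-parkes, and the "option 2" fix discussed by @gaborbernat and @radoering, modelled as an added example. This is not Poetry's own code and does not reproduce its internals; it is a small chooser written for this thread. The package name, archive bytes, index URL and lock entries are constructed, and the function names (`parse_link_digest`, `lock_hashes`, `naive_choose`, `recomputing_choose`) are my own. It shows why an md5-only PEP 503 index can never match a sha256-only lock file under a literal comparison, why a second lock entry carrying the md5 digest makes that literal comparison pass, and how recomputing sha256 over the downloaded bytes accepts the honest download and rejects an altered one without ever trusting the md5 value.

```python
"""Added example, not Poetry's own code: a minimal model of the hash check
described in this thread.  Package name, archive bytes, index URL and lock
entries are all constructed here; function names are my own."""
from __future__ import annotations

import hashlib
from urllib.parse import unquote, urlparse


def parse_link_digest(href: str) -> tuple[str, str] | None:
    """Read the digest a PEP 503 index advertises in the link fragment,
    e.g. '.../pkg-1.0.tar.gz#md5=<hex>'.  Returns (algo, hexdigest), or None
    when the index advertises no digest at all."""
    fragment = urlparse(href).fragment
    if "=" not in fragment:
        return None
    algo, digest = fragment.split("=", 1)
    return algo.lower(), unquote(digest).lower()


def lock_hashes(lock_files: list[dict]) -> set[str]:
    """Every 'algo:hexdigest' string the lock file records for a package.
    A set, so two entries for the same file name (one md5, one sha256) both
    count: that is why the duplicate-line workaround in this thread passes."""
    return {entry["hash"] for entry in lock_files}


def naive_choose(href: str, lock_files: list[dict]) -> bool:
    """Behaviour the reports above describe: accept the link only if the
    digest the index reports is literally present in the lock file.  With an
    md5-only index and a sha256-only lock this never matches."""
    parsed = parse_link_digest(href)
    if parsed is None:
        return False
    algo, digest = parsed
    return f"{algo}:{digest}" in lock_hashes(lock_files)


def recomputing_choose(href: str, archive: bytes, lock_files: list[dict]) -> bool:
    """Option 2 from the discussion: when the index reports anything other
    than sha256, ignore that digest and compute sha256 over the downloaded
    bytes, so md5 or sha1 is never the integrity anchor."""
    parsed = parse_link_digest(href)
    if parsed is None:
        return False
    algo, digest = parsed
    if algo != "sha256":
        digest = hashlib.sha256(archive).hexdigest()
    return f"sha256:{digest}" in lock_hashes(lock_files)


# --- constructed sample data (not real packages or digests) -----------------
ARCHIVE = b"constructed sdist bytes for example-pkg 0.10.2\n"
SHA256 = hashlib.sha256(ARCHIVE).hexdigest()
# usedforsecurity=False: md5 is only computed here to imitate what the index
# advertises, never to decide trust (Python 3.9+).
MD5 = hashlib.md5(ARCHIVE, usedforsecurity=False).hexdigest()
BASE = "https://nexus.example.internal/simple/example-pkg/example-pkg-0.10.2.tar.gz"
HREF_MD5 = f"{BASE}#md5={MD5}"          # what a pre-3.41 Nexus index serves
HREF_SHA256 = f"{BASE}#sha256={SHA256}"  # what a fixed index serves
LOCK = [{"file": "example-pkg-0.10.2.tar.gz", "hash": f"sha256:{SHA256}"}]
LOCK_WITH_WORKAROUND = LOCK + [{"file": "example-pkg-0.10.2.tar.gz", "hash": f"md5:{MD5}"}]
TAMPERED = ARCHIVE + b"# one extra line changes the sha256\n"


if __name__ == "__main__":
    print("md5 index, sha256-only lock, naive check:", naive_choose(HREF_MD5, LOCK))
    print("same, with duplicate md5 line in lock:   ", naive_choose(HREF_MD5, LOCK_WITH_WORKAROUND))
    print("md5 index, recompute sha256 of download: ", recomputing_choose(HREF_MD5, ARCHIVE, LOCK))
    print("same, but the download was altered:      ", recomputing_choose(HREF_MD5, TAMPERED, LOCK))
    print("sha256 index, direct comparison:         ", recomputing_choose(HREF_SHA256, ARCHIVE, LOCK))
```

The design point matches the comment above: with `recomputing_choose` the md5 the index advertises is never what decides acceptance, so a weak advertised digest does not weaken the check, and the lock file's sha256 remains the only trust anchor. The duplicate-entry workaround, by contrast, only satisfies the literal comparison; it is the later sha256 check over the downloaded file that still provides integrity in that case.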

@lucas-bunzel

@gaborbernat Do we have an estimate of when a release with this fix will be launched? Thank you.

@gaborbernat (Contributor)

I'm not a maintainer so can't say.

lnlrbr commented Jul 26, 2023

Hi all,
we use an old Artifactory server and this problem occurs with Poetry 1.5.1. Is there any plan to solve this issue? Thanks

@yiftachn

Joining to ask for a solution; I can't affect the private pypi server owners.

chrimaho commented Aug 9, 2023

Bumping this issue. Is there any resolution to this problem yet?

Jmennius commented Nov 30, 2023

Since Nexus's Jira is not available anymore (https://issues.sonatype.org/browse/NEXUS-24127 is not accessible)
and it was not easy to find adequate instructions, here is a brief summary:

  • Upgrade to Nexus >= 3.44.0; it has supported sha256 since 3.41.0, but the task to rebuild indexes has only existed since 3.44.0.
    At this point you still have md5 indexes for packages, but you do NOT have to re-upload all your packages.
  • Instead, in the Nexus admin UI create a task "PyPI - Delete Index Asset MD5 Metadata" and run it once, manually, for your repositories.

BTW, it looks like if you upload a new package, older ones will be automatically updated to use sha256. But I would still run the task manually.
FYI, there is also a "PyPI - Generate Missing SHA256 Checksums" task, but I did not have to run that.

elementary-charge commented Jan 9, 2024

I'm using Nexus 3.43 and have no direct access to simply update it. For me, a fairly trivial action sequence helped:

  • uninstall target package pip uninstall ...
  • remove lock file
  • launch poetry install --no-cache

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 29, 2024