[package] libjpeg/9d: wrong SHA256 checksum

[andioz]

Package and Environment Details

• Package Name/Version: libjpeg/9d
• Operating System+version: Linux Ubuntu 20.04

Conan profile

Configuration for profile default:

[settings]
os=Linux
os_build=Linux
arch=x86_64
arch_build=x86_64
compiler=gcc
compiler.version=9
compiler.libcxx=libstdc++
build_type=Release
[options]
[build_requires]
[env]

Problem

I cannot build, signature is wrong:

 Provided signature: 99cb50e48a4556bc571dadd27931955ff458aae32f68c4d9c39d624693f69c32  
 Computed signature: 6c434a3be59f8f62425b2e3c077e785c9ce30ee5874ea1c270e843f273ba71ee

Steps to reproduce (Include if Applicable)

$ cd conan-center-index/recipes/libjpeg/all
$ conan create . libjpeg/9d@
[HOOK - conan-center.py] pre_export(): [DEPRECATED GLOBAL CPPSTD (KB-H001)] OK
[HOOK - conan-center.py] pre_export(): [REFERENCE LOWERCASE (KB-H002)] OK
[HOOK - conan-center.py] pre_export(): [RECIPE METADATA (KB-H003)] OK
[HOOK - conan-center.py] pre_export(): [HEADER_ONLY, NO COPY SOURCE (KB-H005)] OK
[HOOK - conan-center.py] pre_export(): [FPIC OPTION (KB-H006)] OK
[HOOK - conan-center.py] pre_export(): [VERSION RANGES (KB-H008)] OK
[HOOK - conan-center.py] pre_export(): [RECIPE FOLDER SIZE (KB-H009)] Total recipe size: 49.19921875 KB
[HOOK - conan-center.py] pre_export(): [RECIPE FOLDER SIZE (KB-H009)] OK
[HOOK - conan-center.py] pre_export(): [EXPORT LICENSE (KB-H023)] exports: None
[HOOK - conan-center.py] pre_export(): [EXPORT LICENSE (KB-H023)] exports: ['Win32.Mak', 'patches/**']
[HOOK - conan-center.py] pre_export(): [EXPORT LICENSE (KB-H023)] OK
[HOOK - conan-center.py] pre_export(): [TEST PACKAGE FOLDER (KB-H024)] OK
[HOOK - conan-center.py] pre_export(): [META LINES (KB-H025)] OK
[HOOK - conan-center.py] pre_export(): [CONAN CENTER INDEX URL (KB-H027)] OK
[HOOK - conan-center.py] pre_export(): [CMAKE MINIMUM VERSION (KB-H028)] OK
[HOOK - conan-center.py] pre_export(): [TEST PACKAGE - RUN ENVIRONMENT (KB-H029)] OK
[HOOK - conan-center.py] pre_export(): [SYSTEM REQUIREMENTS (KB-H032)] OK
[HOOK - conan-center.py] pre_export(): [CONANDATA.YML FORMAT (KB-H030)] OK
[HOOK - conan-center.py] pre_export(): [TEST PACKAGE - NO IMPORTS() (KB-H034)] OK
[HOOK - conan-center.py] pre_export(): [NO AUTHOR (KB-H037)] OK
[HOOK - conan-center.py] pre_export(): [NO TARGET NAME (KB-H040)] OK
[HOOK - conan-center.py] pre_export(): [NO FINAL ENDLINE (KB-H041)] OK
[HOOK - conan-center.py] pre_export(): [NO REQUIRES.ADD() (KB-H044)] OK
[HOOK - conan-center.py] pre_export(): [DELETE OPTIONS (KB-H045)] OK
[HOOK - conan-center.py] pre_export(): [NO ASCII CHARACTERS (KB-H047)] OK
[HOOK - conan-center.py] pre_export(): [CMAKE VERBOSE MAKEFILE (KB-H046)] OK
[HOOK - conan-center.py] pre_export(): [CMAKE VERSION REQUIRED (KB-H048)] OK
[HOOK - conan-center.py] pre_export(): [CMAKE WINDOWS EXPORT ALL SYMBOLS (KB-H049)] OK
[HOOK - conan-center.py] pre_export(): [DEFAULT OPTIONS AS DICTIONARY (KB-H051)] OK
[HOOK - conan-center.py] pre_export(): [CONFIG.YML HAS NEW VERSION (KB-H052)] OK
[HOOK - conan-center.py] pre_export(): [PRIVATE IMPORTS (KB-H053)] OK
Exporting package recipe
libjpeg/9d exports: File 'conandata.yml' found. Exporting it...
libjpeg/9d exports: Copied 1 '.yml' file: conandata.yml
libjpeg/9d exports_sources: Copied 1 '.Mak' file: Win32.Mak
libjpeg/9d exports_sources: Copied 1 '.patch' file: 0001-libjpeg-add-msvc-dll-support.patch
[HOOK - conan-center.py] post_export(): [CONANDATA.YML REDUCE (KB-H031)] Saving conandata.yml: {'sources': {'9d': {'url': 'http://ijg.org/files/jpegsrc.v9d.tar.gz', 'sha256': '99cb50e48a4556bc571dadd27931955ff458aae32f68c4d9c39d624693f69c32'}}, 'patches': {'9d': [{'patch_file': 'patches/0001-libjpeg-add-msvc-dll-support.patch', 'base_path': 'source_subfolder'}]}}
[HOOK - conan-center.py] post_export(): [CONANDATA.YML REDUCE (KB-H031)] New conandata.yml contents: patches:
  9d:
  - base_path: source_subfolder
    patch_file: patches/0001-libjpeg-add-msvc-dll-support.patch
sources:
  9d:
    sha256: 99cb50e48a4556bc571dadd27931955ff458aae32f68c4d9c39d624693f69c32
    url: http://ijg.org/files/jpegsrc.v9d.tar.gz

[HOOK - conan-center.py] post_export(): [CONANDATA.YML REDUCE (KB-H031)] OK
[HOOK - conan-center.py] post_export(): [DEFAULT SHARED OPTION VALUE (KB-H050)] OK
libjpeg/9d: The stored package has not changed
libjpeg/9d: Source folder is corrupted, forcing removal
libjpeg/9d: Exported revision: 1e1ae44fcf44e8e212e80a72f2cf4c3d
Configuration:
[settings]
arch=x86_64
arch_build=x86_64
build_type=Release
compiler=gcc
compiler.libcxx=libstdc++
compiler.version=9
os=Linux
os_build=Linux
[options]
[build_requires]
[env]

libjpeg/9d: Forced build from source
libjpeg/9d (test package): Installing package
Requirements
    libjpeg/9d from local cache - Cache
Packages
    libjpeg/9d:6af9cc7cb931c5ad942174fd7838eb655717c709 - Build

Installing (downloading, building) binaries...
libjpeg/9d: WARN: Build folder is dirty, removing it: /home/zoufala/sandbox/github/andioz/conan-center-index/tmp/.conan/data/libjpeg/9d/_/_/build/6af9cc7cb931c5ad942174fd7838eb655717c709
[HOOK - conan-center.py] pre_source(): [IMMUTABLE SOURCES (KB-H010)] OK
libjpeg/9d: Configuring sources in /home/zoufala/sandbox/github/andioz/conan-center-index/tmp/.conan/data/libjpeg/9d/_/_/source
Downloading jpegsrc.v9d.tar.gz completed [1045.00k]                                      
ERROR: libjpeg/9d: Error in source() method, line 38
	tools.get(**self.conan_data["sources"][self.version])
	ConanException: sha256 signature failed for 'jpegsrc.v9d.tar.gz' file. 
 Provided signature: 99cb50e48a4556bc571dadd27931955ff458aae32f68c4d9c39d624693f69c32  
 Computed signature: 6c434a3be59f8f62425b2e3c077e785c9ce30ee5874ea1c270e843f273ba71ee
$ 

I'm pretty sure it worked until today noon UTC (January 7th, 2021), but suddenly the signature doesn't match anymore. Ich checked the source repository on the website, downloaded the archive file and generated the hash. Indeed the result changed!

Is this maybe a serious attack, or some conan internal problem? The timestams on their web site looks ok:

 README                            3 KB   Mon Jan 04 22:33 2016 
 T-REC-T.871-201105-I!!PDF-E.pdf 198 KB   Tue Oct 21 13:22 2014   Portable Document Format
 TIFFTechNote2.txt.gz             13 KB   Thu Apr 17 03:02 2008   Plain Text
 Wallace.JPEG.pdf                 78 KB   Fri May 11 23:29 2012   Portable Document Format
 jdosaobj.zip                      2 KB   Thu Apr 17 03:02 2008   Zip Compressed Data
 jfif3.pdf                        17 KB   Tue Oct 21 14:47 2014   Portable Document Format
 jpeg.documents.gz                 2 KB   Thu Apr 17 03:02 2008 
 jpegaltui.v9d.tar.gz             14 KB   Sat Jan 11 12:03 2020   Unix Tape Archive
 jpegaltui9d.zip                  18 KB   Sat Jan 11 11:09 2020   Zip Compressed Data
 jpegsr6b.zip                    745 KB   Sat Apr 20 13:47 2002   Zip Compressed Data
 jpegsr7.zip                   1,009 KB   Sat Jun 27 10:42 2009   Zip Compressed Data
 jpegsr8.zip                   1,013 KB   Sun Jan 10 10:10 2010   Zip Compressed Data
 jpegsr8a.zip                  1,014 KB   Sun Feb 28 11:19 2010   Zip Compressed Data
 jpegsr8b.zip                  1,018 KB   Sun May 16 10:19 2010   Zip Compressed Data
 jpegsr8c.zip                  1,032 KB   Sun Jan 16 10:17 2011   Zip Compressed Data
 jpegsr8d.zip                  1,037 KB   Sun Jan 15 10:34 2012   Zip Compressed Data
 jpegsr9.zip                   1,029 KB   Sun Jan 13 10:24 2013   Zip Compressed Data
 jpegsr9a.zip                  1,042 KB   Sun Jan 19 10:26 2014   Zip Compressed Data
 jpegsr9b.zip                  1,065 KB   Sun Jan 17 10:46 2016   Zip Compressed Data
 jpegsr9c.zip                  1,071 KB   Sun Jan 14 10:10 2018   Zip Compressed Data
 jpegsr9d.zip                  1,108 KB   Sun Jan 12 10:07 2020   Zip Compressed Data
 jpegsrc.v6a.tar.gz              527 KB   Sun Mar 10 14:19 2019   Unix Tape Archive
 jpegsrc.v6b.tar.gz              599 KB   Sun May 28 18:39 2006   Unix Tape Archive
 jpegsrc.v7.tar.gz               938 KB   Sat Jun 27 10:18 2009   Unix Tape Archive
 jpegsrc.v8.tar.gz               940 KB   Sun Jan 10 10:38 2010   Unix Tape Archive
 jpegsrc.v8a.tar.gz              940 KB   Sun Feb 28 11:15 2010   Unix Tape Archive
 jpegsrc.v8b.tar.gz              943 KB   Sun May 16 10:14 2010   Unix Tape Archive
 jpegsrc.v8c.tar.gz              964 KB   Sun Jan 16 10:11 2011   Unix Tape Archive
 jpegsrc.v8d.tar.gz              969 KB   Sun Jan 15 10:25 2012   Unix Tape Archive
 jpegsrc.v9.tar.gz               965 KB   Sun Jan 13 10:15 2013   Unix Tape Archive
 jpegsrc.v9a.tar.gz              977 KB   Sun Jan 19 10:18 2014   Unix Tape Archive
 jpegsrc.v9b.tar.gz              999 KB   Sun Jan 17 10:38 2016   Unix Tape Archive
 jpegsrc.v9c.tar.gz            1,005 KB   Sun Jan 14 11:48 2018   Unix Tape Archive
 jpegsrc.v9d.tar.gz            1,046 KB   Sun Jan 12 10:49 2020   Unix Tape Archive
 pm.errata.gz                      2 KB   Thu Apr 17 03:02 2008 

[Croydon]

On first sight, I can't see any contact information for them. Does someone know a way we can contact the maintainers and ask them about this?

[dmn-star]

https://jpegclub.org/reference/reference-sources/

https://jpegclub.org/reference/contact/

[datalogics-kam]

Going to the Internet Archive and getting the first jpegsrc.v9d.tar.gz from last year shows a different checksum:

❯ sha256sum jpegsrc*
99cb50e48a4556bc571dadd27931955ff458aae32f68c4d9c39d624693f69c32  jpegsrc.v9d-20200127160911.tar.gz
6c434a3be59f8f62425b2e3c077e785c9ce30ee5874ea1c270e843f273ba71ee  jpegsrc.v9d.tar.gz

Here are the diffs:

❯ diff -ur jpeg-9d-20200127160911 jpeg-9d
diff -ur jpeg-9d-20200127160911/makeasln.v16 jpeg-9d/makeasln.v16
--- jpeg-9d-20200127160911/makeasln.v16	2019-02-07 11:19:48.000000000 -0600
+++ jpeg-9d/makeasln.v16	2019-02-07 12:19:48.000000000 -0600
@@ -1,4 +1,4 @@
-ãØ®
+
 Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio 15
 VisualStudioVersion = 15.0.28307.329
diff -ur jpeg-9d-20200127160911/makecfil.v16 jpeg-9d/makecfil.v16
--- jpeg-9d-20200127160911/makecfil.v16	2010-05-02 03:20:38.000000000 -0500
+++ jpeg-9d/makecfil.v16	2010-05-02 06:20:38.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup>
     <Filter Include="Source Files">
diff -ur jpeg-9d-20200127160911/makecvcx.v16 jpeg-9d/makecvcx.v16
--- jpeg-9d-20200127160911/makecvcx.v16	2019-04-04 13:12:08.000000000 -0500
+++ jpeg-9d/makecvcx.v16	2019-04-04 14:12:08.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Release|Win32">
diff -ur jpeg-9d-20200127160911/makedfil.v16 jpeg-9d/makedfil.v16
--- jpeg-9d-20200127160911/makedfil.v16	2010-05-02 03:20:38.000000000 -0500
+++ jpeg-9d/makedfil.v16	2010-05-02 06:20:38.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup>
     <Filter Include="Source Files">
diff -ur jpeg-9d-20200127160911/makedvcx.v16 jpeg-9d/makedvcx.v16
--- jpeg-9d-20200127160911/makedvcx.v16	2019-04-04 13:12:08.000000000 -0500
+++ jpeg-9d/makedvcx.v16	2019-04-04 14:12:08.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Release|Win32">
diff -ur jpeg-9d-20200127160911/makejfil.v16 jpeg-9d/makejfil.v16
--- jpeg-9d-20200127160911/makejfil.v16	2010-05-01 12:36:54.000000000 -0500
+++ jpeg-9d/makejfil.v16	2010-05-01 15:36:54.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup>
     <Filter Include="Source Files">
diff -ur jpeg-9d-20200127160911/makejsln.v16 jpeg-9d/makejsln.v16
--- jpeg-9d-20200127160911/makejsln.v16	2019-02-07 11:05:24.000000000 -0600
+++ jpeg-9d/makejsln.v16	2019-02-07 12:05:24.000000000 -0600
@@ -1,4 +1,4 @@
-ãØ®
+
 Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio 15
 VisualStudioVersion = 15.0.28307.329
diff -ur jpeg-9d-20200127160911/makejvcx.v16 jpeg-9d/makejvcx.v16
--- jpeg-9d-20200127160911/makejvcx.v16	2019-04-04 13:04:56.000000000 -0500
+++ jpeg-9d/makejvcx.v16	2019-04-04 14:04:56.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Release|Win32">
diff -ur jpeg-9d-20200127160911/makerfil.v16 jpeg-9d/makerfil.v16
--- jpeg-9d-20200127160911/makerfil.v16	2010-05-02 03:20:38.000000000 -0500
+++ jpeg-9d/makerfil.v16	2010-05-02 06:20:38.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup>
     <Filter Include="Source Files">
diff -ur jpeg-9d-20200127160911/makervcx.v16 jpeg-9d/makervcx.v16
--- jpeg-9d-20200127160911/makervcx.v16	2019-04-04 13:12:08.000000000 -0500
+++ jpeg-9d/makervcx.v16	2019-04-04 14:12:08.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Release|Win32">
diff -ur jpeg-9d-20200127160911/maketfil.v16 jpeg-9d/maketfil.v16
--- jpeg-9d-20200127160911/maketfil.v16	2010-05-02 03:20:38.000000000 -0500
+++ jpeg-9d/maketfil.v16	2010-05-02 06:20:38.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup>
     <Filter Include="Source Files">
diff -ur jpeg-9d-20200127160911/maketvcx.v16 jpeg-9d/maketvcx.v16
--- jpeg-9d-20200127160911/maketvcx.v16	2019-04-04 13:12:08.000000000 -0500
+++ jpeg-9d/maketvcx.v16	2019-04-04 14:12:08.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Release|Win32">
diff -ur jpeg-9d-20200127160911/makewfil.v16 jpeg-9d/makewfil.v16
--- jpeg-9d-20200127160911/makewfil.v16	2010-05-02 03:20:38.000000000 -0500
+++ jpeg-9d/makewfil.v16	2010-05-02 06:20:38.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup>
     <Filter Include="Source Files">
diff -ur jpeg-9d-20200127160911/makewvcx.v16 jpeg-9d/makewvcx.v16
--- jpeg-9d-20200127160911/makewvcx.v16	2019-04-04 13:12:10.000000000 -0500
+++ jpeg-9d/makewvcx.v16	2019-04-04 14:12:10.000000000 -0500
@@ -1,4 +1,4 @@
-ãØ®<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <ItemGroup Label="ProjectConfigurations">
     <ProjectConfiguration Include="Release|Win32">

looks like some extraneous characters were removed from the .v16 files.

[datalogics-kam]

libjpeg/9c is also affected:

❯ conan create recipes/libjpeg/all libjpeg/9c@
Exporting package recipe
libjpeg/9c exports: File 'conandata.yml' found. Exporting it...
libjpeg/9c exports: Copied 1 '.yml' file: conandata.yml
libjpeg/9c exports_sources: Copied 1 '.Mak' file: Win32.Mak
libjpeg/9c exports_sources: Copied 1 '.patch' file: 0001-libjpeg-add-msvc-dll-support.patch
libjpeg/9c: A new conanfile.py version was exported
libjpeg/9c: Folder: /Users/kam/.conan/data/libjpeg/9c/_/_/export
libjpeg/9c: Using the exported files summary hash as the recipe revision: aad9cba44421373f72b973a5745b33fb
libjpeg/9c: Exported revision: aad9cba44421373f72b973a5745b33fb
Configuration:
[settings]
arch=x86_64
arch_build=x86_64
build_type=Release
compiler=apple-clang
compiler.libcxx=libc++
compiler.version=12.0
os=Macos
os_build=Macos
[options]
[build_requires]
[env]

libjpeg/9c: Forced build from source
libjpeg/9c (test package): Installing package
Requirements
    libjpeg/9c from local cache - Cache
Packages
    libjpeg/9c:647afeb69d3b0a2d3d316e80b24d38c714cc6900 - Build

Installing (downloading, building) binaries...
libjpeg/9c: Configuring sources in /Users/kam/.conan/data/libjpeg/9c/_/_/source
Downloading jpegsrc.v9c.tar.gz completed [1003.91k]
ERROR: libjpeg/9c: Error in source() method, line 38
	tools.get(**self.conan_data["sources"][self.version])
	ConanException: sha256 signature failed for 'jpegsrc.v9c.tar.gz' file.
 Provided signature: 650250979303a649e21f87b5ccd02672af1ea6954b911342ea491f351ceb7122
 Computed signature: 1e9793e1c6ba66e7e0b6e5fe7fd0f9e935cc697854d5737adec54d93e5b3f730

[andioz]

Looks like they are reorganizing existing archives without changing the filename? Strange... Even the timestamps didn't update.

[andioz]

@ all - what do you think how we should handle this?

• accept the updated archives and correct the signatures without checking?
• check the archives and the update signatures?
• use archived version instead, if possible?
• contact them and clarify if the new archives are ok? (and let them know this breaks at least conan recipes)

[andioz]

I checked the differences for both versions 9c and 9d with their previous ones (from Nov 2020 resp. Dec. 2020). As @datalogics-kam found out, in both archives several make*.v* files has changes, some garbage characters at the beginning of the files are removed.

I would say it looks safe if we would like to update the signatures. But how long will this last, when does the next silent change appear?

[datalogics-kam]

I'm going to make a PR and include documentation of what changed between the tarballs to justify the checksum change.

[mloskot]

On Unix (OSX and Linux), I'm an end user of the Conan's libjpeg/9c and I'm still seeing this

libjpeg/9c@bincrafters/stable: Configuring sources in /Users/runner/.conan/data/libjpeg/9c/bincrafters/stable/source
ERROR: libjpeg/9c@bincrafters/stable: Error in source() method, line 41
	tools.get("{}/files/jpegsrc.v{}.tar.gz".format(self.homepage, self.version), sha256=sha256)
	ConanException: sha256 signature failed for 'jpegsrc.v9c.tar.gz' file. 

My conanfile.txt reads as follows:

[requires]
libpng/1.6.37@bincrafters/stable
libjpeg/9c@bincrafters/stable
libtiff/4.0.9@bincrafters/stable

AFAIU, this issue has been fixed by the PR referred above. Am I supposed to do anything to obtain the fix?
I install Conan via python -m pip install --upgrade conan.

[andioz]

@mloskot python -m pip install --upgrade conan updates the conan application only, not the recipes in your cache. If I remember right, you can use conan install --update ... to update the dependencies in your cache.

Or simply, go into your cache directory and remove all relevant sub-directories in data. This is what I do if I want to be absolutely sure.

[mloskot]

@andioz Thanks for the tip about the cache.

The thing is, I'm getting the failure for CI builds on Azure Pipelines:
https://dev.azure.com/boostorg/gil/_build/results?buildId=1147&view=logs&j=d77bfd1b-2b56-50c4-ff1e-490af6b2be2e&t=af45cbea-d66c-5594-4a9b-0167ff3f0c9a

where, I assume, the cache is clean slate on each build.

The Conan is run via conan-cmake's command conan_cmake_run:
https://github.com/boostorg/gil/blob/2102fdc5b4d80a03691fbcb317c76b96a7f32dd2/CMakeLists.txt#L123-L138

[andioz]

Ah, one more hint: you are using libjpeg/9c@bincrafters/stable, which doesn't use the repository filled with recipes from here. I guess. The new syntax for using https://conan.io/center/ is to omit the user/channel like this libjpeg/9c or to use underscores like this libjpeg/9c@_/_.

[mloskot]

@andioz The new syntax is something I wasn't aware of and it did the trick indeed. Thanks!

[planetmarshall]

I'm still seeing this issue in a local build:

conan remove -f libjpeg
conan install . --build outdated --update

...
libjpeg/9d: Configuring sources in C:\Users\plane\.conan\data\libjpeg\9d\_\_\source
Downloading jpegsrc.v9d.tar.gz completed [1045.00k]
ERROR: libjpeg/9d: Error in source() method, line 38
        tools.get(**self.conan_data["sources"][self.version])
        ConanException: sha256 signature failed for 'jpegsrc.v9d.tar.gz' file.
 Provided signature: 99cb50e48a4556bc571dadd27931955ff458aae32f68c4d9c39d624693f69c32
 Computed signature: 6c434a3be59f8f62425b2e3c077e785c9ce30ee5874ea1c270e843f273ba71ee
...

While I could just delete the local data folder entirely, I'd like to know what's causing the issue otherwise I can't really trust that packages are being properly updated. I'm not seeing this issue on CI where everything is downloaded from scratch - is there some additional caching behaviour going on?