libgcrypt SHA256 mismatch?

Kurt Buff kurt.buff at
Thu Sep 29 17:21:16 UTC 2011

On Wed, Sep 28, 2011 at 18:45, Lars Eighner <portsuser at> wrote:
> On Wed, 28 Sep 2011, Kurt Buff wrote:
>> All,
>> I've just spun up a new 8.2-RELEASE VM, and gotten a fresh ports tree.
>> I tried to install XFCE4, but it has ended with an error:
>> ===>    Verifying install for gcrypt.18 in /usr/ports/security/libgcrypt
>> ===>  License GPLv2 LGPL21 accepted by the user
>> ===>  Extracting for libgcrypt-1.5.0
>> => SHA256 Checksum mismatch for libgcrypt-1.5.0.tar.bz2.
>> ===>  Refetch for 1 more times files: libgcrypt-1.5.0.tar.bz2
>> ===>  License GPLv2 LGPL21 accepted by the user
>> => libgcrypt-1.5.0.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
>> => Attempting to fetch
>> fetch:
>> size unknown
>> fetch:
>> size of remote file is not known
>> libgcrypt-1.5.0.tar.bz2                               4634  B 5734 kBps
>> ===>  License GPLv2 LGPL21 accepted by the user
>> => SHA256 Checksum mismatch for libgcrypt-1.5.0.tar.bz2.
>> ===>  Giving up on fetching files: libgcrypt-1.5.0.tar.bz2
>> Make sure the Makefile and distinfo file
>> (/usr/ports/security/libgcrypt/distinfo)
>> are up to date.  If you are absolutely sure you want to override this
>> check, type "make NO_CHECKSUM=yes [other args]".
>> Anyone else run into this?
> The source file is being truncated because fetch loses its connection for
> one reason or another.  Many servers now cut you off if you are at dial-up
> speeds because "net fairness" means broadband users always go to the front
> of the line.
> You can make a shell script to fetch the file and keep running it until you
> finally get the whole file a piece at a time or you can try ftp.  When you
> have the whole source file (check it against distinfo) place it in
> /usr/ports/distfiles. Things should go fine.
> "Checksum mismatch" nearly always means a truncated file.  I cannot ever
> remember seeing it otherwise.  Do not override it with NO_CHECKSUM.  That
> will be useless with a truncated file and worse than useless if a security
> port really has been tampered with.

Interesting. I found out what the problem is, but haven't figured out
how to work around it.

As a test, I put the URL
into a web browser, and found that it's being blocked by our web
filter, because the site is marked as also serving adult content. The
supposed tarball in /usr/ports/distfiles is the response from the web
filter, so it's junk.

After repeated fetches, that is the only site my machine is using to
grab the tarball. How do I tell the machine to vary its download sites
(if indeed there are alternatives)?

In the Makefile I see the line


which I'd bet controls how it finds what sites to visit, but don't
know anything beyond that.
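
Added example, not part of the original thread: a small sh helper that performs the "check it against distinfo" step and tells apart the case found here (a web filter's HTML page saved under the tarball's name) from a truncated download. The function names and verdict strings are assumptions of this example; the distinfo layout assumed is the `SHA256 (file) = value` / `SIZE (file) = value` form.

```shell
#!/bin/sh
# Added example (not from the thread). Verdicts printed by check_distfile:
#   ok | html-response | truncated | mismatch | not-listed

sha256_of() {
    # FreeBSD ships sha256(1); GNU systems ship sha256sum(1).
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{ print $1 }'
    fi
}

distinfo_field() {
    # Args: key (SHA256 or SIZE), distfile name, path to distinfo.
    awk -v key="$1" -v name="($2)" \
        '$1 == key && $2 == name { print $4 }' "$3"
}

check_distfile() {
    distinfo=$1
    file=$2
    name=$(basename "$file")
    want_sum=$(distinfo_field SHA256 "$name" "$distinfo")
    want_size=$(distinfo_field SIZE "$name" "$distinfo")
    [ -n "$want_sum" ] || { echo not-listed; return 2; }

    have_size=$(wc -c < "$file" | tr -d ' ')
    if [ "$(sha256_of "$file")" = "$want_sum" ] &&
       [ "$have_size" = "$want_size" ]; then
        echo ok
        return 0
    fi
    # A proxy or filter block page is HTML text, not a compressed archive.
    if head -c 512 "$file" | grep -Eqi '<html|<!doctype'; then
        echo html-response
    elif [ "$have_size" -lt "${want_size:-0}" ]; then
        echo truncated
    else
        echo mismatch
    fi
    return 1
}

# Stand-alone use: sh script.sh <distinfo> <distfile>
if [ $# -eq 2 ]; then check_distfile "$1" "$2"; fi
```

An `html-response` verdict means the bytes on disk came from something between the machine and the mirror, so refetching from the same site will keep failing and `NO_CHECKSUM` would only build from junk.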



More information about the freebsd-questions mailing list