APT Hash sum mismatch

Mar 21, 2016 • packagecloud

TL;DR

NOTE: We recently blogged about another, more serious cause of APT’s Hash sum mismatch bug, and we’ve backported APT 1.2.10 to Ubuntu 12.04 (Precise) and Ubuntu 14.04 (Trusty), which includes fixes for the bug mentioned in this post and many exciting new features.

APT repository metadata can be provided uncompressed or compressed in a variety of archive formats. The most commonly offered formats are gzip, bzip, and lzma.

A bug in apt’s code which deals with reading and writing lzma (.xz) archives causes apt to occasionally report the error “Hash sum mismatch.”

This blog post highlights a workaround and the version of apt in which this bug is fixed.

Users of the following systems should upgrade to the latest version of apt provided by their operating system:

  • Ubuntu Trusty (14.04) and newer
  • Debian Jessie (8) and newer

Users of earlier versions should either upgrade their OS or use the workaround described below.

For the time being, we’ve decided to disable lzma archive support on packagecloud for all repositories. Metadata will still be produced in gzip, bzip, and uncompressed formats. No action is required on the part of packagecloud repository owners.


Hash sum mismatch workaround

Users can force apt not to use lzma compressed metadata in two ways.

The first way is by adding an extra command line flag when running apt-get commands:

$ apt-get update -o Acquire::CompressionTypes::Order::=gz

(Note: You can also specify “bz2” if you prefer bzipped archives instead.)

Alternatively, you can specify this option globally in an apt config so you don’t need to type that each time.

In order to do this:

  1. Create a new file called /etc/apt/apt.conf.d/99compression-workaround
  2. Add the text Acquire::CompressionTypes::Order:: "gz"; to the file

Now, apt-get update will attempt to use gzip compressed metadata first.

Hash sum mismatch fixed in newer apt versions

The bug was fixed in apt on March 21, 2014 (git commit sha c4b113e650dbdbb4c5c9c6f36437c94db6b214d9).

This fix is included in all apt versions starting with version 1.0, which is available on the following systems:

  • Ubuntu Trusty (14.04) and newer
  • Debian Jessie (8) and newer

If you are using the above systems and see this error, you should make sure you are running the latest version of apt included with your OS.

What does ‘Hash sum mismatch’ actually mean?

apt repository metadata is organized in such a way that a top level file contains the checksums of other pieces of repository metadata.

The “Hash sum mismatch” error indicates to the user that apt has run a checksum against the repository metadata it has downloaded and the checksum apt computed does not match the checksum listed in the top level file.

Unfortunately, due to a bug in apt, metadata files compressed with lzma (.xz files) are occasionally downloaded (and in some cases decompressed) incorrectly, resulting in a broken file.

As a result, the checksum of the broken file will be incorrect and cause apt to produce the “Hash sum mismatch” error.
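The check described above can be reproduced by hand. The following is an added example, not code from apt or packagecloud: it assumes the top level file is the repository's Release file with its usual SHA256 section (one " hash size path" line per metadata file), and it builds a small constructed repository inline rather than downloading anything.

```python
import gzip
import hashlib

def parse_release_sha256(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
        elif in_section and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        elif in_section:
            break  # the next top-level field ends the section
    return entries

def verify_index(entries, path, data):
    """Compare downloaded bytes with the size and checksum listed for path."""
    if path not in entries:
        return "not listed"
    digest, size = entries[path]
    if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
        return "Hash sum mismatch"
    return "ok"

def build_sample():
    """Constructed sample metadata (not taken from a real repository)."""
    packages = b"Package: example\nVersion: 1.0\nArchitecture: amd64\n\n"
    files = {
        "main/binary-amd64/Packages": packages,
        "main/binary-amd64/Packages.gz": gzip.compress(packages),
    }
    lines = ["Origin: example", "Suite: stable", "SHA256:"]
    for path, data in files.items():
        lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), path))
    return "\n".join(lines) + "\n", files

if __name__ == "__main__":
    release, files = build_sample()
    entries = parse_release_sha256(release)
    path = "main/binary-amd64/Packages.gz"
    print(verify_index(entries, path, files[path]))
    # A file broken during download or decompression (here: truncated)
    # no longer matches the entry in the top level file.
    print(verify_index(entries, path, files[path][:-4]))
```

The second call reports the mismatch even though the repository's own files are intact, which is the situation the lzma bug produces on the client side.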

Conclusion

An unfortunate bug in apt’s handling of lzma compressed metadata (.xz files) causes the notorious “Hash sum mismatch” error in cases where the checksum would normally have verified, yielding a very confusing situation for end users.

Users of Ubuntu Trusty and Debian Jessie (or newer) are encouraged to upgrade to the latest version of apt available on their systems. All other users are encouraged to employ the workaround listed above to avoid lzma compressed metadata or try using our backported APT 1.2.10.

packagecloud APT repository owners don’t need to do anything. We’ve disabled lzma compressed metadata completely so users of your repositories will not be affected by this bug.
