asdf-yarn
Unable to download yarn v1.22.20 or v1.22.21
I am getting a 404 error when trying to fetch the tar.gz.asc file.
❯ asdf install yarn 1.22.20
--2023-11-21 09:07:26-- https://classic.yarnpkg.com/downloads/1.22.20/yarn-v1.22.20.tar.gz
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving classic.yarnpkg.com (classic.yarnpkg.com)... 54.253.236.10, 3.24.66.78
Connecting to classic.yarnpkg.com (classic.yarnpkg.com)|54.253.236.10|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/yarnpkg/yarn/releases/download/v1.22.20/yarn-v1.22.20.tar.gz [following]
--2023-11-21 09:07:26-- https://github.com/yarnpkg/yarn/releases/download/v1.22.20/yarn-v1.22.20.tar.gz
Resolving github.com (github.com)... 20.248.137.48
Connecting to github.com (github.com)|20.248.137.48|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/49970642/62ba5086-2833-407e-9ace-ed2f02385da6?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231120%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231120T220705Z&X-Amz-Expires=300&X-Amz-Signature=fa7bf66a1768d18db95ddb0f96439b960f56b1019590c7cd155d0db75aae7d7b&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=49970642&response-content-disposition=attachment%3B%20filename%3Dyarn-v1.22.20.tar.gz&response-content-type=application%2Foctet-stream [following]
--2023-11-21 09:07:31-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/49970642/62ba5086-2833-407e-9ace-ed2f02385da6?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231120%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231120T220705Z&X-Amz-Expires=300&X-Amz-Signature=fa7bf66a1768d18db95ddb0f96439b960f56b1019590c7cd155d0db75aae7d7b&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=49970642&response-content-disposition=attachment%3B%20filename%3Dyarn-v1.22.20.tar.gz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.109.133, 185.199.108.133, 185.199.111.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1242998 (1.2M) [application/octet-stream]
Saving to: ‘yarn-v1.22.20.tar.gz’
yarn-v1.22.20.tar.gz 100%[=====================================================================================================================================>] 1.18M 3.12MB/s in 0.4s
2023-11-21 09:07:32 (3.12 MB/s) - ‘yarn-v1.22.20.tar.gz’ saved [1242998/1242998]
--2023-11-21 09:07:32-- https://classic.yarnpkg.com/downloads/1.22.20/yarn-v1.22.20.tar.gz.asc
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving classic.yarnpkg.com (classic.yarnpkg.com)... 3.24.66.78, 54.66.176.79
Connecting to classic.yarnpkg.com (classic.yarnpkg.com)|3.24.66.78|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/yarnpkg/yarn/releases/download/v1.22.20/yarn-v1.22.20.tar.gz.asc [following]
--2023-11-21 09:07:32-- https://github.com/yarnpkg/yarn/releases/download/v1.22.20/yarn-v1.22.20.tar.gz.asc
Resolving github.com (github.com)... 20.248.137.48
Connecting to github.com (github.com)|20.248.137.48|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-11-21 09:07:32 ERROR 404: Not Found.
These releases have warnings attached to them:
https://github.com/yarnpkg/yarn/releases/
Warning: This release is missing a couple of artifacts (the .msi/.rpm/.deb/.asc files); we're working on fixing this.
I'm sticking to 1.22.19 until this has been resolved upstream.
This worked like fine wine. Many thanks.
Just off a fresh re-install. Can't install yarn :pensive:
> asdf install yarn 1.22.10
--2024-01-09 11:51:17-- https://classic.yarnpkg.com/downloads/1.22.10/yarn-v1.22.10.tar.gz
Resolving classic.yarnpkg.com (classic.yarnpkg.com)... 2a05:d014:275:cb02::c8, 2a05:d014:275:cb01::c8, 35.156.224.161, ...
Connecting to classic.yarnpkg.com (classic.yarnpkg.com)|2a05:d014:275:cb02::c8|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/yarnpkg/yarn/releases/download/v1.22.10/yarn-v1.22.10.tar.gz [following]
--2024-01-09 11:51:17-- https://github.com/yarnpkg/yarn/releases/download/v1.22.10/yarn-v1.22.10.tar.gz
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/49970642/30fd1600-0466-11eb-835a-ebba1487d5d9?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240109%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240109T105117Z&X-Amz-Expires=300&X-Amz-Signature=28c205a06d1a5e719aecbc843baaf1a04ea9715a99284bc8b018819f6d6d89c9&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=49970642&response-content-disposition=attachment%3B%20filename%3Dyarn-v1.22.10.tar.gz&response-content-type=application%2Foctet-stream [following]
--2024-01-09 11:51:17-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/49970642/30fd1600-0466-11eb-835a-ebba1487d5d9?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240109%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240109T105117Z&X-Amz-Expires=300&X-Amz-Signature=28c205a06d1a5e719aecbc843baaf1a04ea9715a99284bc8b018819f6d6d89c9&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=49970642&response-content-disposition=attachment%3B%20filename%3Dyarn-v1.22.10.tar.gz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1244965 (1.2M) [application/octet-stream]
Saving to: ‘yarn-v1.22.10.tar.gz’
yarn-v1.22.10.tar.gz 100%[=============================================>] 1.19M --.-KB/s in 0.04s
2024-01-09 11:51:17 (29.3 MB/s) - ‘yarn-v1.22.10.tar.gz’ saved [1244965/1244965]
--2024-01-09 11:51:17-- https://classic.yarnpkg.com/downloads/1.22.10/yarn-v1.22.10.tar.gz.asc
Resolving classic.yarnpkg.com (classic.yarnpkg.com)... 2a05:d014:275:cb02::c8, 2a05:d014:275:cb01::c8, 35.156.224.161, ...
Connecting to classic.yarnpkg.com (classic.yarnpkg.com)|2a05:d014:275:cb02::c8|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/yarnpkg/yarn/releases/download/v1.22.10/yarn-v1.22.10.tar.gz.asc [following]
--2024-01-09 11:51:18-- https://github.com/yarnpkg/yarn/releases/download/v1.22.10/yarn-v1.22.10.tar.gz.asc
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/49970642/3195ac80-0466-11eb-86eb-b6fe824b87c6?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240109%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240109T105118Z&X-Amz-Expires=300&X-Amz-Signature=79494918897a0f616365d57aff7bcab89a176e53c0d78de88039b146c4847f18&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=49970642&response-content-disposition=attachment%3B%20filename%3Dyarn-v1.22.10.tar.gz.asc&response-content-type=application%2Foctet-stream [following]
--2024-01-09 11:51:18-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/49970642/3195ac80-0466-11eb-86eb-b6fe824b87c6?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240109%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240109T105118Z&X-Amz-Expires=300&X-Amz-Signature=79494918897a0f616365d57aff7bcab89a176e53c0d78de88039b146c4847f18&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=49970642&response-content-disposition=attachment%3B%20filename%3Dyarn-v1.22.10.tar.gz.asc&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 832 [application/octet-stream]
Saving to: ‘yarn-v1.22.10.tar.gz.asc’
yarn-v1.22.10.tar.gz.asc 100%[=============================================>] 832 --.-KB/s in 0s
2024-01-09 11:51:18 (33.4 MB/s) - ‘yarn-v1.22.10.tar.gz.asc’ saved [832/832]
gpg: key 1646B01B86E50310: "Yarn Packaging <[email protected]>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: Signature made Fri 02 Oct 2020 01:17:27 PM CEST
gpg: using RSA key 6D98490C6F1ACDDD448E45954F77679369475BAA
gpg: Good signature from "Yarn Packaging <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 72EC F46A 56B4 AD39 C907 BBB7 1646 B01B 86E5 0310
Subkey fingerprint: 6D98 490C 6F1A CDDD 448E 4595 4F77 6793 6947 5BAA
Happens on any version I try.
Hi @djnnvx, that doesn't actually indicate a failed install. What do you get when you run asdf list yarn?
Shoot, you're right. I was sick and misunderstood the message. Sorry guys, English is hard.
Will there still be a fix for this issue? I'm unable to install version 1.22.21 using asdf:
asdf install yarn 1.22.21
gpg: key 1646B01B86E50310: "Yarn Packaging <[email protected]>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
Forgot to include in my last post that yarn 1.22.21 was not installed:
asdf list yarn
1.22.19
Given Yarn has released 1.22.22 and they still don't provide a GPG key, would it be possible to disable the GPG checking for these last three releases? Unfortunately it seems their team don't care enough about security to maintain these features.
I've left a note at https://github.com/yarnpkg/yarn/issues/8801 to see if there's something we can do to have the issue corrected upstream. If that is a success, then it should be possible to backport signatures for the currently failing releases, and ensure signatures are included in future releases. Thus, no special accommodation would need to be made in this plugin.
If addressing this issue upstream is not possible or feasible, then an accommodation can be made in this plugin as follows:
Proposal
Add support for a new environment variable -- ASDF_PLUGIN_YARN_CONFIG_VERIFY_SIGNATURES -- whose value can be one of the following:
- "always" (default) - Do not allow installation of releases that are missing a signature file.
- "preferred" - Allow installation of releases that are missing a signature file, but log a warning when doing so.
- "never" - Do not attempt to verify signatures at all, but log a warning when a signature file is available.
Under no circumstances would the plugin allow installation of releases that include a signature file but which fail signature verification.
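A sketch of the decision logic the proposal above describes, added here as an example; it is not part of the thread or the plugin's code. The function names and the pluggable verifier argument are assumptions made so the logic can be exercised without gpg.

```bash
# Added example; function names are hypothetical, not the plugin's code.

# A signature counts as present only if the file exists, is non-empty and
# carries the OpenPGP armor header. A 404 on the .asc URL leaves no such
# file, which is the "no valid OpenPGP data found" case in this thread.
signature_present() {
  [ -s "$1" ] && grep -q -- '-----BEGIN PGP SIGNATURE-----' "$1"
}

# Default verifier (assumes gpg is installed and the release key imported).
gpg_verify() { gpg --verify "$1" "$2" 2>/dev/null; }

# signature_policy SIG_FILE TARBALL [VERIFIER]
# Returns 0 when installation may proceed, 1 when it must be refused.
signature_policy() {
  local sig="$1" tarball="$2" verifier="${3:-gpg_verify}"
  local mode="${ASDF_PLUGIN_YARN_CONFIG_VERIFY_SIGNATURES:-always}"

  case "$mode" in
    always | preferred | never) ;;
    *) echo "error: unknown mode '$mode'" >&2; return 1 ;;
  esac

  if [ "$mode" = never ]; then
    # No verification is attempted, so a bad signature goes undetected here.
    if signature_present "$sig"; then
      echo "warning: signature file available but not verified" >&2
    fi
    return 0
  fi

  if ! signature_present "$sig"; then
    if [ "$mode" = preferred ]; then
      echo "warning: no signature file; installing unverified" >&2
      return 0
    fi
    echo "error: no signature file; refusing to install" >&2
    return 1
  fi

  # A signature exists: failed verification is fatal in both modes.
  if ! "$verifier" "$sig" "$tarball"; then
    echo "error: signature verification failed" >&2
    return 1
  fi
  return 0
}
```

An unrecognized mode value is refused rather than treated as a relaxed mode, so a typo in the variable cannot silently disable the check.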
I'd be okay with this accommodation; you could also add an option in .asdfrc like the java plugin people did for MacOS: https://github.com/halcyon/asdf-java?tab=readme-ov-file#macos
+1, still unable to install 1.22.2X due to this OpenPGP issue.
asdf install yarn 1.22.22
gpg: key 1646B01B86E50310: "Yarn Packaging <[email protected]>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.
It looks like the missing files got added: https://github.com/yarnpkg/yarn/releases/tag/v1.22.22