Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to download yarn v1.22.20 or v1.22.21 #33

Open
dominicbrodowski opened this issue Nov 20, 2023 · 12 comments
Open

Unable to download yarn v1.22.20 or v1.22.21 #33

dominicbrodowski opened this issue Nov 20, 2023 · 12 comments

Comments

@dominicbrodowski
Copy link

dominicbrodowski commented Nov 20, 2023
edited
Loading

I am getting a 404 error when trying to fetch the tar.gz.asc file.

❯ asdf install yarn 1.22.20
--2023-11-21 09:07:26--  https://classic.yarnpkg.com/downloads/1.22.20/yarn-v1.22.20.tar.gz
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving classic.yarnpkg.com (classic.yarnpkg.com)... 54.253.236.10, 3.24.66.78
Connecting to classic.yarnpkg.com (classic.yarnpkg.com)|54.253.236.10|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/yarnpkg/yarn/releases/download/v1.22.20/yarn-v1.22.20.tar.gz [following]
--2023-11-21 09:07:26--  https://github.com/yarnpkg/yarn/releases/download/v1.22.20/yarn-v1.22.20.tar.gz
Resolving github.com (github.com)... 20.248.137.48
Connecting to github.com (github.com)|20.248.137.48|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/49970642/62ba5086-2833-407e-9ace-ed2f02385da6?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231120%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231120T220705Z&X-Amz-Expires=300&X-Amz-Signature=fa7bf66a1768d18db95ddb0f96439b960f56b1019590c7cd155d0db75aae7d7b&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=49970642&response-content-disposition=attachment%3B%20filename%3Dyarn-v1.22.20.tar.gz&response-content-type=application%2Foctet-stream [following]
--2023-11-21 09:07:31--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/49970642/62ba5086-2833-407e-9ace-ed2f02385da6?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231120%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231120T220705Z&X-Amz-Expires=300&X-Amz-Signature=fa7bf66a1768d18db95ddb0f96439b960f56b1019590c7cd155d0db75aae7d7b&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=49970642&response-content-disposition=attachment%3B%20filename%3Dyarn-v1.22.20.tar.gz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.109.133, 185.199.108.133, 185.199.111.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1242998 (1.2M) [application/octet-stream]
Saving to: ‘yarn-v1.22.20.tar.gz’

yarn-v1.22.20.tar.gz                                      100%[=====================================================================================================================================>]   1.18M  3.12MB/s    in 0.4s

2023-11-21 09:07:32 (3.12 MB/s) - ‘yarn-v1.22.20.tar.gz’ saved [1242998/1242998]

--2023-11-21 09:07:32--  https://classic.yarnpkg.com/downloads/1.22.20/yarn-v1.22.20.tar.gz.asc
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving classic.yarnpkg.com (classic.yarnpkg.com)... 3.24.66.78, 54.66.176.79
Connecting to classic.yarnpkg.com (classic.yarnpkg.com)|3.24.66.78|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/yarnpkg/yarn/releases/download/v1.22.20/yarn-v1.22.20.tar.gz.asc [following]
--2023-11-21 09:07:32--  https://github.com/yarnpkg/yarn/releases/download/v1.22.20/yarn-v1.22.20.tar.gz.asc
Resolving github.com (github.com)... 20.248.137.48
Connecting to github.com (github.com)|20.248.137.48|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2023-11-21 09:07:32 ERROR 404: Not Found.
@clintbullock
Copy link

These releases have warnings attached to them:

https://github.com/yarnpkg/yarn/releases/

Warning: This release is missing a couple of artifacts (the .msi/.rpm/.deb/.asc files); we're working on fixing this.

I'm sticking to 1.22.19 until this has been resolved upstream.

@jackhubs
Copy link

These releases have warnings attached to them:

https://github.com/yarnpkg/yarn/releases/

Warning: This release is missing a couple of artifacts (the .msi/.rpm/.deb/.asc files); we're working on fixing this.

I'm sticking to 1.22.19 until this has been resolved upstream.

this worked like fine wine. muchas gracias

@benkim077 benkim077 mentioned this issue Dec 30, 2023
Closed
@djnnvx
Copy link

djnnvx commented Jan 9, 2024

Just off a fresh re-install. Can't install yarn 😔

> asdf install yarn 1.22.10
--2024-01-09 11:51:17--  https://classic.yarnpkg.com/downloads/1.22.10/yarn-v1.22.10.tar.gz
Resolving classic.yarnpkg.com (classic.yarnpkg.com)... 2a05:d014:275:cb02::c8, 2a05:d014:275:cb01::c8, 35.156.224.161, ...
Connecting to classic.yarnpkg.com (classic.yarnpkg.com)|2a05:d014:275:cb02::c8|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/yarnpkg/yarn/releases/download/v1.22.10/yarn-v1.22.10.tar.gz [following]
--2024-01-09 11:51:17--  https://github.com/yarnpkg/yarn/releases/download/v1.22.10/yarn-v1.22.10.tar.gz
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/49970642/30fd1600-0466-11eb-835a-ebba1487d5d9?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240109%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240109T105117Z&X-Amz-Expires=300&X-Amz-Signature=28c205a06d1a5e719aecbc843baaf1a04ea9715a99284bc8b018819f6d6d89c9&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=49970642&response-content-disposition=attachment%3B%20filename%3Dyarn-v1.22.10.tar.gz&response-content-type=application%2Foctet-stream [following]
--2024-01-09 11:51:17--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/49970642/30fd1600-0466-11eb-835a-ebba1487d5d9?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240109%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240109T105117Z&X-Amz-Expires=300&X-Amz-Signature=28c205a06d1a5e719aecbc843baaf1a04ea9715a99284bc8b018819f6d6d89c9&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=49970642&response-content-disposition=attachment%3B%20filename%3Dyarn-v1.22.10.tar.gz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1244965 (1.2M) [application/octet-stream]
Saving to: ‘yarn-v1.22.10.tar.gz’

yarn-v1.22.10.tar.gz         100%[=============================================>]   1.19M  --.-KB/s    in 0.04s   

2024-01-09 11:51:17 (29.3 MB/s) - ‘yarn-v1.22.10.tar.gz’ saved [1244965/1244965]

--2024-01-09 11:51:17--  https://classic.yarnpkg.com/downloads/1.22.10/yarn-v1.22.10.tar.gz.asc
Resolving classic.yarnpkg.com (classic.yarnpkg.com)... 2a05:d014:275:cb02::c8, 2a05:d014:275:cb01::c8, 35.156.224.161, ...
Connecting to classic.yarnpkg.com (classic.yarnpkg.com)|2a05:d014:275:cb02::c8|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://github.com/yarnpkg/yarn/releases/download/v1.22.10/yarn-v1.22.10.tar.gz.asc [following]
--2024-01-09 11:51:18--  https://github.com/yarnpkg/yarn/releases/download/v1.22.10/yarn-v1.22.10.tar.gz.asc
Resolving github.com (github.com)... 140.82.121.3
Connecting to github.com (github.com)|140.82.121.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/49970642/3195ac80-0466-11eb-86eb-b6fe824b87c6?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240109%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240109T105118Z&X-Amz-Expires=300&X-Amz-Signature=79494918897a0f616365d57aff7bcab89a176e53c0d78de88039b146c4847f18&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=49970642&response-content-disposition=attachment%3B%20filename%3Dyarn-v1.22.10.tar.gz.asc&response-content-type=application%2Foctet-stream [following]
--2024-01-09 11:51:18--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/49970642/3195ac80-0466-11eb-86eb-b6fe824b87c6?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240109%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240109T105118Z&X-Amz-Expires=300&X-Amz-Signature=79494918897a0f616365d57aff7bcab89a176e53c0d78de88039b146c4847f18&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=49970642&response-content-disposition=attachment%3B%20filename%3Dyarn-v1.22.10.tar.gz.asc&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 832 [application/octet-stream]
Saving to: ‘yarn-v1.22.10.tar.gz.asc’

yarn-v1.22.10.tar.gz.asc     100%[=============================================>]     832  --.-KB/s    in 0s      

2024-01-09 11:51:18 (33.4 MB/s) - ‘yarn-v1.22.10.tar.gz.asc’ saved [832/832]

gpg: key 1646B01B86E50310: "Yarn Packaging <[email protected]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg: Signature made Fri 02 Oct 2020 01:17:27 PM CEST
gpg:                using RSA key 6D98490C6F1ACDDD448E45954F77679369475BAA
gpg: Good signature from "Yarn Packaging <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 72EC F46A 56B4 AD39 C907  BBB7 1646 B01B 86E5 0310
     Subkey fingerprint: 6D98 490C 6F1A CDDD 448E  4595 4F77 6793 6947 5BAA

happens on any versions i try

@dominicbrodowski
Copy link
Author

Hi @djnnvx , that doesn't actually indicate a failed install. What do you get when you run asdf list yarn?

@djnnvx
Copy link

djnnvx commented Jan 10, 2024

shoot, you're right. I was sick and misunderstood the message. Sorry guys, english is hard.

@ThaiGQ
Copy link

ThaiGQ commented Jan 23, 2024

Will there still be a fix for this issue? I'm unable to install version 1.22.21 using asdf:

asdf install yarn 1.22.21
gpg: key 1646B01B86E50310: "Yarn Packaging <[email protected]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

@ThaiGQ
Copy link

ThaiGQ commented Jan 24, 2024

Forgot to include in my last post that yarn 1.22.21 was not installed:

asdf list yarn
  1.22.19

@deiga deiga mentioned this issue Feb 15, 2024
Open
@dominicbrodowski
Copy link
Author

Given Yarn has released 1.22.22 and they still don't provide a GPG key, would it be possible to disable the GPG checking for these last three releases? Unfortunately it seems their team don't care enough about security to maintain these features.

@canterberry canterberry mentioned this issue Mar 14, 2024
Closed
@canterberry
Copy link
Member

I've left a note at yarnpkg/yarn#8801 to see if there's something we can do to have the issue corrected upstream. If that is a success, then it should be possible to backport signatures for the currently failing releases, and ensure signatures are included in future releases. Thus, no special accommodation would need to be made in this plugin.

If addressing this issue upstream is not possible or feasible, then an accommodation can be made in this plugin as follows:

Proposal

Add support for a new environment variable -- ASDF_PLUGIN_YARN_CONFIG_VERIFY_SIGNATURES -- whose value can be one of the following:

  • "always" (default) - Do not allow installation of releases that are missing a signature file.
  • "preferred" - Allow installation of releases that are missing a signature file, but log a warning when doing so.
  • "never" - Do not attempt to verify signatures at all, but log a warning when a signature file is available.

Under no circumstances would the plugin allow installation of releases that include a signature file but which fail signature verification.

@dominicbrodowski
Copy link
Author

I'd be okay with this accommodation; you could also add an option in .asdfrc like the java plugin people did for MacOS:
https://github.com/halcyon/asdf-java?tab=readme-ov-file#macos

@MerouaneBali-OscarsFarm
Copy link

+1, still unable to install 1.22.2X due to this OpenPGP issue.

asdf install yarn 1.22.22
gpg: key 1646B01B86E50310: "Yarn Packaging <[email protected]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg: no valid OpenPGP data found.
gpg: the signature could not be verified.
Please remember that the signature file (.sig or .asc)
should be the first file given on the command line.

@kroleg kroleg mentioned this issue Apr 10, 2024
Merged
@canterberry canterberry mentioned this issue Apr 11, 2024
Closed
@timdp
Copy link

timdp commented May 28, 2024

It looks like the missing files got added: https://github.com/yarnpkg/yarn/releases/tag/v1.22.22

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@timdp @clintbullock @canterberry @jackhubs @dominicbrodowski @ThaiGQ @djnnvx @MerouaneBali-OscarsFarm