Checksum error when installing 6.7-RC2 from roots/wordpress-full

I’m trying to test a site on the upcoming 6.7 release, using the latest RC2 package. As I understand it, the normal process for this with Bedrock or Radicle is to modify the Composer packages to require the core installer and roots/wordpress-full directly (since roots/wordpress-no-content doesn’t include RC releases). The changed composer.json should look like this:

-   "roots/wordpress": "6.6.2",
+   "roots/wordpress-core-installer": "^1.100",
+   "roots/wordpress-full": "6.7-RC2",
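Review bot: the `roots/wordpress-full` line pins an exact pre-release tag (`6.7-RC2`) whose dist SHA-1 is hard-coded in that package's own composer.json, so if the published zip is rebuilt after the package was generated the checksum check fails and Composer silently falls back to cloning source instead of aborting. After applying this change and running `composer require`, verify that `wp-includes/version.php` reports `6.7-RC2` rather than a development-branch version, and treat a "Now trying to download from source" line in the install output as a failure for a release pin.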

When I added the RC2, I got the following output — note the checksum verification failure:

❯ composer require roots/wordpress-full:6.7-RC2
./composer.json has been updated
Running composer update roots/wordpress-full
Loading composer repositories with package information
Updating dependencies
Lock file operations: 1 install, 0 updates, 0 removals
  - Locking roots/wordpress-full (6.7-RC2)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 1 install, 0 updates, 0 removals
  - Downloading roots/wordpress-full (6.7-RC2)
    Failed to download roots/wordpress-full from dist: The checksum verification of the file failed (downloaded from https://downloads.wordpress.org/release/wordpress-6.7-RC2.zip)
    Now trying to download from source
  - Syncing roots/wordpress-full (6.7-RC2) into cache
  - Installing roots/wordpress-full (6.7-RC2): Cloning master from cache

If I go to the package’s composer.json on GitHub (roots/wordpress-full at commit 7911eb86794280f56c98e94e2cec2a67ee97a06e), I see that the package’s hard-coded checksum is 01d03df8b0a70f93f31d2030d39c6cf84c0a7edb.

But, if I go download the RC2 zip from https://wordpress.org/download/releases/#betas, and calculate my own checksum, sure enough it’s different: 0f78e7a8b97328a06be6767d4d606eda37ee4a2e.

This second checksum matches what is published at https://wordpress.org/wordpress-6.7-RC2.zip.sha1. The mismatch is between Composer’s expectation and what WordPress has published… so something has gone weird.

It looks like roots/wordpress-packager is the tool that assembles these new releases, and if I read the code correctly it should have gotten the checksum directly from what WordPress published at the URL above.

So what happened???

(Also strange: when I go check the wp-includes/version.php file that Composer added in my project, I see that what was actually installed is $wp_version = '6.8-alpha-59330' — apparently it pulled the master branch of WordPress/WordPress directly. That seems like a risky fallback.)
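The cross-check described in the post (package-declared SHA-1 vs. the digest WordPress publishes vs. a locally computed digest of the zip) as an added example; this is not code from the original post or from the roots packages. It assumes Composer's standard package metadata layout, where the hash lives under `dist.shasum` in composer.json, and that the published `.sha1` file contains the bare hex digest (the parser tolerates trailing whitespace or a filename suffix). The function names and the constructed fixture files in `demo` are mine.

```shell
#!/usr/bin/env sh
# Added example (not from the post or the roots/wordpress-packager project).
# Assumption: composer.json carries the dist hash as "dist": {"shasum": "<40 hex>"}.
set -eu

# Extract the 40-hex-char SHA-1 that Composer will enforce from a composer.json.
dist_shasum() {
  # $1 = path to composer.json
  sed -n 's/.*"shasum"[[:space:]]*:[[:space:]]*"\([0-9a-f]\{40\}\)".*/\1/p' "$1" | head -n 1
}

# SHA-1 of a local file; works with GNU coreutils (sha1sum) and BSD/macOS (shasum).
file_sha1() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# Compare the three sources and print a one-word diagnosis.
# $1 = package composer.json, $2 = downloaded release zip, $3 = published .sha1 file
check_release() {
  expected=$(dist_shasum "$1")
  [ -n "$expected" ] || { echo "no-shasum"; return 0; }   # metadata has no dist hash
  actual=$(file_sha1 "$2")
  published=$(tr -d ' \n\r' < "$3" | cut -c1-40)          # keep only the hex digest
  if [ "$expected" = "$actual" ] && [ "$actual" = "$published" ]; then
    echo "ok"          # everything agrees; Composer will install from dist
  elif [ "$actual" = "$published" ]; then
    echo "rebuilt"     # zip matches what WordPress publishes now; package hash is stale
  elif [ "$expected" = "$published" ]; then
    echo "corrupt"     # the local download is the odd one out; re-download it
  else
    echo "mismatch"    # none agree; do not install this release
  fi
}

# Constructed fixtures (not real WordPress artifacts) showing the two cases that matter.
demo() {
  tmp=$(mktemp -d)
  printf 'constructed stand-in for a wordpress release zip\n' > "$tmp/wp.zip"
  now=$(file_sha1 "$tmp/wp.zip")
  printf '%s\n' "$now" > "$tmp/wp.sha1"
  # Case 1: package metadata generated from the zip as currently published.
  printf '{"name":"roots/wordpress-full","dist":{"type":"zip","shasum":"%s"}}\n' "$now" > "$tmp/ok.json"
  # Case 2: a stale hard-coded hash, as in the post (hash taken before a rebuild).
  printf '{"dist":{"type":"zip","shasum":"01d03df8b0a70f93f31d2030d39c6cf84c0a7edb"}}\n' > "$tmp/stale.json"
  r1=$(check_release "$tmp/ok.json"    "$tmp/wp.zip" "$tmp/wp.sha1")
  r2=$(check_release "$tmp/stale.json" "$tmp/wp.zip" "$tmp/wp.sha1")
  rm -rf "$tmp"
  echo "$r1 $r2"
}

demo
```

Run it before `composer require` against the package's composer.json, the zip you downloaded, and the `.sha1` file; a "rebuilt" result is the situation in the post and means the package metadata, not your download, is what needs regenerating.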

I don’t have an answer for 6.7-RC2, but this has happened in the past with 6.5.4, due to them rebuilding the zips 4 hours after the initial release.

Related discussion here: roots/wordpress-no-content issue #7 on GitHub, “Invalid checksum for version 6.5.4”.

…they sometimes rebuild public releases in a non-reproducible manner?

:grimacing:

Very likely that’s what happened here. 6.7-RC4 is working normally.