# Checksum error when installing 6.7-RC2 from roots/wordpress-full **URL:** https://discourse.roots.io/t/checksum-error-when-installing-6-7-rc2-from-roots-wordpress-full/28865 **Category:** bedrock **Tags:** composer **Created:** 2024-10-31T18:16:11Z **Posts:** 3 ## Post 1 by @andronocean — 2024-10-31T18:16:11Z I’m trying to test a site on the upcoming 6.7 release, using the latest RC2 package. As I understand it the normal process for this with Bedrock or Radicle is to modify the composer packages to require the core installer and `roots/wordpress-full` directly (since `roots/wordpress-no-content` doesn’t include RC releases.) The changed composer.json should look like this: ``` - "roots/wordpress": "6.6.2", + "roots/wordpress-core-installer": "^1.100", + "roots/wordpress-full": "6.7-RC2", ``` When I added the RC2, I got the following output — **note the checksum verification failure** : ``` ❯ composer require roots/wordpress-full:6.7-RC2 ./composer.json has been updated Running composer update roots/wordpress-full Loading composer repositories with package information Updating dependencies Lock file operations: 1 install, 0 updates, 0 removals - Locking roots/wordpress-full (6.7-RC2) Writing lock file Installing dependencies from lock file (including require-dev) Package operations: 1 install, 0 updates, 0 removals - Downloading roots/wordpress-full (6.7-RC2) Failed to download roots/wordpress-full from dist: The checksum verification of the file failed (downloaded from https://downloads.wordpress.org/release/wordpress-6.7-RC2.zip) Now trying to download from source - Syncing roots/wordpress-full (6.7-RC2) into cache - Installing roots/wordpress-full (6.7-RC2): Cloning master from cache ``` If I go to [wordpress-full/composer.json at 7911eb86794280f56c98e94e2cec2a67ee97a06e · roots/wordpress-full · GitHub](https://github.com/roots/wordpress-full/blob/7911eb86794280f56c98e94e2cec2a67ee97a06e/composer.json), I see that the package’s hard-coded checksum is `01d03df8b0a70f93f31d2030d39c6cf84c0a7edb`. But, if I go download the RC2 zip from [https://wordpress.org/download/releases/#betas](https://wordpress.org/download/releases/#betas), and calculate my own checksum, sure enough it’s different: `0f78e7a8b97328a06be6767d4d606eda37ee4a2e`. This second checksum matches what is published at [https://wordpress.org/wordpress-6.7-RC2.zip.sha1](https://wordpress.org/wordpress-6.7-RC2.zip.sha1). The mismatch is between Composer’s expectation and what WordPress has published… so something has gone weird. It looks like [roots/wordpress-packager](https://github.com/roots/wordpress-packager) is the tool that assembles these new releases, and if I read the code correctly it should have gotten the checksum directly from what WordPress published at the URL above. _ **So what happened???** _ (Also strange: when I go check the wp-includes/version.php file that Composer added in my project, I see that what was actually installed is `$wp_version = '6.8-alpha-59330'` — apparently it pulled [the `master` branch of WordPress/WordPress](https://github.com/WordPress/WordPress/blob/1522e2f0011e31dc92ea2b39668cf36f60ce5825/wp-includes/version.php#L19) directly. That seems like a risky fallback.) --- ## Post 2 by @Log1x — 2024-10-31T22:20:02Z I don’t have an answer for 6.7-RC2 but this has happened in the past with 6.5.4 due to them rebuilding the zips 4 hours after initial release. Related discussion here: [Invalid checksum for version 6.5.4 · Issue #7 · roots/wordpress-no-content · GitHub](https://github.com/roots/wordpress-no-content/issues/7) --- ## Post 3 by @andronocean — 2024-11-09T15:34:55Z …they sometimes rebuild public releases in a non-reproducible manner? :grimacing: Very likely that’s what happened here. 6.7-RC4 is working normally.