does upgrading overwrite every file?
Yes. Or more specifically, it doesn't overwrite them, but in the single transaction, it removes the files belonging to the old package and copies over the new ones. But unless you forced a fresh download, the same pkg.tar.xz file in your cache would still be used again. So a corrupted package is unlikely.
I wonder if downgrading far back enough was enough to trigger a file overwrite on the reupgrade.
More likely, you just didn't have a properly updated nss.
I've been able to successfully execute the curl of the file that is over 2GiB in size a few times now, so I think I'll temporarily call this one solved.
A question about the inner workings of pacman... If a file is corrupted in an install, does upgrading overwrite every file? Or just those that have changed? I wonder if downgrading far back enough was enough to trigger a file overwrite on the reupgrade.
{ [591 bytes data]
5 2298M 5 125M 0 0 35.4M 0 0:01:04 0:00:03 0:01:01 41.8M
* TLSv1.3 (OUT), TLS alert, bad record mac (532):
} [2 bytes data]
* OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
6 2298M 6 139M 0 0 35.9M 0 0:01:03 0:00:03 0:01:00 41.8M
* Closing connection 1
curl: (56) OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
{ [591 bytes data]
* TLSv1.3 (OUT), TLS alert, bad record mac (532):
} [2 bytes data]
* OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
100 997k 0 997k 0 0 738k 0 --:--:-- 0:00:01 --:--:-- 1423k
* Closing connection 1
curl: (56) OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
3) I was able to replicate the error from within a VirtualBox VM on an Arch Install ISO, both with bridged and NAT networking.
If you repeat the bad curl, do the errors happen on the same offset?
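One way to run the repeat-and-compare check asked about in the post above, as an added example that is not part of the original thread. The helper names `probe` and `classify` are hypothetical, the sample rows are constructed, and the interpretation in the comments is a heuristic rather than a diagnosis.

```shell
#!/bin/sh
# Added example: repeat a failing HTTPS download and compare where each
# attempt dies. Usage: sh offsets.sh URL [ATTEMPTS]

# probe URL [N]: run curl N times; print "exit_code bytes_received" per attempt.
probe() {
    url=$1; n=${2:-5}; i=0
    while [ "$i" -lt "$n" ]; do
        rc=0
        # -w '%{size_download}' reports the body bytes curl received before it
        # stopped, which is far more precise than the progress meter.
        size=$(curl -sL -o /dev/null -w '%{size_download}' "$url" 2>/dev/null) || rc=$?
        printf '%s %s\n' "$rc" "${size:-0}"
        i=$((i + 1))
    done
}

# classify: read "exit_code bytes" rows on stdin and summarise the failures.
#   same-offset    -> every failure stopped at the same byte count, so the
#                     fault follows the content or position in the stream
#   varying-offset -> failures land at different byte counts, which points
#                     toward intermittent corruption on the host or the path
classify() {
    awk '$1 != 0 { fails++; seen[$2]++ }
         END {
             if (fails == 0) { print "no-failures"; exit }
             distinct = 0
             for (k in seen) distinct++
             if (fails < 2)          print "inconclusive"
             else if (distinct == 1) print "same-offset"
             else                    print "varying-offset"
         }'
}

# Constructed sample rows (not measurements from this thread).
SAMPLE_VARYING='56 131072000
56 2073034752
0 2409889792'
SAMPLE_SAME='56 145752064
56 145752064
56 145752064'

# Only touch the network when a URL is given on the command line.
if [ "$#" -gt 0 ]; then
    probe "$@" | classify
fi
```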
curl -v https://www.google.com > /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 2607:f8b0:4007:80e::2004:443...
* Connected to www.google.com (2607:f8b0:4007:80e::2004) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2339 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [78 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=www.google.com
* start date: Mar 3 09:45:52 2020 GMT
* expire date: May 26 09:45:52 2020 GMT
* subjectAltName: host "www.google.com" matched cert's "www.google.com"
* issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x5571304368b0)
} [5 bytes data]
> GET / HTTP/2
> Host: www.google.com
> user-agent: curl/7.69.1
> accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [264 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 200
< date: Sun, 22 Mar 2020 14:25:24 GMT
< expires: -1
< cache-control: private, max-age=0
< content-type: text/html; charset=ISO-8859-1
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< server: gws
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< set-cookie: 1P_JAR=2020-03-22-14; expires=Tue, 21-Apr-2020 14:25:24 GMT; path=/; domain=.google.com; Secure
< set-cookie: NID=200=sKXNZVdIlO4t_lXC3Hg_T1cRld2nlAC6AaKbcVeSKyaJRmDjyb0IPgXGelNQCEDomMGki-0Z0c1cvhbDDGI6oGiS7KB8c68L_91SdrDeO8W5viGzxSViFZ_o3tOkoJkGSu6ZVhccy51IpQ7ZD4OMzrncN84jGNLVZkmwxImTk7g; expires=Mon, 21-Sep-2020 14:25:24 GMT; path=/; domain=.google.com; HttpOnly
< alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,h3-T050=":443"; ma=2592000
< accept-ranges: none
< vary: Accept-Encoding
<
{ [5 bytes data]
100 12745 0 12745 0 0 70414 0 --:--:-- --:--:-- --:--:-- 70414
* Connection #0 to host www.google.com left intact
I changed the second curl command to the file that it was choking on:
curl -vL 'https://github.com/ryanoasis/nerd-fonts/archive/v2.1.0.tar.gz' > /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 192.30.255.112:443...
* Connected to github.com (192.30.255.112) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3090 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=5157550; C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
* start date: May 8 00:00:00 2018 GMT
* expire date: Jun 3 12:00:00 2020 GMT
* subjectAltName: host "github.com" matched cert's "github.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA
* SSL certificate verify ok.
} [5 bytes data]
> GET /ryanoasis/nerd-fonts/archive/v2.1.0.tar.gz HTTP/1.1
> Host: github.com
> User-Agent: curl/7.69.1
> Accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< date: Sun, 22 Mar 2020 14:26:53 GMT
< content-type: text/html; charset=utf-8
< server: GitHub.com
< status: 302 Found
< vary: X-PJAX, Accept-Encoding, Accept, X-Requested-With
< location: https://codeload.github.com/ryanoasis/nerd-fonts/tar.gz/v2.1.0
< cache-control: max-age=0, private
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< expect-ct: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
{ [5 bytes data]
< content-security-policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com
< Age: 0
< Set-Cookie: _gh_sess=nR8wg1urQAcoMQPVVytKCQUzlW2315NuKjubIShdocUYvkmounAz6UXn3HIcFfEP8405Y28RsZ%2BHoGtpGtmkpyITeAoOJOXWwt7kFoC1A%2BFSm6xqLx7%2FydCbyy9wxoMowkkZpdZr3g3%2Fu21Btxsy94rFttPwGRkBDeYpk7rIFho%2BHLd3MvJ6O96pIEmmh0OmgYCXtPR9beHzFSws7rCaY3AM4zfgC6eTJsWxLeWY0j12nJGb%2FNa5nSlKOnJxPbE4GFqi81dFkhSmmLz14TM%2BCQ%3D%3D--XoJ%2BO8SiUxDiV9c%2F--9ytcFhnWY69OaoOJazgTew%3D%3D; Path=/; HttpOnly; Secure
< Set-Cookie: _octo=GH1.1.141097630.1584887213; Path=/; Domain=github.com; Expires=Mon, 22 Mar 2021 14:26:53 GMT; Secure
< Set-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Mon, 22 Mar 2021 14:26:53 GMT; HttpOnly; Secure
< Content-Length: 128
< X-GitHub-Request-Id: 25E3:0130:89921B:B89528:5E7775AD
<
* Ignoring the response-body
{ [128 bytes data]
100 128 100 128 0 0 372 0 --:--:-- --:--:-- --:--:-- 372
* Connection #0 to host github.com left intact
* Issue another request to this URL: 'https://codeload.github.com/ryanoasis/nerd-fonts/tar.gz/v2.1.0'
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 192.30.255.121:443...
* Connected to codeload.github.com (192.30.255.121) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2856 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.com
* start date: Jul 8 00:00:00 2019 GMT
* expire date: Jul 16 12:00:00 2020 GMT
* subjectAltName: host "codeload.github.com" matched cert's "*.github.com"
* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
* SSL certificate verify ok.
} [5 bytes data]
> GET /ryanoasis/nerd-fonts/tar.gz/v2.1.0 HTTP/1.1
> Host: codeload.github.com
> User-Agent: curl/7.69.1
> Accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: https://render.githubusercontent.com
< Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
< Strict-Transport-Security: max-age=31536000
< Vary: Authorization,Accept-Encoding
< X-Content-Type-Options: nosniff
< X-Frame-Options: deny
< X-XSS-Protection: 1; mode=block
< ETag: W/"7be3f5f192a6711f2aa8eca54b138cdc96221fb167c4490466784e0b44263491"
< Content-Type: application/x-gzip
< Content-Disposition: attachment; filename=nerd-fonts-2.1.0.tar.gz
< X-Geo-Block-List:
< Date: Sun, 22 Mar 2020 14:26:54 GMT
< X-Varnish: 132949497
< Age: 0
< Via: 1.1 varnish (Varnish/6.0)
< X-Cache: HFM
< X-Cache-Hits: 0
< Accept-Ranges: bytes
< Transfer-Encoding: chunked
< X-GitHub-Request-Id: 041D:7E09:054B:8F66:5E7775AE
<
{ [605 bytes data]
100 1975M 0 1975M 0 0 7820k 0 --:--:-- 0:04:18 --:--:-- 10.0M* TLSv1.3 (OUT), TLS alert, bad record mac (532):
} [2 bytes data]
* OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
100 1977M 0 1977M 0 0 7823k 0 --:--:-- 0:04:18 --:--:-- 10.1M
* Closing connection 1
curl: (56) OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
Finally
pacman -Qkk openssl
openssl: 4107 total files, 0 altered files
I'll try the command from the Installation ISO as well in the meantime.
curl -v https://www.google.com > /dev/null
# and
curl -v 'https://aur.archlinux.org/nerd-fonts-complete.git/' > /dev/null
# and
pacman -Qkk openssl
?
Any chances of a VPN or firewall etc.? (Though it seems the installation iso doesn't show this problem on the same system?)
------------------
EDIT, cross-linking
https://bbs.archlinux.org/viewtopic.php?id=253854
fatal: unable to access 'https://aur.archlinux.org/nerd-fonts-complete.git/': error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid
curl: (56) OpenSSL SSL_read: error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad record mac, errno 0
It seems to center around curl, and some of the research I've done implicates the multi-threading module within Python, but I'm at a loss to solve it. I do have other issues with connecting to web sites where they won't load.
Some things I've tried:
1) I've tried a chroot reinstall of the nss package as well.
2) Switching between ethernet and Wi-Fi connections in case it's a hardware issue.
3) Ensuring the Microcode is enabled.
Any ideas? Thanks!