package_index.JSON broken?

Hey all seems to be a lot of these posts in the forums. summary.. board manager is broken done all the regular stuff. cleaned out the Appdata entry, reinstalled clean... file displays in browser okay package_index.json MD5: D87069632A808A5D05A51D91E5C6E682 SHA-1: 2DD031B6732CB527985077AF905D79CE68E67AF0 something is broken somewhere.

Cheetor: board manager is broken

Are you getting an error message that makes you think this? If so, post it.

Cheetor: package_index.json MD5: D87069632A808A5D05A51D91E5C6E682

The MD5 of https://downloads.arduino.cc/packages/package_index.json should be 3a6903f95253b04de6dcd7c36c21a6d5.

Please do this:

  • In the Arduino IDE, click the link on the line following File > Preferences > More preferences can be edited directly in the file. This will open the Arduino15 (or similar name depending on OS) folder.
  • In this thread, click the "Reply" button.
  • Click "Attachments and other options" attach the package_index.json file you find in the Arduino15 or similar folder you opened in the previous step.
  • Post the attachment.

Getting the classic “https://downloads.arduino.cc/packages/package_index.json file signature verification failed. File ignored.” error when trying to use board manager
Hmm, Looks like I must somehow be getting a corrupted file. My appdata arduino
folder does not hold a package_index.json file. If I put a manually downloaded
package_index.json in to it it causes the Arduino IDE to delete it on next launch.
My manually downloaded copy is attached, perhaps a diff with the correct version can
let us see whats going wrong.

package_index.json.txt (252 KB)

Did you download the attached file from https://downloads.arduino.cc/packages/package_index.json? It's strange because yours is missing the entry for Arduino SAMD Boards 1.8.1 and avrdude 6.3.0-arduino17. So that explains the different checksum values, but it's not caused by corruption.

Please download and attach the file from https://downloads.arduino.cc/packages/package_index.json.sig so I can compare it to the one I get from that URL.

What I'm wondering is whether some servers didn't receive the new .json file but they did receive the new .sig file. Since the two files are mismatched, the verification fails. Which download server is used could depend on your geographic location. So I get an up to date .json file, but you don't.

Additionally I downloaded the file in Firefox, Chrome, Internet Explorer and Edge
Chrome, Firefox and IE gave me a MD5 of D87069632A808A5D05A51D91E5C6E682
Edge gave me a MD5 of 0EE9A468F4C766058F1EB5AECD181403
So I got to thinking… maybe theres something screwy in the network…
'cos in theory there is no way a HTTPS transaction could be altered except for
AFTER it has been received and confirmed correct… I fired up an instance of
TAILS in a VM ( TAILS uses TOR, effectively bypassing any network highjinks our
company routers/firewalls may be performing ). inside TAILS I wget downloaded
the file, and the MD5 was comming back as the correct 3a6903f95253b04de6dcd7c36c21a6d5

For my location I am in NZ, a tracert to downloads.arduino.cc returns
C:\Users\TechSupport>tracert downloads.arduino.cc

Tracing route to downloads.arduino.cc.cdn.cloudflare.net [104.20.190.47]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 10.123.162.1
2 1 ms * 153 ms aecomfw1.???.???l [???.???.???.???]
3 2 ms 1 ms 1 ms tengige0-0-2-1-992.chrev-rt1.fx.net.nz [131.203.252.217]
4 * * * Request timed out.
5 16 ms 15 ms 15 ms callplus1.ape.nzix.net [192.203.154.46]
6 15 ms 15 ms 15 ms cloudflare.ape.nzix.net [192.203.154.51]
7 17 ms 17 ms 80 ms 104.20.190.47

Trace complete.

the .sig file is attached, I get a identical .sig if I download from windows or over TOR.
but I get a different JSON if I’m in windows or TOR… Perhaps cloudfare has pushed out
the new .sig file, but perhaps not correctly pushed down the .json file?

package_indexFIREFOX.json.sig.txt (543 Bytes)

Cheetor:
Edge gave me a MD5 of 0EE9A468F4C766058F1EB5AECD181403

Strange. I don’t have an explanation for that one.

Cheetor:
inside TAILS I wget downloaded
the file, and the MD5 was comming back as the correct 3a6903f95253b04de6dcd7c36c21a6d5

Nice work! I wonder if TAILS is causing you to get the file from a different server than you do without it? Since you’re anonymized, Cloudflare couldn’t determine the best server to use for your geographic location so you end with a server that actually received the updated package_index.json file.

Cheetor:
the .sig file is attached

That file is the same as the one I get.

Cheetor:
Perhaps cloudfare has pushed out
the new .sig file, but perhaps not correctly pushed down the .json file?

That’s exactly my hypothesis (but that the problem is limited to only certain servers). All your results confirm this except for the thing with Edge. I don’t don’t think that fits in with our hypothesis but it might be only some unrelated issue.

You’re one of four people who have reported this issue over the last few days. I’m waiting to receive files from someone else to see if theirs have the same issue as yours. After that, I’ll report our findings to someone at Arduino who can investigate this further.

I agree... TAILS was using an exit node in the USA, so it was getting a cloudfare CDN server in the US. Whereas outside of TAILS I'm getting the file from the NZ based cloudfare servers.. For curiosity I tried my phone as it is on a different ISP to my work internet.. it still gets the incorrect file.

As for the odd MD5 with EDGE, it's probably because Edge has no Download or Save option and I had to copy/paste out of the browser window. I think its's safe to ignore this particular result.

I think you're on point with it being a problem with the CDN not being synced up for the json file.

I'm located in the US.

Someone also located in NZ in another thread reported that the problem has now stopped. The package_index.json they’re getting now is the one with MD5 of 3a6903f95253b04de6dcd7c36c21a6d5. Would you mind checking to see if this is the case for you too?

It might be that the problem fixed itself.

Hi Yeah I've been following that thread too. I'm still getting the json with MD5 D87069632A808A5D05A51D91E5C6E682 I've reached out to a few techy people I know around NZ.. the results are a bit patchy... some get the correct file, others don't I cant seem to narrow it down to a certian route

I submitted a bug report: https://github.com/arduino/Arduino/issues/8988

Hi there,
@Cheetor, thanks for the heads up, are you able to provide the http headers you get when you download both
https://downloads.arduino.cc/packages/package_index.json
https://downloads.arduino.cc/packages/package_index.json.sig
in case you are still experiencing the signature error?
Thanks!

Roberto

https://downloads.arduino.cc/packages/package_index.json file signature verification failed. File ignored.

And I cannot see any MKR boards.

Hi there,
we launched a CDN refresh, can you please verify if you are still experiencing the
“package_index.json file signature verification failed. File ignored”
error?
If yes please reply with geographical location and both headers and files.
Thanks!

Can confirm, problem has been solved at my end now

Confirm fixed. Location: Finland.

same problem here: arduino samd boards disappered with error.
https://downloads.arduino.cc/packages/package_index.json file signature verification failed. File ignored.

@bassai please follow the troubleshooting guide here: https://github.com/arduino/Arduino/issues/8988#issuecomment-505393479

I followed the instructions given by pert:

The problem still persists, see debugging report in attachment.

Operating System: Linux 64
Location: Germany
LANG=en_US.UTF-8
Arduino IDE: 1.8.9

bug.txt (2.21 KB)

Thanks bassai! We need you to also provide the downloaded package_index.json file and package_index.json.sig files. You'll need to rename the files with a .txt file extension so that GitHub will allow them to be attached. It would be best if you can post those two files as well as the headers in a reply on the issue report on GitHub: https://github.com/arduino/Arduino/issues/8988 so that all the information will be in one place for rsora's investigation.