Problem
When doing a cargo release -vvv patch on clap, I got
[2025-06-09T17:22:05Z DEBUG cargo_release::steps] Files changed in clap_lex since clap_lex-v0.7.4: [
"/home/epage/src/personal/clap/clap_lex/LICENSE-APACHE",
"/home/epage/src/personal/clap/clap_lex/LICENSE-MIT",
"/home/epage/src/personal/clap/clap_lex/src/lib.rs",
]
[2025-06-09T17:22:05Z DEBUG cargo_release::steps] Files changed in clap_builder since v4.5.39: [
"/home/epage/src/personal/clap/clap_builder/LICENSE-APACHE",
"/home/epage/src/personal/clap/clap_builder/LICENSE-MIT",
"/home/epage/src/personal/clap/clap_builder/README.md",
"/home/epage/src/personal/clap/clap_builder/src/lib.rs",
"/home/epage/src/personal/clap/clap_builder/src/macros.rs",
]
[2025-06-09T17:22:05Z DEBUG cargo_release::steps] Files changed in clap_derive since v4.5.32: [
"/home/epage/src/personal/clap/clap_derive/LICENSE-APACHE",
"/home/epage/src/personal/clap/clap_derive/LICENSE-MIT",
"/home/epage/src/personal/clap/clap_derive/README.md",
]
[2025-06-09T17:22:05Z DEBUG cargo_release::steps] Files changed in clap since v4.5.39: [
"/home/epage/src/personal/clap/Cargo.lock",
"/home/epage/src/personal/clap/Cargo.toml",
"/home/epage/src/personal/clap/src/_faq.rs",
"/home/epage/src/personal/clap/src/lib.rs",
]
[2025-06-09T17:22:05Z DEBUG cargo_release::steps] Files changed in clap_complete since clap_complete-v4.5.52: [
"/home/epage/src/personal/clap/clap_complete/LICENSE-APACHE",
"/home/epage/src/personal/clap/clap_complete/LICENSE-MIT",
"/home/epage/src/personal/clap/clap_complete/src/lib.rs",
]
[2025-06-09T17:22:05Z DEBUG cargo_release::steps] Files changed in clap_complete_nushell since clap_complete_nushell-v
4.5.6: [
"/home/epage/src/personal/clap/clap_complete_nushell/LICENSE-APACHE",
"/home/epage/src/personal/clap/clap_complete_nushell/LICENSE-MIT",
"/home/epage/src/personal/clap/clap_complete_nushell/src/lib.rs",
]
[2025-06-09T17:22:05Z DEBUG cargo_release::steps] Files changed in clap_mangen since clap_mangen-v0.2.26: [
"/home/epage/src/personal/clap/clap_mangen/LICENSE-APACHE",
"/home/epage/src/personal/clap/clap_mangen/LICENSE-MIT",
"/home/epage/src/personal/clap/clap_mangen/src/lib.rs",
]
...
Publishing clap_lex, clap_builder, clap_derive, clap, clap_complete, clap_complete_nushell, clap_mangen
[2025-06-09T17:22:06Z TRACE cargo_release::ops::cmd] /home/epage/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/b
in/cargo publish --manifest-path /home/epage/src/personal/clap/clap_lex/Cargo.toml -Zpackage-workspace --package clap_
lex --package clap_builder --package clap_derive --package clap --package clap_complete --package clap_complete_nushel
l --package clap_mangen --dry-run --allow-dirty
Updating crates.io index
warning: crate [email protected] already exists on crates.io index
warning: crate [email protected] already exists on crates.io index
warning: crate [email protected] already exists on crates.io index
warning: crate [email protected] already exists on crates.io index
warning: crate [email protected] already exists on crates.io index
warning: crate [email protected] already exists on crates.io index
warning: crate [email protected] already exists on crates.io index
Packaging clap_lex v0.7.4 (/home/epage/src/personal/clap/clap_lex)
warning: ignoring test `testsuite` as `tests/testsuite/main.rs` is not included in the published package
Updating crates.io index
Packaged 9 files, 44.5KiB (13.2KiB compressed)
Packaging clap_builder v4.5.39 (/home/epage/src/personal/clap/clap_builder)
error: failed to prepare local package for uploading
Caused by:
checksum for `clap_lex v0.7.4` changed between lock files
this could be indicative of a few possible errors:
* the lock file is corrupt
* a replacement source in use (e.g., a mirror) returned a different checksum
* the source itself may be corrupt in one way or another
unable to verify that `clap_lex v0.7.4` is the same as when the lockfile was generated
Pulling out from that, the command was roughly
$ cargo publish -Zpackage-workspace --workspace --dry-run --allow-dirty
The key parts to this
- --dry-run was being used
- versions were not bumped (because it was a dry-run release)
- every package was changed
This can also be reproduced with cargo package within the same repo at the same point in time
Steps
Add the following test:
#[cargo_test]
fn checksum_changed() {
    let registry = RegistryBuilder::new().http_api().http_index().build();

    // `dep` 1.0.0 already exists in the registry, and `transitive` depends on that published copy.
    Package::new("dep", "1.0.0").publish();
    Package::new("transitive", "1.0.0")
        .dep("dep", "1.0.0")
        .publish();

    // The workspace carries its own local `dep` at the same, un-bumped version.
    let p = project()
        .file(
            "Cargo.toml",
            r#"
            [workspace]
            members = ["dep"]

            [package]
            name = "foo"
            version = "0.0.1"
            edition = "2015"
            authors = []
            license = "MIT"
            description = "foo"
            documentation = "foo"

            [dependencies]
            dep = { path = "./dep", version = "1.0.0" }
            transitive = "1.0.0"
            "#,
        )
        .file("src/lib.rs", "")
        .file(
            "dep/Cargo.toml",
            r#"
            [package]
            name = "dep"
            version = "1.0.0"
            edition = "2015"
            "#,
        )
        .file("dep/src/lib.rs", "")
        .build();

    p.cargo("check").run();

    // The dry-run publish of the whole workspace fails with the checksum error.
    p.cargo("publish --dry-run --workspace -Zpackage-workspace")
        .masquerade_as_nightly_cargo(&["package-workspace"])
        .replace_crates_io(registry.index_url())
        .with_status(101)
        .with_stderr_data(str![[r#"
[UPDATING] crates.io index
[WARNING] crate dep@1.0.0 already exists on crates.io index
[WARNING] manifest has no description, license, license-file, documentation, homepage or repository.
See https://doc.rust-lang.org/cargo/reference/manifest.html#package-metadata for more info.
[PACKAGING] dep v1.0.0 ([ROOT]/foo/dep)
[PACKAGED] 4 files, [FILE_SIZE]B ([FILE_SIZE]B compressed)
[PACKAGING] foo v0.0.1 ([ROOT]/foo)
[ERROR] failed to prepare local package for uploading

Caused by:
  checksum for `dep v1.0.0` changed between lock files

  this could be indicative of a few possible errors:

      * the lock file is corrupt
      * a replacement source in use (e.g., a mirror) returned a different checksum
      * the source itself may be corrupt in one way or another

  unable to verify that `dep v1.0.0` is the same as when the lockfile was generated

"#]])
        .run();
}
Possible Solution(s)
No response
Notes
Previously reported at #1169 (comment) without clear reproduction steps
Previous issues related to --dry-run
- Cannot dry-run cargo publish without bumping versions #14721
- Can't cargo publish --workspace --dry-run if the versions already exist #14789
Version
$ ❯ cargo +nightly -Vv
cargo 1.89.0-nightly (056f5f4f3 2025-05-09)
release: 1.89.0-nightly
commit-hash: 056f5f4f3c100cb36b5e9aed2d20b9ea70aae295
commit-date: 2025-05-09
host: x86_64-unknown-linux-gnu
libgit2: 1.9.0 (sys:0.20.0 vendored)
libcurl: 8.12.1-DEV (sys:0.4.80+curl-8.12.1 vendored ssl:OpenSSL/3.4.1)
ssl: OpenSSL 3.4.1 11 Feb 2025
os: Pop!_OS 22.4.0 (jammy) [64-bit]
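The error quoted in this report is raised when a package with the same name and version carries a different checksum in two lock files. As an added example (not code from the issue or from cargo), the following compares two Cargo.lock texts and lists such packages; the helper names, the `example_dep` entry and the checksum strings are constructed placeholders.

```rust
use std::collections::BTreeMap;

// Line-based reader for the regular layout cargo writes to Cargo.lock (not a general
// TOML parser). Returns (name, version) -> checksum for entries that record a checksum.
fn read_checksums(lock: &str) -> BTreeMap<(String, String), String> {
    let mut out = BTreeMap::new();
    let (mut name, mut version, mut sum) = (None::<String>, None::<String>, None::<String>);
    // The trailing sentinel header flushes the final entry; path members have no checksum.
    for line in lock.lines().chain(std::iter::once("[[package]]")) {
        let line = line.trim();
        if line == "[[package]]" {
            if let (Some(n), Some(v), Some(c)) = (name.take(), version.take(), sum.take()) {
                out.insert((n, v), c);
            }
        } else if let Some((key, value)) = line.split_once(" = ") {
            let value = value.trim_matches('"').to_string();
            match key {
                "name" => name = Some(value),
                "version" => version = Some(value),
                "checksum" => sum = Some(value),
                _ => {}
            }
        }
    }
    out
}

// Packages present in both lock files with the same name and version but a different checksum.
fn changed_between(old_lock: &str, new_lock: &str) -> Vec<String> {
    let (old, new) = (read_checksums(old_lock), read_checksums(new_lock));
    new.iter()
        .filter(|(key, sum)| old.get(*key).is_some_and(|prev| prev != *sum))
        .map(|(key, _)| format!("{} v{}", key.0, key.1))
        .collect()
}

// Constructed sample lock file; the checksum strings are placeholders, not real digests.
fn sample_lock(clap_lex_sum: &str) -> String {
    format!(
        "version = 4\n\n[[package]]\nname = \"clap_builder\"\nversion = \"4.5.39\"\n\n\
         [[package]]\nname = \"clap_lex\"\nversion = \"0.7.4\"\nchecksum = \"{clap_lex_sum}\"\n\n\
         [[package]]\nname = \"example_dep\"\nversion = \"1.0.0\"\nchecksum = \"constructed-C\"\n"
    )
}

fn main() {
    for pkg in changed_between(&sample_lock("constructed-A"), &sample_lock("constructed-B")) {
        println!("checksum for `{pkg}` changed between lock files");
    }
}
```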