tkey-ssh-agent: update artifact url and checksum

[chenrui333]

• Have you followed the guidelines for contributing?
• Have you ensured that your commits follow the commit style guide?
• Have you checked that there aren't other open pull requests for the same formula update/change?
• Have you built your formula locally with HOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>, where <formula> is the name of the formula you're submitting?
• Is your test running fine brew test <formula>, where <formula> is the name of the formula you're submitting?
• Does your build pass brew audit --strict <formula> (after doing HOMEBREW_NO_INSTALL_FROM_API=1 brew install --build-from-source <formula>)? If this is a new formula, does it pass brew audit --new <formula>?

---

found in #162713

[stefanb]

This should also change dependancy from "go" to "[email protected]" once

• [email protected] 1.21.7 (new formula) #162713

is merged

[dehanj]

This should also change dependancy from "go" to "[email protected]" once

* [[email protected] 1.21.7 (new formula) #162713](https://github.com/Homebrew/homebrew-core/pull/162713)

is merged

If I'm not mistaken, I think it should be built with [email protected]. It relates to this issue, which is fixed upstreams but not yet released.
So to close this PR that is the easiest fix. We do intend to make the release fixing the build issue with go above 1.20, but that will happen in about 2 weeks from now.

[dehanj]

@chenrui333, can you update the build dependency from "go" to "[email protected]"? Would appreciate it.
Should fix the build issue so this PR can go through.

[bevanjkay]

@dehanj we are waiting for confirmation from upstream that the changed checksum is legitimate.

[dehanj]

@bevanjkay I think it is legitimate. See my comment here.

[bevanjkay]

Unfortunately what we "think" is generally not enough in these instances. We need official confirmation from upstream

[chenrui333]

@chenrui333, can you update the build dependency from "go" to "[email protected]"? Would appreciate it.

we actually deprecated [email protected] recently, meaning we cannot use it as build dependencies anymore

[dehanj]

we actually deprecated [email protected] recently, meaning we cannot use it as build dependencies anymore

Ah, I see. Then this will have to wait until we release in about 2 weeks. It would obviously produce a new checksum for that release, but I will try to dig a bit more until then to see if we can get a better explanation for this change. The source in the tarball has not changed at least.

[chenrui333]

@dehanj is the upstream maintainer and confirm the latest checksum, my idea is maybe we can upload the tarball into the github asset rather than use github's source archive tarball for the sake of the tarball stability.

[dehanj]

If uploading our own release tarball is the recommendation from Homebrew, that is a solution. Is that the general recommendation from Homebrew? I guess it has to be seen Github does not offer checksum stability on the tarballs (even if they should seldomly change).

Unfortunately, we still have the issue that our latest release only supports Go 1.20 and below, and it has been deprecated. The fix is merged upstream, but we have some other changes the we absolutely need to include in our next release, it is our priority, but It is not finished yet. Sorry for the wait.

[ZhongRuoyu]

In this case I think the tarball checksum could be a result of the repository rename because the repository name is encoded in the tarball:

$ curl -Ls https://github.com/tillitis/tillitis-key1-apps/archive/refs/tags/v0.0.6.tar.gz | tar zt | head
tkey-ssh-agent-0.0.6/
tkey-ssh-agent-0.0.6/.clang-format
tkey-ssh-agent-0.0.6/.editorconfig
tkey-ssh-agent-0.0.6/.github/
tkey-ssh-agent-0.0.6/.github/workflows/
tkey-ssh-agent-0.0.6/.github/workflows/ci.yaml
tkey-ssh-agent-0.0.6/.gitignore
tkey-ssh-agent-0.0.6/.golangci.yml
tkey-ssh-agent-0.0.6/LICENSE
tkey-ssh-agent-0.0.6/Makefile

I guess it has to be seen Github does not offer checksum stability on the tarballs (even if they should seldomly change).

There was an incident last year changing the checksum of all Git archives. The change was reverted shortly after, but the recommendation from GitHub is that release assets are preferred over Git archives if checksum stability is a requirement.

However, most of the checksum mismatches we see are a result of re-tagging. So, if you don't go against Git's recommendation and re-tag your releases (or frequently rename the repository which I don't think you will :) ), then it should be fine.

[ZhongRuoyu]

I don't think this is ready to merge. It fails to build on macOS.

[github-actions]

🤖 An automated task has requested bottles to be published to this PR.

[dehanj]

In this case I think the tarball checksum could be a result of the repository rename because the repository name is encoded in the tarball:

Thanks, the renaming seems to be the root cause.

However, most of the checksum mismatches we see are a result of re-tagging. So, if you don't go against Git's recommendation and re-tag your releases (or frequently rename the repository which I don't think you will :) ), then it should be fine.

Makes sense! Then I think it should be fine.