Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

github.com/firefart/nonamedreturns@v1.0.0: verifying module: checksum mismatch #2

Closed
joewreschnig opened this issue Apr 20, 2022 · 7 comments
Closed

github.com/firefart/nonamedreturns@v1.0.0: verifying module: checksum mismatch #2

joewreschnig opened this issue Apr 20, 2022 · 7 comments

Comments

@joewreschnig
Copy link

Hi,

The checksum for this module currently in the module proxy does not match the checksum I get when I try to pull from the repository. This is probably not affecting most people because they use both the official Go proxy cache and official checksum database, but I am trying to populate a local proxy cache cache.

$ GOPROXY=direct go install github.com/firefart/nonamedreturns@v1.0.0
go: downloading github.com/firefart/nonamedreturns v1.0.0
go: github.com/firefart/nonamedreturns@v1.0.0: github.com/firefart/nonamedreturns@v1.0.0: verifying module: checksum mismatch
	downloaded: h1:bP/nIE/jZyMFBIH3LQp5vwqCO4/+Lftxu+DXqRh/3aQ=
	sum.golang.org: h1:TKZUsLIQ7rks6+g5qdG+MAtMIvZEvVSYGNDeybB7jO0=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Did you rebase or retag v1.0.0 in the past?
@joewreschnig joewreschnig mentioned this issue Apr 20, 2022
Merged
@firefart
Copy link
Owner

yes v1.0.0 was deleted and recreated

@joewreschnig
Copy link
Author

joewreschnig commented Apr 20, 2022
edited
Loading

Please tag a v1.0.1 ASAP and have golangci-lint update to it, as this is currently breaking their build. Version tags in Go modules are immutable; you can never change what they point to without triggering checksum violations.

@firefart
Copy link
Owner

there is now a version v1.0.1 if you wanna use it

@ldez
Copy link
Contributor

ldez commented Apr 20, 2022

@firefart can you explain why you did that? Because it's a real problem for us.

As explained by @joewreschnig, tags in Go modules are immutable, and when you do that you have a security impact on golangci-lint.

I can understand that you didn't know that and we will assume the consequences.

@firefart
Copy link
Owner

because you requested multiple changes and I didn't want to create new versions for each of them. See here for the update PR: golangci/golangci-lint#2776

@ldez ldez mentioned this issue Apr 20, 2022
Merged
@ldez
Copy link
Contributor

ldez commented Apr 20, 2022

Ok, I can understand.

We are lucky that someone has detected the problem before a release, thank you @joewreschnig.
I need to find a way to enforce the check of this kind of problem during the review process.

@joewreschnig
Copy link
Author

Thanks @firefart and @ldez for addressing this so quickly!

Regarding enforcing this during review, a build/test run with GOPROXY=direct will usually detect this.

Regarding workflow for changes during a PR, in situations like this our team usually keeps the go.mod version pointing to specific revisions (e.g. a version like v0.0.0-20220325145130-11b0aca896bd) during code review, tagging only after review is finished before merging. Repointing the tag after changes doesn't work right anyway, since the depending project will usually keep pulling the same code over the proxy every time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@firefart @joewreschnig @ldez