github.com/go-openapi/spec@v0.20.5: verifying module: checksum mismatch #156

Closed
jonathanwin opened this issue Aug 3, 2022 · 4 comments

Comments

@jonathanwin

```
$ go get github.com/go-openapi/spec@v0.20.5
go: downloading github.com/go-openapi/spec v0.20.5
go: github.com/go-openapi/spec@v0.20.5: verifying module: checksum mismatch
        downloaded: h1:7VP8zufGZEIV+zfSwHGTWgbMINz/WhW3oFsA47Rhjsk=
        sum.golang.org: h1:skHa8av4VnAtJU5zyAUXrrdK/NDiVX8lchbG+BfcdrE=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
```

It looks like you might have rewritten the 0.20.5 tag to point to 0.20.6:
https://github.com/go-openapi/spec/tags
v0.20.6 [1005cfb]
v0.20.5 [1005cfb]

This breaks any package using v0.20.5, e.g. github.com/swaggo/http-swagger@v1.2.7 and all later versions so far

@jonathanwin
Author

I suspect the best plan would be to rewrite the v0.20.5 tag again with its original commit.

@casualjim
Member

I think that the original commit is lost, or at least I wouldn't know how to find it. That's why I pushed a 0.20.6 tag when I realized the mistake.

You should be able to fix this by doing `go get -u github.com/go-openapi/spec@latest`

I saw that swaggo also updated the deps in their repo

@jonathanwin
Author

Unless you force-pushed to master, or tagged something that wasn't pushed, or wasn't on master, then v0.20.5 should be somewhere between v0.20.4 and v0.20.6.
Assuming it wasn't equal to v0.20.4, that leaves 95abe38 (v0.20.6~1) or 6ca6ff8 (v0.20.6~2)

Turns out proxy.golang.org has a copy of the "original" v0.20.5 that matches sum.golang.org's checksum, so the issue does not show except when GOPROXY=direct (or when proxy.golang.org is unreachable), while still using sum.golang.org.
This explains why swaggo cannot reproduce, but also lets us find the original tag by downloading proxy.golang.org's version:

```sh
# Fetch v0.20.5 from proxy.golang.org (which still serves the originally
# published bits) into a throwaway module, then open the cached copy.
cd "$(go env GOPATH)/src" &&
mkdir -p testprx &&
cd testprx &&
go mod init testprx &&
go clean -modcache &&
GOPROXY="https://proxy.golang.org" go get github.com/go-openapi/spec@v0.20.5 &&
cd "$(go env GOMODCACHE)/github.com/go-openapi/spec@v0.20.5"
```

It looks identical to the commit 95abe38 (v0.20.6~1)

\o/
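To make the mechanism behind the error concrete, here is an added example (not code from this issue or from the go-openapi project) that reimplements the `h1:` module hash the go command compares against sum.golang.org, and shows why moving a tag to a different commit produces exactly the "checksum mismatch" above: the checksum database recorded the hash of the bits first published under v0.20.5, and any later content served for the same version, however legitimate, hashes differently. The module path `example.com/spec` and the file contents are constructed stand-ins; the hash algorithm follows the documented `dirhash.Hash1` format (sorted `"<sha256 hex>  <path>\n"` lines, then SHA-256, then base64).

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// moduleFile is one entry of a module zip: its path inside the zip
// (which Go prefixes with "<module>@<version>/") and its bytes.
type moduleFile struct {
	Path    string
	Content []byte
}

// hash1 reimplements the "h1:" checksum format that go.sum and
// sum.golang.org record (the algorithm of golang.org/x/mod/sumdb/dirhash.Hash1):
// for every file, sorted by path, append "<sha256 hex>  <path>\n" to a
// summary, then base64-encode the SHA-256 of that summary.
func hash1(files []moduleFile) string {
	sorted := append([]moduleFile(nil), files...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Path < sorted[j].Path })
	summary := sha256.New()
	for _, f := range sorted {
		fileSum := sha256.Sum256(f.Content)
		fmt.Fprintf(summary, "%x  %s\n", fileSum, f.Path)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// verifyModule performs the comparison the go command makes after a download:
// the hash of the bits it fetched must equal the hash the checksum database
// (or an existing go.sum line) reports for that module@version.
func verifyModule(downloaded []moduleFile, sumdbHash string) error {
	got := hash1(downloaded)
	if got != sumdbHash {
		return fmt.Errorf("verifying module: checksum mismatch\n\tdownloaded: %s\n\tsum.golang.org: %s", got, sumdbHash)
	}
	return nil
}

func main() {
	// Constructed stand-in for the tree the v0.20.5 tag originally pointed at.
	original := []moduleFile{
		{"example.com/spec@v0.20.5/go.mod", []byte("module example.com/spec\n\ngo 1.18\n")},
		{"example.com/spec@v0.20.5/spec.go", []byte("package spec\n\nconst Version = \"0.20.5\"\n")},
	}
	// sum.golang.org hashes a version the first time anyone requests it and
	// never changes that record; simulate that by recording the original hash.
	recorded := hash1(original)

	// Constructed stand-in for the same tag after it was moved to a later commit:
	// same version string in the zip paths, different file bytes.
	retagged := []moduleFile{
		{"example.com/spec@v0.20.5/go.mod", []byte("module example.com/spec\n\ngo 1.18\n")},
		{"example.com/spec@v0.20.5/spec.go", []byte("package spec\n\nconst Version = \"0.20.6\"\n")},
	}

	fmt.Println("original bits:", verifyModule(original, recorded))
	fmt.Println("retagged bits:", verifyModule(retagged, recorded))
}
```

Because the version string is part of every path hashed, a fix that reuses a version number can never be made to verify again; publishing a new tag (v0.20.6 here) and letting dependants move to it is the only way forward, which is what the thread converges on. It also explains the proxy observation: proxy.golang.org caches the bits it fetched when the version was first requested, so clients going through it keep getting content whose hash matches the database, while `GOPROXY=direct` fetches the retagged tree from GitHub and fails.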

@fredbi
Member

fredbi commented Nov 30, 2023

I believe this issue is now outdated, as the latest tag is now v0.20.9. Therefore, closing this.

@fredbi fredbi closed this as completed Nov 30, 2023