Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
cmd/go: allow verifying vendored code #27348
It would be great if projects that choose to vendor their modules (then presumably building with
This would satisfy a major requirement that many projects need to account for in their CI process-- ensuring that vendored code hasn't been tampered with.
While we move to go modules, perform the dep check for repos that still use dep. Run `go mod verify` instead for go modules. Note, this just verifies the integrity of modules in the local cache. We would have instead wanted to verify the vendored code here, but that is still not supported. golang/go#27348 Fixes #1879 Signed-off-by: Archana Shinde <email@example.com>
@sgreene570, note that in the interim you can simply re-run
Verifying the checksums of the vendored modules requires the full module content (because that is what is checksummed), so either way you're going to have to download the full module into the local module cache.