Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: checksum mismatch lacks resolution information #33665

Open
iand opened this issue Aug 15, 2019 · 3 comments

Comments

@iand
Copy link
Contributor

commented Aug 15, 2019

What version of Go are you using (go version)?

$ go version

go version devel +5f45a3337e Wed Aug 14 19:49:15 2019 +0000 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/iand/.cache/go-build"
GOENV="/home/iand/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/iand"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/opt/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/opt/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/home/iand/wip/--elided---/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build133450829=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Ran go mod tidy

What did you expect to see?

Instructions for investigating the cause and potential resolution of a checksum mismatch.

What did you see instead?

10:24 $ go mod tidy
verifying gotest.tools@v2.2.0+incompatible: checksum mismatch
	downloaded: h1:y0IMTfclpMdsdIbr6uwmJn5/WZ7vFuObxDMdrylFM3A=
	sum.golang.org: h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

This information, while correct, is not very informative for most users. It tells them the problem but doesn't indicate how they can resolve it. Their build will not progress until they resolve the problem.

go help module-auth provides very detailed information on the operation of the module checksum mechanism but doesn't help the typical user get their build working.

In my case go clean -modcache solved my problem although I am left with the feeling that I just did the module analog of "switching it off and on again".

The message would be more informative if it told me where the downloaded code is and how I can cross reference that with the code the checksum server saw.

@mvdan mvdan added the modules label Aug 15, 2019

@mvdan

This comment has been minimized.

Copy link
Member

commented Aug 15, 2019

@bcmills bcmills added this to the Unplanned milestone Aug 15, 2019

@hyangah

This comment has been minimized.

Copy link
Contributor

commented Aug 15, 2019

The same problem caused me to vote for go mod clean -m extension proposal in #28835

@im-kulikov

This comment has been minimized.

Copy link

commented Sep 12, 2019

The same problem with go1.13 and some repos (panjf2000/ants#49)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
5 participants
You can’t perform that action at this time.