Can't build Vault 1.4.0 - go.mod checksum mismatch

[herbygillot]

Describe the bug
Cannot build Vault from source due to several invalid checksums in go.sum

make dev fails to build and we see an error like:

$ make dev
==> Checking that build is using go version >= 1.13.7...
==> Using go version 1.14.1...
verifying github.com/hashicorp/vault-plugin-auth-cf@v0.5.3/go.mod: checksum mismatch
        downloaded: h1:exPUMj8yNohKM7yRiHa7OfxQmyDI9Pj8+08qB4hGlVw=
        go.sum:     h1:idkFYHc6ske2BE7fe00SpH+SBIlqDKz8vk/IPLJuX2o=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
make: *** [prep] Error 1

Seeing a different mismatch error when run each time. Got this error for the following modules:

github.com/hashicorp/vault-plugin-auth-cf@v0.5.3
github.com/hashicorp/vault-plugin-secrets-azure@v0.5.5
github.com/hashicorp/vault-plugin-secrets-kv@v0.5.4
github.com/hashicorp/vault-plugin-database-mongodbatlas@v0.1.0
github.com/hashicorp/vault-plugin-auth-cf@v0.5.3
github.com/hashicorp/vault-plugin-auth-gcp@v0.6.0
github.com/hashicorp/vault-plugin-auth-oci@v0.5.3
github.com/hashicorp/vault-plugin-auth-alicloud@v0.5.4
github.com/hashicorp/vault-plugin-auth-oci@v0.5.3
...

To Reproduce
Steps to reproduce the behavior:

1. Clone Vault git repo
2. Checkout v1.4.0 tag
3. Run make bootstrap
4. Run make dev

Expected behavior
Expected build to proceed and complete successfully.

Environment:

• Vault Server Version (retrieve with vault status): N/A
• Vault CLI Version (retrieve with vault version): N/A
• Server Operating System/Architecture:

 - macOS 10.15.4 19E266
 - go version go1.14.1 darwin/amd64

Additional context
Tried building through a VPN to attempt to eliminate the possibility of a MITM; seeing the same results.

[kalafut]

Hi. Thanks for the report. We've isolated the change where go.sum seems to have diverged and are reviewing the release process that caused it. In the mean time if you want to build from the tag, you should be able to delete the github.com/hashicorp/vault-plugin-* lines from go.sum and rebuild. This will trigger a fresh download of just those dependencies.

[herbygillot]

Thank you @kalafut. Do you think there'll be a bugfix release of 1.4.0 with a fix for go.sum imminently, or no?

[kalafut]

@herbygillot This turned out to be a fairly subtle error. Our repos are correct, but an error at the start of beta resulted in proxy.golang.org caching the wrong tag content. We'll bump all plugin versions, and these will be part of 1.4.1 (TBD release date, but not immediate, since our repo and the build binaries are correct).

Another interim build fix is to not use the module proxy (set GOPROXY=direct), or don't use it for the affected dependencies (GOPRIVATE=github.com/hashicorp/vault-plugin*). In either case, you might need to clean the module cache (go clean -modcache) first if there are already local copies of these modules.

[herbygillot]

Thank you for the recommendations, @kalafut, build proceeds as expected.

For some more context, this is for packaging Vault for MacPorts
Reference PR here: macports/macports-ports#6818

Closing this and thanks again.