can't go get this package SECURITY ERROR #553

Closed
andrexus opened this issue Dec 21, 2020 · 10 comments

@andrexus

Describe the bug
Trying to get the package

go get github.com/ory/fosite 

and get the following error message

github.com/oleiade/reflections@v1.0.0/go.mod: verifying module: checksum mismatch
        downloaded: h1:rdFxbxq4QXVZWj0F+e9jqjDkc7dbp97vkRixKo2JR60=
        sum.golang.org: h1:RbATFBbKYkVdqmSFtx13Bb/tVhR0lgOBXunWTZKeL4w=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

@aeneasr
Member

aeneasr commented Dec 21, 2020

Thank you for contributing to this repository by creating an issue!

Unfortunately, your issue lacks vital information (go version), such as log files, the error message, the software version, your configuration or other pieces of the puzzle.

Please also ensure that your issue is appropriately formatted. If you do not know how to write markdown, you can find help here.

Helping you with your problem is only possible if you share this information, and it will save a lot of time of back and forth on your as well as our end!

For this reason, this repository uses issue templates which you can select when pressing "New issue". Please use one of those issue templates to fill in the required information. You can either create a new issue for this purpose and close this one, or leave a comment.

Do not edit the original post as we will not be notified when you do so.

If you do not provide the requested information, this issue will be closed.

@andrexus
Author

go version is 1.15

@aeneasr
Member

aeneasr commented Dec 25, 2020

Sorry, I can't reproduce this - might be a problem with your GOPROXY or something else:

% cd $(mktemp -d)
% go mod init github.com/foo/bar
go: creating new go.mod: module github.com/foo/bar
% go get github.com/ory/fosite 
go: github.com/ory/fosite upgrade => v0.36.0
% 

@aeneasr closed this as completed Dec 25, 2020

@titouanfreville
Contributor

Hello @aeneasr. I also encounter this issue, and it is not related to the Go proxy but to the default sum DB check for public repositories. You can ignore those checks using some Go module settings, but the main problem will stay.

The issue is on the github.com/oleiade/reflections v1.0.0 side, as they overwrote a commit for version 1.0.0, as you can check in this issue report: oleiade/reflections#14

I'll make a PR to upgrade to version 1.0.1 in go.mod as it should fix the problem, but could you reopen this issue as no solution was proposed yet?
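
Added example, not part of the original thread or of the fosite or Go project code: a standard-library sketch of how the h1: hash of a go.mod file is derived, showing why a version tag moved to different content fails the comparison with the recorded checksum. The module path example.com/demo/lib, both go.mod contents and the helper names are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample: two different go.mod files published under the same tag.
var (
	firstTag = []byte("module example.com/demo/lib\n\ngo 1.15\n")
	reTagged = []byte("module example.com/demo/lib\n\ngo 1.15\n\nrequire example.com/demo/dep v0.1.0\n")
)

// GoModH1 reproduces the "h1:" hash for a go.mod file: SHA-256 over the
// summary line "<hex sha256 of file>  go.mod\n", base64-encoded.
func GoModH1(goMod []byte) string {
	fileSum := sha256.Sum256(goMod)
	summary := fmt.Sprintf("%x  %s\n", fileSum[:], "go.mod")
	outer := sha256.Sum256([]byte(summary))
	return "h1:" + base64.StdEncoding.EncodeToString(outer[:])
}

// SumLine formats a go.sum-style entry for a module's go.mod file.
func SumLine(module, version string, goMod []byte) string {
	return fmt.Sprintf("%s %s/go.mod %s", module, version, GoModH1(goMod))
}

// VerifyGoMod checks downloaded go.mod bytes against a recorded go.sum-style line.
func VerifyGoMod(sumLine string, downloaded []byte) error {
	f := strings.Fields(sumLine)
	if len(f) != 3 || !strings.HasSuffix(f[1], "/go.mod") || !strings.HasPrefix(f[2], "h1:") {
		return fmt.Errorf("malformed go.mod sum line: %q", sumLine)
	}
	if got := GoModH1(downloaded); got != f[2] {
		return fmt.Errorf("%s@%s: checksum mismatch\n\tdownloaded: %s\n\trecorded:   %s",
			f[0], f[1], got, f[2])
	}
	return nil
}

func main() {
	// The recorded line stands in for the first publication of v1.0.0.
	recorded := SumLine("example.com/demo/lib", "v1.0.0", firstTag)
	fmt.Println("original content: ", VerifyGoMod(recorded, firstTag))
	// The same tag now resolves to different bytes, so verification fails.
	fmt.Println("re-tagged content:", VerifyGoMod(recorded, reTagged))
}
```

Because the recorded hash is tied to the exact bytes first published for a version, the mismatch only goes away when the dependency is consumed at a version whose content was never replaced.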

@aeneasr
Member

aeneasr commented Jan 6, 2021

Thank you for tracing that, yes that would be great!

@titouanfreville
Contributor

/!\ It also impacts older versions of fosite relying on oleiade/reflections (like fosite 0.29, which is used by ory/x)

go mod tidy
go: github.com/ory/x@v0.0.162 requires
github.com/ory/fosite@v0.29.0 requires
github.com/oleiade/reflections@v1.0.0/go.mod: verifying module: checksum mismatch
downloaded: h1:rdFxbxq4QXVZWj0F+e9jqjDkc7dbp97vkRixKo2JR60=
sum.golang.org: h1:RbATFBbKYkVdqmSFtx13Bb/tVhR0lgOBXunWTZKeL4w=

after upgrading dependencies for fosite on my local.

@titouanfreville
Contributor

@aeneasr Sorry to disturb you again, but I don't think I will be able to fix it on my side. I'm meeting a lot of issues with dependencies (I recently cleaned my Go modules) and the issue is deeper than I thought (cf. previous comment). Can someone on the ory side take it?

@aeneasr
Member

aeneasr commented Jan 8, 2021

I can't reproduce the issue unfortunately

@titouanfreville
Contributor

Did you try to clear your Go module cache? go clean -modcache? I didn't have the issue while projects were cached, but cannot re-install after a reset or on a clean env.

@titouanfreville
Contributor

titouanfreville commented Jan 9, 2021

Finally managed to restore my env and fix the issue. The pipeline fails due to a missing token. If you have a hint :)
