
v1.3.0 on proxy.golang.org differs from v1.3.0 on github.com #56

Closed
Eudi4H opened this issue Apr 23, 2020 · 1 comment

Comments


Eudi4H commented Apr 23, 2020

The cached zip file and checksum of v1.3.0 at proxy.golang.org and sum.golang.org do not match the v1.3.0 tag at github.com. If you download the module with GOPROXY="direct" to disable proxy.golang.org, you get a checksum mismatch.

$ go version
go version go1.14.2 linux/amd64
$ go clean -modcache
$ go mod init example.com/example
go: creating new go.mod: module example.com/example
$ GOPROXY="direct" GOSUMDB="sum.golang.org" go get github.com/tjfoc/gmsm
go: downloading github.com/tjfoc/gmsm v1.3.0
go get github.com/tjfoc/gmsm: github.com/tjfoc/gmsm@v1.3.0: verifying module: checksum mismatch
        downloaded: h1:qhgkrZru95jFP9NbVPknJvc9vgkMXhOEzkOASKdc0oQ=
        sum.golang.org: h1:i7c6Za/IlgBvnGxYpfD7L3TGuaS+v6oGcgq+J9/ecEA=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

If you disable the checksum check with GOSUMDB="off", you can download the module zip file from github, and directly from proxy.golang.org, to see what differs. Besides a filename encoding issue, two source files are different.

$ GOPROXY="https://proxy.golang.org" GOSUMDB="sum.golang.org" go get github.com/tjfoc/gmsm
go: downloading github.com/tjfoc/gmsm v1.3.0
go: github.com/tjfoc/gmsm upgrade => v1.3.0
$ curl -o proxy.zip https://proxy.golang.org/github.com/tjfoc/gmsm/@v/v1.3.0.zip
$ unzip -d proxy proxy.zip
$ diff -ru "$GOPATH/pkg/mod/github.com/tjfoc/gmsm@v1.3.0" "proxy/github.com/tjfoc/gmsm@v1.3.0" | diffstat
 $GOPATH/pkg/mod/github.com/tjfoc/gmsm@v1.3.0/API使用说明.md |only
 proxy/github.com/tjfoc/gmsm@v1.3.0/API??+???޻???.md                   |only
 proxy/github.com/tjfoc/gmsm@v1.3.0/sm2/p256.go                         |  251 ++--------
 proxy/github.com/tjfoc/gmsm@v1.3.0/sm2/sm2.go                          |    3 
 4 files changed, 65 insertions(+), 189 deletions(-)

I suppose that at some point, v1.3.0 pointed to a different commit than it does now, and someone did a go get of it, which cached that version at proxy.golang.org. Later, v1.3.0 was changed to point to a different commit.

Because of its version number, go get still considers v1.3.0 to be the newest version, even though v1.2.2, v1.2.3, and v1.2.4 were released more recently. I don't think you can ever change what's stored at proxy.golang.org and sum.golang.org, but you could release a new v1.3.1 that doesn't have the problem.
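As an added illustration (not code from this issue or from the gmsm project): the h1: checksum that go get compares against sum.golang.org is computed over the sorted file list of the module zip, so a v1.3.0 tag moved to a commit that changes even one file produces a different hash than the one the checksum database cached. The block below reimplements that h1 algorithm over in-memory zips; the module path example.com/m and the file contents are constructed assumptions.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"sort"
)

// BuildZip writes name/content pairs into an in-memory zip in the order given
// (constructed sample data standing in for a downloaded module zip).
func BuildZip(files [][2]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, f := range files {
		w, _ := zw.Create(f[0])
		io.WriteString(w, f[1])
	}
	zw.Close()
	return buf.Bytes()
}

// HashZip reimplements the h1: checksum recorded in go.sum and by sum.golang.org:
// one "<sha256 hex>  <name>\n" line per file in sorted name order, then the
// sha256 of that summary, base64-encoded and prefixed with "h1:".
func HashZip(zipData []byte) (string, error) {
	zr, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
	if err != nil {
		return "", err
	}
	files := append([]*zip.File(nil), zr.File...)
	sort.Slice(files, func(i, j int) bool { return files[i].Name < files[j].Name })
	summary := sha256.New()
	for _, f := range files {
		rc, err := f.Open()
		if err != nil {
			return "", err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return "", err
		}
		fmt.Fprintf(summary, "%x  %s\n", sha256.Sum256(data), f.Name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}
```

Comparing HashZip of the zip served by the origin with the h1: line in go.sum (or the value sum.golang.org returns) is exactly the check that fails in the session above; entry order inside the zip does not affect the result, file content does.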

czdsdo (Collaborator) commented May 14, 2020

OK
