You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The cached zip file and checksum of v1.3.0 at proxy.golang.org and sum.golang.org do not match the v1.3.0 tag at github.com. If you download the module with GOPROXY="direct" to disable proxy.golang.org, you get a checksum mismatch.
$ go version
go version go1.14.2 linux/amd64
$ go clean -modcache
$ go mod init example.com/example
go: creating new go.mod: module example.com/example
$ GOPROXY="direct" GOSUMDB="sum.golang.org" go get github.com/tjfoc/gmsm
go: downloading github.com/tjfoc/gmsm v1.3.0
go get github.com/tjfoc/gmsm: github.com/tjfoc/gmsm@v1.3.0: verifying module: checksum mismatch
downloaded: h1:qhgkrZru95jFP9NbVPknJvc9vgkMXhOEzkOASKdc0oQ=
sum.golang.org: h1:i7c6Za/IlgBvnGxYpfD7L3TGuaS+v6oGcgq+J9/ecEA=
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.
If you disable the checksum check with GOSUMDB="off", you can download the module zip file from github, and directly from proxy.golang.org, to see what differs. Besides a filename encoding issue, two source files are different.
I suppose that at some point, v1.3.0 pointed to a different commit than it does now, and someone did a go get of it, which cached that version at proxy.golang.org. Later, v1.3.0 was changed to point to a different commit.
Because of its version number, go get still considers v1.3.0 to be the newest version, even though v1.2.2, v1.2.3, and v1.2.4 were released more recently. I don't think you can ever change what's stored at proxy.golang.org and sum.golang.org, but you could release a new v1.3.1 that doesn't have the problem.
The text was updated successfully, but these errors were encountered:
The cached zip file and checksum of v1.3.0 at proxy.golang.org and sum.golang.org do not match the v1.3.0 tag at github.com. If you download the module with
GOPROXY="direct"
to disable proxy.golang.org, you get a checksum mismatch.If you disable the checksum check with
GOSUMDB="off"
, you can download the module zip file from github, and directly from proxy.golang.org, to see what differs. Besides a filename encoding issue, two source files are different.I suppose that at some point, v1.3.0 pointed to a different commit than it does now, and someone did a
go get
of it, which cached that version at proxy.golang.org. Later, v1.3.0 was changed to point to a different commit.Because of its version number,
go get
still considers v1.3.0 to be the newest version, even though v1.2.2, v1.2.3, and v1.2.4 were released more recently. I don't think you can ever change what's stored at proxy.golang.org and sum.golang.org, but you could release a new v1.3.1 that doesn't have the problem.The text was updated successfully, but these errors were encountered: