
verifying go.uber.org/dig@v1.16.0: checksum mismatch #370

Closed
Meroje opened this issue Jan 9, 2023 · 5 comments

Meroje commented Jan 9, 2023

Describe the bug
The current v1.16.0 version cannot be downloaded directly, or from a proxy other than proxy.golang.org, while also verifying the sum.

edit: the info file says it got this commit 7e27222

To Reproduce

```
$ cd $(mktemp -d)
$ go mod init digsum
go: creating new go.mod: module digsum
$ GOPROXY=direct GOMODCACHE="$PWD/cache" go get -d go.uber.org/dig@v1.16.0
go: downloading go.uber.org/dig v1.16.0
go: go.uber.org/dig@v1.16.0: verifying module: checksum mismatch
	downloaded: h1:UvbC1KUaQKx6MQTALcKanqRuPQRX7Tnt1iIYZHH2shk=
	sum.golang.org: h1:O48QoUEj4ePocypAIE5jz+SrxVdG/izHM1CZ/Yjrwww=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
```

Expected behavior
It should work, regardless of the GOPROXY value.

Additional context
I guess the tag was moved after publication, but not before it was cached by the proxy?
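The error above comes from the go command comparing two "h1:" hashes: the one it computes over the bytes it just fetched, and the one sum.golang.org recorded the first time anyone asked it for that module@version. The following is an added, self-contained illustration (not code from the dig project or from the go toolchain) of how that hash is built and why a tag moved after the checksum database saw it can never verify again, even for a trusted origin. The hash construction follows the published Hash1 algorithm used by the go command (one `sha256hex  name` line per file, sorted by name, then SHA-256 of the list, base64, prefixed `h1:`); the module path, file contents and "before/after retag" trees are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// hash1 computes an "h1:" module checksum using the same construction as the
// go command's dirhash.Hash1: for each file, sorted by name, one line of
// "<sha256 hex of content>  <name>\n"; then the SHA-256 of that summary,
// base64-encoded and prefixed with "h1:". The real go command feeds it the
// entries of the module zip (names prefixed "<module>@<version>/"); here the
// files argument is a constructed in-memory map standing in for that zip.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)

	summary := sha256.New()
	for _, name := range names {
		fileHash := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s\n", fileHash, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// verify mirrors the check the go command performs after a download:
// the hash of the fetched bytes (from any proxy, or GOPROXY=direct) must
// equal the hash the checksum database recorded for that module@version.
// The go command cannot tell tampering in transit from a moved tag; both
// surface as the same mismatch.
func verify(downloaded, recorded string) error {
	if downloaded == recorded {
		return nil
	}
	return fmt.Errorf("verifying module: checksum mismatch\n\tdownloaded: %s\n\tsum.golang.org: %s",
		downloaded, recorded)
}

// Two constructed snapshots of the same tag (invented sample data, not dig's
// real files). recordedTree is what the checksum database saw when the
// version was first fetched through proxy.golang.org; retaggedTree is what
// the repository serves after the tag was moved to a later commit that only
// touched the changelog.
var (
	prefix = "example.com/mod@v1.0.0/"

	recordedTree = map[string][]byte{
		prefix + "go.mod":    []byte("module example.com/mod\n\ngo 1.19\n"),
		prefix + "mod.go":    []byte("package mod\n\nfunc Version() string { return \"v1.0.0\" }\n"),
		prefix + "CHANGELOG": []byte("## [1.0.0]\n"),
	}

	retaggedTree = map[string][]byte{
		prefix + "go.mod":    []byte("module example.com/mod\n\ngo 1.19\n"),
		prefix + "mod.go":    []byte("package mod\n\nfunc Version() string { return \"v1.0.0\" }\n"),
		prefix + "CHANGELOG": []byte("## [1.0.0]\n\n- fix changelog typo\n"),
	}
)

func main() {
	recorded := hash1(recordedTree)

	// A client that receives the original bytes (e.g. via proxy.golang.org's cache) passes.
	if err := verify(hash1(recordedTree), recorded); err != nil {
		fmt.Println(err)
	} else {
		fmt.Println("original tree verifies:", recorded)
	}

	// A client that fetches after the retag (GOPROXY=direct, or a proxy that
	// filled its cache later) gets different bytes and fails verification.
	if err := verify(hash1(retaggedTree), recorded); err != nil {
		fmt.Println("SECURITY ERROR:", err)
	}
}
```

The point for a maintainer is that the checksum database is append-only: once a module@version has been logged, the only recovery is a new version, which is why the thread ends with v1.16.1 plus a retraction of v1.16.0 rather than a fixed v1.16.0.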


Meroje commented Jan 9, 2023

I guess you'll have to publish a new version anyway because of the l6 typo?

[1.l6.0]: https://github.com/uber-go/dig/compare/v1.15.0...v1.16.0

@sywhang sywhang self-assigned this Jan 9, 2023

un000 commented Jan 11, 2023

```
INFO[9:17AM]: go.uber.org/dig@v1.16.0: verifying module: checksum mismatch
	downloaded: h1:UvbC1KUaQKx6MQTALcKanqRuPQRX7Tnt1iIYZHH2shk=
	sum.golang.org: h1:O48QoUEj4ePocypAIE5jz+SrxVdG/izHM1CZ/Yjrwww=
```


Meroje commented Feb 6, 2023

As v1.16.1 was released, this can be closed, because moving forward dig is installable again (even though v1.16.0 will remain "broken").

@kaptinlin

```
go: downloading go.uber.org/dig v1.16.0
go.uber.org/fx imports
	go.uber.org/dig: go.uber.org/dig@v1.16.0: verifying module: checksum mismatch
	downloaded: h1:UvbC1KUaQKx6MQTALcKanqRuPQRX7Tnt1iIYZHH2shk=
	sum.golang.org: h1:O48QoUEj4ePocypAIE5jz+SrxVdG/izHM1CZ/Yjrwww=
```


abhinav commented Feb 21, 2023

Seeing as the issue has been fixed in 1.16.1, perhaps we can retract 1.16.0.

@sywhang @r-hang what do you think about retracting the bad release to prevent this issue?
https://go.dev/ref/mod#go-mod-file-retract
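For readers unfamiliar with the directive abhinav links to, here is an added sketch of what a retraction looks like in a go.mod. This is illustrative only; it is not the contents of dig's go.mod or of the commit referenced below, and the `go` directive value and the wording of the rationale comment are assumptions.

```gomod
module go.uber.org/dig

go 1.18

// The comment attached to a retract directive is the rationale the go
// command shows to users who resolve the retracted version. The directive
// only takes effect once a new version containing it is tagged, because
// the go command reads retractions from the latest version's go.mod.
retract v1.16.0 // Tag moved after sum.golang.org recorded it; checksum mismatch. Use v1.16.1 or later.
```

Once that is published in a later release, `go get go.uber.org/dig@v1.16.0` still succeeds against proxy.golang.org's cached copy but prints a warning carrying the rationale, and `go list -m -versions go.uber.org/dig` omits v1.16.0 unless `-retracted` is passed, so new dependents are steered away from the bad tag without anyone having to rewrite history.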

sywhang added a commit to sywhang/dig that referenced this issue Feb 21, 2023
This adds retract directive to go.mod for v1.16.0 which was a bad
release causing issues like uber-go#370.

See also: https://go.dev/ref/mod#go-mod-file-retract.
sywhang added a commit that referenced this issue Feb 21, 2023
This adds retract directive to go.mod for v1.16.0 which was a bad
release causing issues like #370.

See also: https://go.dev/ref/mod#go-mod-file-retract.
@sywhang sywhang closed this as completed Feb 25, 2023
5 participants