[email protected]/go.mod checksum mismatch #1083
Comments
Hi @jarrodhroberson, would you like to share your project setup?
Here's an example: https://github.com/emilhauk/envoy-checksum-error
Can you try this
For what it's worth, I am experiencing the same issue and so tried the suggested fix above, which yields the same error:

```
> go get github.com/envoyproxy/go-control-plane/envoy@latest
verifying github.com/envoyproxy/go-control-plane/[email protected]/go.mod: checksum mismatch
downloaded: h1:c955gQjaXHsMxMjHjEZ7nwIzMJYxXpN+sJIGufsSbg4=
go.sum: h1:F6hWupPfh75TBXGKA++MCT/CZHFq5r9/uwt/kQYkZfE=
SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
```

I would note that in my case, the Looking at the changelog I see that there are changes to I suspect that this change may be the root cause of the issue, I have not tested but this line raised some suspicion for me: Line 6 in 2d07f5a
I also tried your suggestion, but to no avail. I get different hashes though (same as in the example repo linked above). Then, I tried to install this using a basic docker container, which apparently works just fine 🙈:
The issue seems to be local or system related, but affecting several others as well it seems. I have tried the following:
I don't get how this is the only package of countless on my machine that's acting up. Any insights and/or suggestions would be greatly appreciated 😃

I cannot share my project, it is not public. I am not using this directly, it is being accessed as a dependency of a dependency. I think it is a Google Cloud SDK dependency. I tracked it down to "opentelemetry" using this version.

I can get it to work LOCALLY by either setting GONOSUMDB or replacing my local hash with the expected one. But when I try to deploy to Google App Engine Standard, I am NOT in control of the build environment and cannot set GONOSUMDB (which I think is a hack workaround).

I did finally get an absolutely crap workaround to get it to deploy by replacing the hash in go.sum with the one that the GAE build expects. Which is "correct" I have no idea, because the next time I tried to deploy, the hashes were reversed and I got the error again.

The only reason that the checksum would be different for the exact same version is someone replaced a published binary and did not bump the version number for some reason. I know this because when I first started using Go and releasing my code I did the same thing and it bit me immediately.

Deleting the contents of go.mod and deleting go.sum completely can affect the hashes that are retrieved. I have tried everything, including doing that. I have experienced the order of the hashes reversing, as a previous poster says. That is why replacing the hash in my go.sum before pushing to Google App Engine for deployment is not a solution: the hash that GAE pulls seems to be non-deterministic.

I am using GOPROXY=direct, which should pull directly from the source. There is no acceptable client-side fix for this if you do not control the version of the library directly.
I am trying to build a project and when I updated dependencies I started getting this error.
I can get around it locally by setting GONOSUMDB='github.com/envoyproxy/*' but this does not let me deploy it to google app engine where I can not specify that.
Is there a solution to this?
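
As an added example (not code from this thread or from the go-control-plane project), the Go program below shows how the `h1:` value on a `/go.mod` line of go.sum is derived from the raw go.mod bytes, so two downloads of the same version that differ by even one byte produce the `downloaded:` / `go.sum:` mismatch quoted above. The module path, version and go.mod text are constructed placeholders, and the CRLF variant is only one constructed byte difference, not a diagnosis of this issue.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample: placeholder module path and go.mod text, not from the issue.
const (
	sampleModule  = "example.com/placeholder/envoy"
	sampleVersion = "v0.0.1"
	sampleGoMod   = "module example.com/placeholder/envoy\n\ngo 1.17\n"
)

// goModH1 computes the "h1:" hash go.sum stores on a "<module> <version>/go.mod"
// line: SHA-256 of the manifest line "<hex sha256 of file>  go.mod\n", in base64.
func goModH1(goMod []byte) string {
	fileSum := sha256.Sum256(goMod)
	manifest := fmt.Sprintf("%x  go.mod\n", fileSum)
	sum := sha256.Sum256([]byte(manifest))
	return "h1:" + base64.StdEncoding.EncodeToString(sum[:])
}

// checkGoSum finds the go.mod line for module@version in go.sum text and reports
// whether the given go.mod bytes hash to the recorded value.
func checkGoSum(goSum, module, version string, goMod []byte) (found, match bool, recorded string) {
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == module && f[1] == version+"/go.mod" {
			return true, f[2] == goModH1(goMod), f[2]
		}
	}
	return false, false, ""
}

func main() {
	lf := []byte(sampleGoMod)
	// Same file with CRLF line endings: one constructed example of differing bytes.
	crlf := bytes.ReplaceAll(lf, []byte("\n"), []byte("\r\n"))
	goSum := sampleModule + " " + sampleVersion + "/go.mod " + goModH1(lf) + "\n"

	for _, c := range []struct{ name string; data []byte }{{"LF", lf}, {"CRLF", crlf}} {
		_, ok, rec := checkGoSum(goSum, sampleModule, sampleVersion, c.data)
		fmt.Printf("%-4s downloaded: %s\n     go.sum:     %s\n     match: %v\n", c.name, goModH1(c.data), rec, ok)
	}
}
```

Running the same function over the go.mod bytes fetched through each path (proxy, direct, CI build) shows which source disagrees with the recorded line before anyone edits go.sum by hand.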