cespare/xxhash

go sum mismatch

SterlingWitty opened this issue · 3 comments

While attempting to use the Prometheus client that depends on this package:
github.com/prometheus/client_golang v1.11.0
Doing a go get returns the following error.

verifying github.com/cespare/xxhash/v2@v2.1.1: checksum mismatch
downloaded: h1:47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=
go.sum: h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

This was working last week, and now it appears as though the checksum has changed, breaking my builds with this package.

My go sum ENV variable is pointing to:
GOSUMDB="sum.golang.org"

Hmm, I'm not sure what's wrong. I haven't changed the tag. The checksum in your go.sum is correct.

$ mkdir /tmp/xxhash
$ cd /tmp/xxhash/
$ go mod init tmp
go: creating new go.mod: module tmp
$ mkdir /tmp/gopath
$ export GOPATH=/tmp/gopath
$ go get github.com/cespare/xxhash/v2@v2.1.1
go: downloading github.com/cespare/xxhash/v2 v2.1.1
go get: added github.com/cespare/xxhash/v2 v2.1.1
$ cat go.sum
github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
$ curl https://sum.golang.org/lookup/github.com/cespare/xxhash/v2@v2.1.1
476576
github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=

go.sum database tree
6839389
VCTWqyTQ0QJWPn7EzQkO+XOf4AH1S8ZmA1i2bBV1CyI=

— sum.golang.org Az3griDhprscc89ufjWmrdmJvATROuQaesN2/NRmH2MrWsiNTKOIN0ax6NVYxdhXAdok1ix+/95eukx4wUJIcPqm0wU=

Do you have GOPROXY set? What Go version are you using?

Thanks for the quick reply!

Currently on 1.16.

Unfortunately, my employer has some network settings that block direct access to GitHub, so we have to use an Artifactory proxy that mirrors the repos we need from GitHub, though it was working fine not more than 5 days ago.
This sounds like it is pointing in the direction of that proxy.

I'm going to close this for now since it doesn't seem to be a problem on my end. I don't know where the checksum value h1:47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU= comes from, but I'd be interested in the outcome if you learn more.