SECURITY ERROR - This download does NOT match the one reported by the checksum server
Closed this issue · 6 comments
Hi, when I try to build (xk6 build --with github.com/grafana/xk6-chaos@latest) with xk6 a k6 file, I get the following error:
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.
We couldn't reproduce this, maybe it was some temporary network issue? Does this still happen? And if so, which Go version are you using?
Yes, the error continues. I am using windows and used the version below:
go version go1.18.2 windows/amd64
I used the newer one just in case:
go version go1.18.3 windows/amd64
The error still occurs. Full log below
2022/06/16 18:28:13 [INFO] Temporary folder: C:\Users\figaro\AppData\Local\Temp\buildenv_2022-06-16-1828.1333196320
2022/06/16 18:28:13 [INFO] Initializing Go module
2022/06/16 18:28:13 [INFO] exec (timeout=10s): C:\Program Files\Go\bin\go.exe mod init k6
go: creating new go.mod: module k6
2022/06/16 18:28:13 [INFO] Pinning versions
2022/06/16 18:28:13 [INFO] exec (timeout=0s): C:\Program Files\Go\bin\go.exe mod edit -require github.com/grafana/xk6-chaos@latest
2022/06/16 18:28:13 [INFO] exec (timeout=0s): C:\Program Files\Go\bin\go.exe mod tidy -compat=1.17
go: downloading go.k6.io/k6 v0.38.1
k6 imports
github.com/grafana/xk6-chaos imports
go.k6.io/k6/js/modules: go.k6.io/k6@v0.38.1: verifying module: checksum mismatch
downloaded: h1:1D1qZuOJVTeYpYSiq+fEe1ntPTMSgBekrP932upP414=
sum.golang.org: h1:s/XTX00SD4FJuwN79MR3KxAnMEPhqq9neT7ZIH/7lPQ=
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.
k6 imports
github.com/grafana/xk6-chaos imports
github.com/grafana/xk6-chaos/internal/k8s imports
go.k6.io/k6/js/common: go.k6.io/k6@v0.38.1: verifying module: checksum mismatch
downloaded: h1:1D1qZuOJVTeYpYSiq+fEe1ntPTMSgBekrP932upP414=
sum.golang.org: h1:s/XTX00SD4FJuwN79MR3KxAnMEPhqq9neT7ZIH/7lPQ=
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.
Hm, can you try running xk6 build v0.38.3 --with github.com/grafana/xk6-chaos@latest ?
@mstoykov I get the same error
Yeah ... I forgot that xk6 will still at one point in the process request k6 v0.38.1 ;(.
I have bumped the required version and made new release. You should be able to build it with the normal command in a couple of minutes when this propagates through the caches. You can force it with @v0.0.4 instead of @latest in case it takes too long.
Apparently v0.38.1 was tagged once and there was a problem, so it was deleted and remade. Unfortunately at least the gosumdb server you are hitting got the original tag and now that it has been replaces you are getting the error above.
I am not certain we can really do anything and to be honest v0.38.0-2 have bugs that required us to rebuild, so arguably they shouldn't be used 🤷.
So I guess I will just hope that nobody else uses v0.38.1 and won't hit this issue 🤞
Please close the issue once your build succeeds and thanks for reporting 🙇
Works like a charm, thanks:)