kubernetes-sigs/aws-iam-authenticator

[Bug]: checksum mismatch when using GOPROXY=direct for v0.5.10

yann-soubeyrand opened this issue · 10 comments

What happened?

root@b38dc5125e03:/go# export GOPROXY=direct
root@b38dc5125e03:/go# go install sigs.k8s.io/aws-iam-authenticator/cmd/aws-iam-authenticator@v0.5.10
go: downloading sigs.k8s.io/aws-iam-authenticator v0.5.10
go: sigs.k8s.io/aws-iam-authenticator/cmd/aws-iam-authenticator@v0.5.10: sigs.k8s.io/aws-iam-authenticator@v0.5.10: verifying module: checksum mismatch
	downloaded: h1:NkY05qFG4AUY1qG54J4+387o/iSi4Z9p/NP8gV9OOQ4=
	sum.golang.org: h1:YGPh/SpRxNkWXfGkURKGsgWvz70x41SB4QazrU7R3Wk=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

What you expected to happen?

root@294492ad16dd:/go# go install sigs.k8s.io/aws-iam-authenticator/cmd/aws-iam-authenticator@v0.5.10
go: downloading github.com/aws/aws-sdk-go v1.44.107
go: downloading github.com/sirupsen/logrus v1.8.1
go: downloading github.com/manifoldco/promptui v0.9.0
go: downloading github.com/prometheus/client_golang v1.11.0
go: downloading github.com/spf13/cobra v1.1.3
go: downloading k8s.io/apimachinery v0.22.1
go: downloading github.com/spf13/viper v1.7.0
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading k8s.io/client-go v0.22.1
go: downloading k8s.io/component-base v0.22.1
go: downloading k8s.io/sample-controller v0.22.1
go: downloading sigs.k8s.io/yaml v1.2.0
go: downloading github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e
go: downloading golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e
go: downloading github.com/fsnotify/fsnotify v1.4.9
go: downloading github.com/hashicorp/hcl v1.0.0
go: downloading github.com/magiconair/properties v1.8.1
go: downloading github.com/mitchellh/mapstructure v1.1.2
go: downloading github.com/pelletier/go-toml v1.2.0
go: downloading github.com/spf13/afero v1.2.2
go: downloading github.com/spf13/cast v1.3.0
go: downloading github.com/spf13/jwalterweatherman v1.0.0
go: downloading github.com/spf13/pflag v1.0.5
go: downloading github.com/subosito/gotenv v1.2.0
go: downloading gopkg.in/ini.v1 v1.51.0
go: downloading github.com/beorn7/perks v1.0.1
go: downloading github.com/cespare/xxhash/v2 v2.1.1
go: downloading github.com/golang/protobuf v1.5.2
go: downloading github.com/cespare/xxhash v1.1.0
go: downloading github.com/prometheus/client_model v0.2.0
go: downloading github.com/prometheus/common v0.26.0
go: downloading github.com/prometheus/procfs v0.6.0
go: downloading k8s.io/klog/v2 v2.9.0
go: downloading k8s.io/api v0.22.1
go: downloading github.com/gofrs/flock v0.7.0
go: downloading golang.org/x/text v0.3.7
go: downloading golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd
go: downloading github.com/imdario/mergo v0.3.5
go: downloading golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
go: downloading github.com/go-logr/logr v0.4.0
go: downloading github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading github.com/google/gofuzz v1.1.0
go: downloading google.golang.org/protobuf v1.26.0
go: downloading github.com/googleapis/gnostic v0.5.5
go: downloading golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac
go: downloading k8s.io/utils v0.0.0-20210707171843-4b05e18ac7d9
go: downloading sigs.k8s.io/structured-merge-diff/v4 v4.1.2
go: downloading github.com/davecgh/go-spew v1.1.1
go: downloading golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
go: downloading gopkg.in/inf.v0 v0.9.1
go: downloading github.com/google/go-cmp v0.5.5
go: downloading github.com/jmespath/go-jmespath v0.4.0
go: downloading github.com/json-iterator/go v1.1.11
go: downloading github.com/modern-go/reflect2 v1.0.1
go: downloading gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
go: downloading github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
go: downloading github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd
go: downloading k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e

Anything else we need to know?

No response

Installation tooling

other (please specify in description)

AWS IAM Authenticator server Version

0.5.10

Client information

Go 1.19.

Kubernetes API Version

NA

aws-iam-authenticator YAML manifest

No response

kube-apiserver YAML manifest

No response

aws-iam-authenticator logs

No response

Has this version been retagged?
I didn’t check with other versions.

v0.5.11 seems to be also affected:

root@2771dad96a76:/go# go install sigs.k8s.io/aws-iam-authenticator/cmd/aws-iam-authenticator@v0.5.11
go: downloading sigs.k8s.io/aws-iam-authenticator v0.5.11
go: sigs.k8s.io/aws-iam-authenticator/cmd/aws-iam-authenticator@v0.5.11: sigs.k8s.io/aws-iam-authenticator@v0.5.11: verifying module: checksum mismatch
	downloaded: h1:sZRLVtKsZmr5QAk7eCXoDpGeceq0RjrjG7HkM1PUr5A=
	sum.golang.org: h1:QqPw+DUFLKX2PewcwO+Tqps5mCKBAWvDk1H5rMO2fF4=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
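Added example, not part of the thread or of the project's code: how an `h1:` value like the ones in the two error messages above is derived, following the scheme of `golang.org/x/mod/sumdb/dirhash` (`Hash1`) reimplemented with the standard library only. It shows that any change to the tree behind a version tag yields a different `h1:`, which the `go` command then reports as a mismatch against sum.golang.org. The names `hashH1` and `sampleTrees`, the module path and the file contents are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// hashH1 computes a Go module "h1:" hash over an in-memory file tree.
// Keys are zip-style paths ("module@version/relative/path").
func hashH1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names) // sorted, so the result does not depend on map order

	summary := sha256.New()
	for _, name := range names {
		// One line per file: hex SHA-256 of the content, two spaces, path.
		fmt.Fprintf(summary, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// sampleTrees returns two constructed trees for the same (hypothetical)
// module version: the one first recorded, and one with a changed file.
func sampleTrees() (original, changed map[string][]byte) {
	const prefix = "example.test/mod@v1.0.0/"
	original = map[string][]byte{
		prefix + "go.mod":  []byte("module example.test/mod\n\ngo 1.19\n"),
		prefix + "main.go": []byte("package main\n\nfunc main() {}\n"),
	}
	changed = map[string][]byte{
		prefix + "go.mod":  original[prefix+"go.mod"],
		prefix + "main.go": []byte("package main\n\nfunc main() { println(1) }\n"),
	}
	return original, changed
}

func main() {
	original, changed := sampleTrees()
	fmt.Println("recorded by checksum database:", hashH1(original))
	fmt.Println("downloaded from origin:       ", hashH1(changed))
}
```

With `GOPROXY=direct` the module is fetched from the origin repository and hashed locally, while the checksum database keeps the hash it recorded when it first saw that version.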

@yann-soubeyrand apologies for the inconvenience. I am not able to reproduce the same error on my end.

Could you please give https://stackoverflow.com/questions/54133789/go-modules-checksum-mismatch a try and let me know if it doesn't work?

Thank you!

Hello @nnmin-aws,
I already tried to clean my module cache before opening this issue 😉
To reproduce it on your side, can you try the following command please (I used Podman, but I guess it’s the same)?
docker run --rm -it -e GOPROXY=direct docker.io/golang:1.19 go install sigs.k8s.io/aws-iam-authenticator/cmd/aws-iam-authenticator@v0.5.10

@yann-soubeyrand I can reproduce the error message on my end. It turns out NOSUMDB is a different setting for me.

We will prepare a new release to fix this issue.

Apologies again for the inconvenience.

@nnmin-aws I also ran into a similar checksum issue with the 0.5.11 release. Let me know when you can make a new release. Thanks!

/close

@nckturner: Closing this issue.
