checksum mismatch when downloading with GOPROXY=direct #15

Closed
zikaeroh opened this issue Jun 16, 2021 · 14 comments

@zikaeroh

It appears as though the published version that exists in the Go module proxy differs from the one that is in this repo; this can happen if you retag to another commit or force push, and can cause breakages.

$ go clean -modcache
$ GOPROXY=direct go install github.com/ryancurrah/gomodguard/cmd/gomodguard@latest
go: downloading github.com/ryancurrah/gomodguard v1.2.1
go install github.com/ryancurrah/gomodguard/cmd/gomodguard@latest: github.com/ryancurrah/gomodguard@v1.2.1: verifying module: checksum mismatch
	downloaded: h1:nZFSDqk8ui1DxX9Hj8td+vz9K2ByPwfq6QJPKkz6YVo=
	sum.golang.org: h1:t1WWL0RGJJBo5KZ0u2c/FGY1QQgx2gUbHWzBmOKWs98=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

This module is now a part of golangci-lint, so I'm hitting this when installing it.
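How the two `h1:` values in the error above are derived, and why moving a tag to another commit makes them disagree, shown as an added example that is not part of the original thread. The function follows the `h1:` scheme implemented by `golang.org/x/mod/sumdb/dirhash`; the module path `example.com/mod` and the file contents are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// hash1 reproduces the "h1:" module hash: SHA-256 over a sorted manifest of
// "<hex sha256 of file>  <name>\n" lines, base64-encoded.
// files maps "module@version/path" to the file's contents.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, name := range names {
		fmt.Fprintf(h, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// sampleTrees returns constructed file trees: the same tag name resolved at
// two different commits (what the checksum database recorded vs. the origin now).
func sampleTrees() (cached, retagged map[string][]byte) {
	const prefix = "example.com/mod@v1.2.1/" // hypothetical module and version
	cached = map[string][]byte{
		prefix + "go.mod":  []byte("module example.com/mod\n"),
		prefix + "main.go": []byte("package mod\n"),
	}
	retagged = map[string][]byte{
		prefix + "go.mod":  []byte("module example.com/mod\n"),
		prefix + "main.go": []byte("package mod\n\n// changed after first tag\n"),
	}
	return cached, retagged
}

func main() {
	cached, retagged := sampleTrees()
	fmt.Println("sum.golang.org:", hash1(cached))
	fmt.Println("downloaded:    ", hash1(retagged))
	fmt.Println("match:", hash1(cached) == hash1(retagged))
}
```

Because the hash covers every file's name and contents, any change to the tree behind a tag produces a different `h1:` value than the one first logged for that version.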

@pellared

pellared commented Jun 17, 2021

@ryancurrah
Owner

Yeah I think when I used goreleaser it messed up and I deleted the tag and tried again.

@pellared

Could you please publish a v1.2.2 if you do not plan to make a new release soon? It would make people's lives easier 😉

@ryancurrah
Owner

Done. Let me know if it fixes it for you.

@pellared

> Done. Let me know if it fixes it for you.

Thanks.
I guess it will fix once golangci-lint makes a deps bump.

@StevenACoffman
Contributor

Not sure if this worked? I tried the directions for Adding a package and none of them worked:

  1. Visiting that page on pkg.go.dev, and clicking the “Request” button. For example:
    https://pkg.go.dev/github.com/ryancurrah/gomodguard/@v1.2.2

  2. Making a request to proxy.golang.org for the module version, to any endpoint specified by the Module proxy protocol. For example:
    https://proxy.golang.org/github.com/ryancurrah/gomodguard/@v/v1.2.2.info

  3. Downloading the package via the go command. For example:

GOPROXY=https://proxy.golang.org GO111MODULE=on go get github.com/ryancurrah/gomodguard@v1.2.2

@zikaeroh
Author

zikaeroh commented Jun 18, 2021

The tag is 1.2.2, but it needs to be v1.2.2 in order to be a valid version.

@pellared

pellared commented Jun 18, 2021

The v1.2.1 tag should be pointing to the commit cached in Go Module Proxy if we want to fix the issue.

@ryancurrah
Owner

ryancurrah commented Jun 18, 2021

What if we updated the version in golangci-lint and bumped a patch release?

> The tag is 1.2.2, but it needs to be v1.2.2 in order to be a valid version.

Fixed

@zikaeroh
Author

> What if we updated the version in golangci-lint and bumped a patch release?

Yep, this will have to be updated there, since it'll keep picking the last revision.

@StevenACoffman
Contributor

Will golangci-lint also need an exclude in its go.mod for v1.2.1 now that v1.2.2 is available?

In the meantime, in your projects depending on golangci-lint, you can add an exclude to go.mod for the invalid version:

exclude github.com/ryancurrah/gomodguard v1.2.1

For instance, to ensure my tool dependencies are not removed and so I can leverage the Go Modules, I create a file tools.go. In this file I will list all my tool dependencies using an import statement:

//go:build tools
// +build tools

package tools

import (
	_ "github.com/golangci/golangci-lint/cmd/golangci-lint"
)

// There is nothing here intentionally

This allows me to again use golangci-lint v1.4.1 in my CI/CD pipeline.

@zikaeroh
Author

> Will golangci-lint also need an exclude in its go.mod for v1.2.1 now that v1.2.2 is available?

No, it'd bump the dep to v1.2.2 in its go.mod, and then the version is guaranteed to be at least that version (unless someone uses another go.mod to replace it to a lower version).

StevenACoffman added a commit to StevenACoffman/golangci-lint that referenced this issue Jun 18, 2021
…guard#15

Signed-off-by: Steve Coffman <steve@khanacademy.org>
@zikaeroh
Author

I'll close this, since it's fixed. 🙂

@ryancurrah
Owner

Apologies for the issues. I'm happy it's resolved now.

StevenACoffman added a commit to StevenACoffman/gomodguard that referenced this issue Aug 3, 2021
Signed-off-by: Steve Coffman <steve@khanacademy.org>
ryancurrah pushed a commit that referenced this issue Aug 4, 2021
Signed-off-by: Steve Coffman <steve@khanacademy.org>