Error when downloading cosign

[ericofusco]

Description

I'm getting this error when I try to download cosign.

$ go install github.com/sigstore/cosign/cmd/cosign@latest
go install github.com/sigstore/cosign/cmd/cosign@latest: github.com/sigstore/cosign@v1.1.0
        The go.mod file for the module providing named packages contains one or
        more replace directives. It must not contain directives that would cause
        it to be interpreted differently than if it were the main module.

[dlorenc]

Someone just hit this yesterday and somehow got past it here: #575

[ericofusco]

Thanks, I was able to download with go get but just saw this message in the end (just an #fyi).

go get: installing executables with 'go get' in module mode is deprecated.
        Use 'go install pkg@version' instead.
        For more information, see https://golang.org/doc/go-get-install-deprecation
        or run 'go help get' or 'go help install'.

go clean -modcache doesn't work for me either, it doesn't have any effect for me anyway I'm downloading cosign from a clean CI build.

Issue happens with go 1.17 too.

[bwalding]

I was able to work around this by using go install github.com/sigstore/cosign/cmd/cosign@main - I figured someone else would hit this issue and fix it before I had to solve it for myself.

Using @latest didn't work for me.

[cpanato]

latest i think will not work because this is the branch name

[UPDATE]
Looks like both latest and v1.1.0 we cannot use due to the two requires in the go.mod, and that looks like it is conflicting

if we try to use go install github.com/sigstore/cosign/cmd/cosign@main (main branch) it works

So I think this will be fixed in the next release

cc @dlorenc

[BernhardFuchs]

Got the same issue with go install and v1.1.0 but it worked with v1.0.0.
Could install v1.1.0 with go get which gives a deprecation warning.

[luhring]

I'm not able to go install using main. I can reproduce this problem in a clean environment:

$ docker run --rm golang:1.17-alpine go install github.com/sigstore/cosign/cmd/cosign@main
go: downloading github.com/sigstore/cosign v1.2.1-0.20210916114150-905c794dd7c2
go install: github.com/sigstore/cosign/cmd/cosign@main (in github.com/sigstore/cosign@v1.2.1-0.20210916114150-905c794dd7c2):
	The go.mod file for the module providing named packages contains one or
	more replace directives. It must not contain directives that would cause
	it to be interpreted differently than if it were the main module.

From what I'm seeing, the issue isn't the two require directives in go.mod, it's the replace directive.

The replace directive was introduced in cosign's go.mod in fb04df8. I've found that go install ... stops working as of this commit. In the previous commit (739947d), it works. Note that this previous commit already has two require directives.

I've been looking more into the replace directive (such as in this Go proposal), and it seems to me like this isn't intended for long-term/production use. I defer to anyone who has a stronger background in this area, though!

Suggestions

From what I can tell, the README's installation instructions do not work.

1. Can we remove cosign's go.mod's replace directive? (Is this just used by a consumer? If so, can the consuming module add the replace directive in their own go.mod?)
2. If not, can we remove this instruction from the README, perhaps replaced by something else?

[dlorenc]

• Can we remove cosign's go.mod's replace directive? (Is this just used by a consumer? If so, can the consuming module add the replace directive in their own go.mod?)
• If not, can we remove this instruction from the README, perhaps replaced by something else?

Ugh, we should definitely remove it if we can't get it working...

[luhring]

Agreed. Do we understand why we need the replace directive? The go install ... method is a really nice convenience, so if there's any way to save it, I'd be super happy... 😄

[dekkagaijin]

We also have double require directives again, so we've lost compatibility with Go 1.16. We should add 1.16 builds to our presubmit as a sanity test as long as it remains a supported version

[dlorenc]

We also have double require directives again, so we've lost compatibility with Go 1.16. We should add 1.16 builds to our presubmit as a sanity test as long as it remains a supported version

Are you sure about this? We have go1.16 as the declared version here: https://github.com/sigstore/cosign/blob/main/go.mod#L3

My understanding is that would force go to be compatible.

[dekkagaijin]

Are you sure about this?

We had issues in the past where 1.16's Go mod errored when it encountered multiple requires. Not sure how it got split out again, but my local 1.17.1 go mod does respect the version declaration. See #689

[luhring]

Just ran this:

docker run --rm golang:1.16-alpine go install github.com/sigstore/cosign/cmd/cosign@739947de3d0197fbaab926bd9b896963ebf47a19

And it works. This creates a clean environment that uses Go 1.16 to install Cosign at the commit that had two require directives, but no replace directives.

[ShubhamPalriwala]

Still facing the same issue. Even after #716 is merged

[luhring]

Hi @ShubhamPalriwala — yeah, I neglected to mention something noteworthy... in order to completely fix the issue, we'd need an actual release of Cosign to follow-up this PR.

go install ... uses version references: ...@revision.

These commands should now be fixed:

• go install github.com/sigstore/cosign/cmd/cosign@main
• go install github.com/sigstore/cosign/cmd/cosign@ae960b97774baf1e3449588af9c1b9794bb7a9d3

But latest refers to the most recent tag, which is still v1.2.0. The go.mod in v1.2.0 still has the replace directive. So until latest points to a tag that includes the fix, this command will still be broken:

• go install github.com/sigstore/cosign/cmd/cosign@latest

@dlorenc Would it be possible to publish another release sometime soon? Even if just a patch release

[dlorenc]

Yeah, we should cut a 1.2.1 this week.