Closed TheNerdyHamster closed 4 years ago
Which command are you running and in which folder?
I am trying to install:
go-astilectron
go-astilectron-bootstrap
go-astilectron-bundler
Getting the same error on every package when I download the latest version. But if I install an older version it works fine.
I've created new releases for astiamqp
, astitools
, astilectron
, astilectron-bootstrap
and astilectron-bundler
. Should be all good now.
Can you confirm ?
Its seems to fail on go-astilectron-bootstrap v0.1.1 now.
go: extracting github.com/asticode/go-astilectron-bootstrap v0.1.1
verifying github.com/asticode/go-astiamqp@v1.0.1/go.mod: checksum mismatch
downloaded: h1:P6ykqiZTrhziRnZP+sfCSTQvvQIJCzSM6Jiv7IH8XpQ=
sum.golang.org: h1:Xe27K2GHnsEoIgAtHi+udd7xXV5YSQG4nE3ggZoyU/4=
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
Damn, I can't reproduce the error locally.
Can you run go clean --modcache
and try again?
If that still doesn't succeed, can you tell me which exact command you are running? And can you paste all the output?
ran clean --modcache
Then I ran go get github.com/asticode/go-astilectron
Output:
verifying github.com/asticode/go-astiamqp@v1.0.1/go.mod: checksum mismatch
downloaded: h1:P6ykqiZTrhziRnZP+sfCSTQvvQIJCzSM6Jiv7IH8XpQ=
sum.golang.org: h1:Xe27K2GHnsEoIgAtHi+udd7xXV5YSQG4nE3ggZoyU/4=
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.
Go version: go version go1.13.5 windows/amd64
Can you try one more thing : run go clean --modcache
and then GOPROXY=direct go get github.com/asticode/go-astilectron
?
$ GOPROXY=direct go get github.com/asticode/go-astilectron
verifying github.com/asticode/go-astiamqp@v1.0.1/go.mod: checksum mismatch
downloaded: h1:P6ykqiZTrhziRnZP+sfCSTQvvQIJCzSM6Jiv7IH8XpQ=
sum.golang.org: h1:Xe27K2GHnsEoIgAtHi+udd7xXV5YSQG4nE3ggZoyU/4=
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.
Ran both commands but nothing changed. It's really weird.
What is weird is that:
Xe27K2GHnsEoIgAtHi+udd7xXV5YSQG4nE3ggZoyU/4=
corresponds to v1.0.1
P6ykqiZTrhziRnZP+sfCSTQvvQIJCzSM6Jiv7IH8XpQ=
corresponds to v1.1.0
So what the message is saying is that it downloaded v1.1.0
(which is good) but verifies against v1.0.1
(which is bad 😱)
What is weirder is that I can't reproduce locally 😢 There must be a mix up in GO modules in your environment... Can you try cleaning modules cache (go clean --modcache
) and getting the demo (GOPROXY=direct go get github.com/asticode/go-astilectron-demo
), and see if that fails ?
go: extracting github.com/asticode/go-astilectron-demo v0.0.0-20191204165856-f4c07322c983
verifying github.com/asticode/go-astiamqp@v1.0.1/go.mod: checksum mismatch
downloaded: h1:P6ykqiZTrhziRnZP+sfCSTQvvQIJCzSM6Jiv7IH8XpQ=
sum.golang.org: h1:Xe27K2GHnsEoIgAtHi+udd7xXV5YSQG4nE3ggZoyU/4=
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.
Its still the same output, tried to install on another computer and still says the same thing.
I've tried on a windows machine, but I still can't reproduce the error. Could you be so kind to indicate precisely the steps you took when trying to install on the other computer? All the steps are important (including creating folders for instance) and I will need to know your $GOPATH
(you can replace your username by xxx
if you wish) as well as the absolute paths your using so that I know whether you're working in your $GOPATH
or not.
For instance, here are the steps I took on Windows:
($GOPATH
= C:\Users\xxx\go
)
$ cd $GOPATH
$ mkdir test
$ cd test
$ go mod init
$ go get github.com/astilectron/go-astilectron
Output is
go: finding github.com/asticode/go-astilectron v0.9.2
go: downloading github.com/asticode/go-astilectron v0.9.2
go: extracting github.com/asticode/go-astilectron v0.9.2
go: downloading github.com/asticode/go-astitools v1.2.2
go: downloading github.com/pkg/errors v0.8.1
go: downloading github.com/asticode/go-astilog v1.2.0
go: extracting github.com/pkg/errors v0.8.1
go: extracting github.com/asticode/go-astilog v1.2.0
go: extracting github.com/asticode/go-astitools v1.2.2
go: downloading golang.org/x/crypto v0.0.0-20191205161847-0a08dada0ff9
go: downloading github.com/sirupsen/logrus v1.4.2
go: extracting github.com/sirupsen/logrus v1.4.2
go: extracting golang.org/x/crypto v0.0.0-20191205161847-0a08dada0ff9
go: downloading github.com/konsorten/go-windows-terminal-sequences v1.0.2
go: downloading github.com/mattn/go-colorable v0.1.4
go: extracting github.com/konsorten/go-windows-terminal-sequences v1.0.2
go: downloading golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e
go: downloading github.com/julienschmidt/httprouter v1.3.0
go: extracting github.com/mattn/go-colorable v0.1.4
go: extracting github.com/julienschmidt/httprouter v1.3.0
go: downloading golang.org/x/net v0.0.0-20191204025024-5ee1b9f4859a
go: downloading github.com/mattn/go-isatty v0.0.10
go: extracting github.com/mattn/go-isatty v0.0.10
go: extracting golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e
go: extracting golang.org/x/net v0.0.0-20191204025024-5ee1b9f4859a
go: finding github.com/asticode/go-astitools v1.2.2
go: finding github.com/asticode/go-astilog v1.2.0
go: finding github.com/pkg/errors v0.8.1
go: finding github.com/julienschmidt/httprouter v1.3.0
go: finding github.com/mattn/go-colorable v0.1.4
go: finding golang.org/x/crypto v0.0.0-20191205161847-0a08dada0ff9
go: finding golang.org/x/net v0.0.0-20191204025024-5ee1b9f4859a
go: finding github.com/mattn/go-isatty v0.0.10
go: finding github.com/sirupsen/logrus v1.4.2
go: finding golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e
go: finding github.com/konsorten/go-windows-terminal-sequences v1.0.2
It seems to be working now for some reason. After I did your steps
mmmm ok, was there any difference between your steps and mine ?
The one I did before?
Yes, the one you did when you first tried on another computer
@asticode this happens to us at work. The implication is usually that the tag was forced pushed to and modified, such that the git repo and the mod proxy disagree. If you have disabled the mod proxy or are using an older version of git that didn't enable it, you wouldn't see this error.
@frioux thanks for your feedback. I'm using go.1.13.5
with GOPROXY
set to default (which is https://proxy.golang.org,direct
) therefore if you're right shouldn't I also experience the error? Also, adding GOPROXY=direct
should have solved the problem for @Lilahamstern, shouldn't it? That's why I think there's more to it.
I've created an issue for a different proxy problem on GO's repository that allowed identifying a race condition in the proxy, maybe that was linked.
With the newest version (v1.0.1) of astiamqp you are getting a SECURITY ERROR (checksum mismatch), when you are trying to download the package.
Error: