asticode / go-astiamqp

Wrapper on top of amqp to provide proper configuration and error handling
MIT License

Newest version @v1.0.1 checksum mismatch error #1

Closed TheNerdyHamster closed 4 years ago

TheNerdyHamster commented 4 years ago

With the newest version (v1.0.1) of astiamqp you are getting a SECURITY ERROR (checksum mismatch), when you are trying to download the package.

Error:

verifying github.com/asticode/go-astiamqp@v1.0.1/go.mod: checksum mismatch
        downloaded: h1:P6ykqiZTrhziRnZP+sfCSTQvvQIJCzSM6Jiv7IH8XpQ=
        sum.golang.org: h1:Xe27K2GHnsEoIgAtHi+udd7xXV5YSQG4nE3ggZoyU/4=

SECURITY ERROR

asticode commented 4 years ago

Which command are you running and in which folder?

TheNerdyHamster commented 4 years ago

I am trying to install:

Getting the same error on every package when I download the latest version. But if I install an older version it works fine.

asticode commented 4 years ago

I've created new releases for astiamqp, astitools, astilectron, astilectron-bootstrap and astilectron-bundler. Should be all good now.

Can you confirm ?

TheNerdyHamster commented 4 years ago

It seems to fail on go-astilectron-bootstrap v0.1.1 now.

go: extracting github.com/asticode/go-astilectron-bootstrap v0.1.1
verifying github.com/asticode/go-astiamqp@v1.0.1/go.mod: checksum mismatch
        downloaded: h1:P6ykqiZTrhziRnZP+sfCSTQvvQIJCzSM6Jiv7IH8XpQ=
        sum.golang.org: h1:Xe27K2GHnsEoIgAtHi+udd7xXV5YSQG4nE3ggZoyU/4=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

asticode commented 4 years ago

Damn, I can't reproduce the error locally.

Can you run go clean --modcache and try again?

If that still doesn't succeed, can you tell me which exact command you are running? And can you paste all the output?

TheNerdyHamster commented 4 years ago

Ran clean --modcache. Then I ran go get github.com/asticode/go-astilectron. Output:

verifying github.com/asticode/go-astiamqp@v1.0.1/go.mod: checksum mismatch
        downloaded: h1:P6ykqiZTrhziRnZP+sfCSTQvvQIJCzSM6Jiv7IH8XpQ=
        sum.golang.org: h1:Xe27K2GHnsEoIgAtHi+udd7xXV5YSQG4nE3ggZoyU/4=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Go version: go version go1.13.5 windows/amd64

asticode commented 4 years ago

Can you try one more thing : run go clean --modcache and then GOPROXY=direct go get github.com/asticode/go-astilectron ?

TheNerdyHamster commented 4 years ago

$ GOPROXY=direct go get github.com/asticode/go-astilectron
verifying github.com/asticode/go-astiamqp@v1.0.1/go.mod: checksum mismatch
        downloaded: h1:P6ykqiZTrhziRnZP+sfCSTQvvQIJCzSM6Jiv7IH8XpQ=
        sum.golang.org: h1:Xe27K2GHnsEoIgAtHi+udd7xXV5YSQG4nE3ggZoyU/4=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Ran both commands but nothing changed. It's really weird.

asticode commented 4 years ago

What is weird is that:

So what the message is saying is that it downloaded v1.1.0 (which is good) but verifies against v1.0.1 (which is bad 😱)

What is weirder is that I can't reproduce locally 😢 There must be a mix up in GO modules in your environment... Can you try cleaning modules cache (go clean --modcache) and getting the demo (GOPROXY=direct go get github.com/asticode/go-astilectron-demo), and see if that fails ?

TheNerdyHamster commented 4 years ago

go: extracting github.com/asticode/go-astilectron-demo v0.0.0-20191204165856-f4c07322c983
verifying github.com/asticode/go-astiamqp@v1.0.1/go.mod: checksum mismatch
        downloaded: h1:P6ykqiZTrhziRnZP+sfCSTQvvQIJCzSM6Jiv7IH8XpQ=
        sum.golang.org: h1:Xe27K2GHnsEoIgAtHi+udd7xXV5YSQG4nE3ggZoyU/4=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

It's still the same output. I tried to install on another computer and it still says the same thing.

asticode commented 4 years ago

I've tried on a Windows machine, but I still can't reproduce the error. Could you be so kind as to indicate precisely the steps you took when trying to install on the other computer? All the steps are important (including creating folders for instance) and I will need to know your $GOPATH (you can replace your username by xxx if you wish) as well as the absolute paths you're using so that I know whether you're working in your $GOPATH or not.

For instance, here are the steps I took on Windows:

($GOPATH = C:\Users\xxx\go)

$ cd $GOPATH
$ mkdir test
$ cd test
$ go mod init
$ go get github.com/asticode/go-astilectron

Output is

go: finding github.com/asticode/go-astilectron v0.9.2
go: downloading github.com/asticode/go-astilectron v0.9.2
go: extracting github.com/asticode/go-astilectron v0.9.2
go: downloading github.com/asticode/go-astitools v1.2.2
go: downloading github.com/pkg/errors v0.8.1
go: downloading github.com/asticode/go-astilog v1.2.0
go: extracting github.com/pkg/errors v0.8.1
go: extracting github.com/asticode/go-astilog v1.2.0
go: extracting github.com/asticode/go-astitools v1.2.2
go: downloading golang.org/x/crypto v0.0.0-20191205161847-0a08dada0ff9
go: downloading github.com/sirupsen/logrus v1.4.2
go: extracting github.com/sirupsen/logrus v1.4.2
go: extracting golang.org/x/crypto v0.0.0-20191205161847-0a08dada0ff9
go: downloading github.com/konsorten/go-windows-terminal-sequences v1.0.2
go: downloading github.com/mattn/go-colorable v0.1.4
go: extracting github.com/konsorten/go-windows-terminal-sequences v1.0.2
go: downloading golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e
go: downloading github.com/julienschmidt/httprouter v1.3.0
go: extracting github.com/mattn/go-colorable v0.1.4
go: extracting github.com/julienschmidt/httprouter v1.3.0
go: downloading golang.org/x/net v0.0.0-20191204025024-5ee1b9f4859a
go: downloading github.com/mattn/go-isatty v0.0.10
go: extracting github.com/mattn/go-isatty v0.0.10
go: extracting golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e
go: extracting golang.org/x/net v0.0.0-20191204025024-5ee1b9f4859a
go: finding github.com/asticode/go-astitools v1.2.2
go: finding github.com/asticode/go-astilog v1.2.0
go: finding github.com/pkg/errors v0.8.1
go: finding github.com/julienschmidt/httprouter v1.3.0
go: finding github.com/mattn/go-colorable v0.1.4
go: finding golang.org/x/crypto v0.0.0-20191205161847-0a08dada0ff9
go: finding golang.org/x/net v0.0.0-20191204025024-5ee1b9f4859a
go: finding github.com/mattn/go-isatty v0.0.10
go: finding github.com/sirupsen/logrus v1.4.2
go: finding golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e
go: finding github.com/konsorten/go-windows-terminal-sequences v1.0.2

TheNerdyHamster commented 4 years ago

It seems to be working now for some reason, after I did your steps.

asticode commented 4 years ago

mmmm ok, was there any difference between your steps and mine ?

TheNerdyHamster commented 4 years ago

The one I did before?

asticode commented 4 years ago

Yes, the one you did when you first tried on another computer

frioux commented 4 years ago

@asticode this happens to us at work. The implication is usually that the tag was force-pushed to and modified, such that the git repo and the mod proxy disagree. If you have disabled the mod proxy or are using an older version of git that didn't enable it, you wouldn't see this error.
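The check behind the error in this thread, as an added example (not code from any participant or from the go command): it parses a mismatch report and recomputes the `h1:` value of a `go.mod`, so the file at a tag can be compared with both recorded hashes. The hash recipe follows `dirhash.Hash1` applied to a single file named `go.mod`; the `example.com` module contents and the `Classify` helper are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
)

// Mismatch holds the fields of a go.mod "checksum mismatch" report.
type Mismatch struct{ Module, Version, Downloaded, SumDB string }

var mismatchRE = regexp.MustCompile(
	`verifying (\S+)@(\S+)/go\.mod: checksum mismatch\s+downloaded: (h1:\S+)\s+sum\.golang\.org: (h1:\S+)`)

// ParseMismatch extracts module, version and both hashes from go command output.
func ParseMismatch(out string) (Mismatch, bool) {
	m := mismatchRE.FindStringSubmatch(out)
	if m == nil {
		return Mismatch{}, false
	}
	return Mismatch{m[1], m[2], m[3], m[4]}, true
}

// GoModH1 computes the "h1:" hash of a go.mod file: SHA-256 over the one-line
// manifest "<hex sha256 of file>  go.mod\n", then base64.
func GoModH1(goMod []byte) string {
	manifest := fmt.Sprintf("%x  go.mod\n", sha256.Sum256(goMod))
	sum := sha256.Sum256([]byte(manifest))
	return "h1:" + base64.StdEncoding.EncodeToString(sum[:])
}

// Classify (hypothetical helper) reports which recorded hash a candidate go.mod matches.
func Classify(goMod []byte, r Mismatch) string {
	switch GoModH1(goMod) {
	case r.SumDB:
		return "matches sum.golang.org"
	case r.Downloaded:
		return "matches downloaded copy"
	}
	return "matches neither"
}

func main() {
	// Constructed go.mod contents: the same tag before and after being moved.
	before := []byte("module example.com/demo\n")
	after := []byte("module example.com/demo\n\nrequire example.com/dep v1.0.0\n")
	r := Mismatch{"example.com/demo", "v1.0.1", GoModH1(after), GoModH1(before)}
	fmt.Println(Classify(before, r), "|", Classify(after, r))
}
```

Running `Classify` on the `go.mod` from a fresh clone at the tag shows whether the origin still serves the content the checksum database first recorded for that version.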

asticode commented 4 years ago

@frioux thanks for your feedback. I'm using go.1.13.5 with GOPROXY set to default (which is https://proxy.golang.org,direct) therefore if you're right shouldn't I also experience the error? Also, adding GOPROXY=direct should have solved the problem for @Lilahamstern, shouldn't it? That's why I think there's more to it.

I've created an issue for a different proxy problem on GO's repository that allowed identifying a race condition in the proxy, maybe that was linked.