dapr / go-sdk

Dapr SDK for go
Apache License 2.0

Dapr 1.9.1 Checksum mismatch #474

Open coreywagehoft opened 10 months ago

coreywagehoft commented 10 months ago

Describe the bug

When building a Docker container with Go we have a step which calls go mod download. We are getting the following error:

#11 [builder 6/9] RUN go mod download
#11 7.066 verifying github.com/dapr/go-sdk@v1.9.1: checksum mismatch
#11 7.066   downloaded: h1:f5gV8HtGz6iBJSsh6eI+/Ews4sGC3W9gX0/oD9ANVqM=
#11 7.066   go.sum:     h1:SwfLYwqFwBNn1B8pCzGGG49utjV3oMQLZOlOkmf63T8=
#11 7.066 
#11 7.066 SECURITY ERROR
#11 7.066 This download does NOT match an earlier download recorded in go.sum.
#11 7.066 The bits may have been replaced on the origin server, or an attacker may
#11 7.066 have intercepted the download attempt.
#11 7.066 
#11 7.066 For more information, see 'go help module-auth'.
#11 ERROR: process "/bin/sh -c go mod download" did not complete successfully: exit code: 1

To Reproduce

Expected behavior

mikeee commented 9 months ago

How did you upgrade the reference? I can't reproduce it

jerbob92 commented 6 months ago

I have no idea how this keeps happening with Dapr go-sdk; this is the only project where I keep having this issue. The reason this happens is that the hash of the repository is different from what is known in the Go sum DB. To validate this:

Note that the hash of the go.mod from the repo and Go sum DB match up (h1:bK9bNEsC6hY3RMKh69r0nBjLqb6njeWTEGVMOgP9g20=) but that the repo hash doesn't match up: h1:f5gV8HtGz6iBJSsh6eI+/Ews4sGC3W9gX0/oD9ANVqM= vs h1:WTzL+kH5evyGL6LUZvNIRK8U+CfDFl9btTgv8DFpjI8=.
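The h1: values that go compares here are dirhash "Hash1" checksums: one over the whole module zip and a separate one over go.mod alone, which is why the two can disagree independently. The following Go program is an example added to this page (it is neither go-sdk code nor code from this thread); it implements that algorithm over an in-memory file set and reproduces the mismatch decision shown in the build log above. The module name, file contents and go.sum lines used with it are constructed for illustration.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Hash1 is the dirhash "h1:" algorithm used by go.sum and the checksum DB:
// sort the archive paths, append "<sha256 hex>  <path>\n" per file to a
// summary, then SHA-256 the summary and base64-encode it.
func Hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, n := range names {
		fh := sha256.Sum256(files[n])
		fmt.Fprintf(summary, "%x  %s\n", fh[:], n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// Verify reproduces go's decision for one module: the downloaded zip's Hash1
// must equal the "<module> <version> h1:..." line recorded earlier in go.sum.
func Verify(goSum, module, version string, zipFiles map[string][]byte) error {
	got := Hash1(zipFiles)
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || f[0] != module || f[1] != version {
			continue // "<version>/go.mod" lines hash go.mod alone; not checked here
		}
		if f[2] != got {
			return fmt.Errorf("verifying %s@%s: checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s", module, version, got, f[2])
		}
		return nil
	}
	return fmt.Errorf("%s@%s: no go.sum entry", module, version)
}
```

Because the zip hash covers every file under module@version/, a tag that is moved after the proxy and sumdb have cached the original content produces exactly the "downloaded vs go.sum" disagreement seen above even when go.mod itself is unchanged.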

jerbob92 commented 6 months ago

Something else that I just noticed. When I do: go get github.com/dapr/go-sdk@2a85a7bb6a1447929720d7df779bff7f0ed41c24 (which is one commit after v1.9.1, 29bf88b1b089e2c99b27b2d0f8d460a936f749fe)

And then do go mod vendor, I don't only get the difference between the two commits (git diff 29bf88b1b089e2c99b27b2d0f8d460a936f749fe...2a85a7bb6a1447929720d7df779bff7f0ed41c24):

diff --git a/client/client.go b/client/client.go
index a40a36f..7a82fe9 100644
--- a/client/client.go
+++ b/client/client.go
@@ -283,7 +283,7 @@ func NewClientWithAddressContext(ctx context.Context, address string, opts ...Cl
        }

        if cOpts.useTLS || strings.Contains(address, "https://") {
-               option = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
+               option = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{MinVersion: tls.VersionTLS12}))
        } else {
                option = grpc.WithTransportCredentials(insecure.NewCredentials())
        }
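
Review bot: the TLS 1.2 floor in `tls.Config{MinVersion: tls.VersionTLS12}` is the right change, but the condition that selects it, `cOpts.useTLS || strings.Contains(address, "https://")`, matches the scheme anywhere in the address rather than at its start; `strings.HasPrefix` states the intent more precisely. Since TLS 1.0 and 1.1 handshakes are rejected after this change, a line in the changelog or the option's doc comment saying so would save users of older proxies a confusing dial error.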

But I actually get the following change in my vendor folder:

diff --git a/vendor/github.com/dapr/go-sdk/client/client.go b/vendor/github.com/dapr/go-sdk/client/client.go
index ad5ac0da..7a82fe92 100644
--- a/vendor/github.com/dapr/go-sdk/client/client.go
+++ b/vendor/github.com/dapr/go-sdk/client/client.go
@@ -283,7 +283,7 @@ func NewClientWithAddressContext(ctx context.Context, address string, opts ...Cl
        }

        if cOpts.useTLS || strings.Contains(address, "https://") {
-               option = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
+               option = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{MinVersion: tls.VersionTLS12}))
        } else {
                option = grpc.WithTransportCredentials(insecure.NewCredentials())
        }
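
Review bot: this hunk is identical to the upstream one, but the file header's pre-image blob is not (`index ad5ac0da..7a82fe92` in the vendor tree versus `index a40a36f..7a82fe9` upstream), which is the clearest evidence in the thread that the v1.9.1 content served to go differs from the v1.9.1 tag in git; worth recording in the fix commit so the cause of the checksum mismatch is documented.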
@@ -294,6 +294,7 @@ func NewClientWithAddressContext(ctx context.Context, address string, opts ...Cl
                address,
                option,
                grpc.WithUserAgent(userAgent()),
+               grpc.WithBlock(),
        )
        cancel()
        if err != nil {
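
Review bot: adding `grpc.WithBlock()` turns `NewClientWithAddressContext` from a lazy dial into one that blocks until the connection is established or the context expires, so the `cancel()` and `err` handling just below now also cover connect failures; the function's doc comment should say that the caller's context deadline bounds the connect time. That this hunk appears only when vendoring commit 2a85a7b and not v1.9.1 from the proxy, although its PR (#471) is on the tag in git, is consistent with the tag having been moved after the proxy cached it.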

The extra change comes from https://github.com/dapr/go-sdk/pull/471 (commit 5eecffa4fa3df1825d5149471edd83e4aa89e7ba), which should be part of v1.9.1, and it is on Git, but not in the Go package. So this is another indication there is some difference between what's on Git and what is known to the Go registries.

mikeee commented 6 months ago

It does look like the tag has been modified. I appreciate it's frustrating. There is a release coming up soon that should not face the same issue. I'll keep this issue apprised of the latest as well as investigate how we can ensure this doesn't happen going forwards.

jerbob92 commented 6 months ago

Thank you @mikeee! Will keep an eye out; for now I have set the dependency to go get github.com/dapr/go-sdk@2a85a7bb6a1447929720d7df779bff7f0ed41c24 to get around this issue.