search

fido-device-onboard / go-fdo-server

Apache License 2.0
1 stars 3 forks source link

go-sqlite3 checksum mismatch when running ./update-deps.sh #2

Open runcom opened 1 week ago

runcom commented 1 week ago

Nature of the bug

Running ./update-deps.sh on a freshly clone errors out with checksum mismatch when verifying go-sqlite3

Steps taken to find bug

just run ./update-deps.sh the "fix" for me is to remove go.sum and re-run again - only to have a different hash in go.sum though

Steps to ensure bug is gone

no error

Optional: Reproduction

Just run ./update-deps.sh, my system spec are as follow:

➜  go-fdo-server git:(main) ./update-deps.sh 
verifying github.com/ncruces/go-sqlite3@v0.20.0: checksum mismatch
    downloaded: h1:iY9wQUVvfcWVmwFvHcO1CmjzCyssiO3sBu1IOxdUND0=
    go.sum:     h1:/nBLvYxj7sk9S6y57nmMFvoQ/KJtGo0pNi8J80s8oJU=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
verifying github.com/ncruces/go-sqlite3@v0.20.0: checksum mismatch
    downloaded: h1:iY9wQUVvfcWVmwFvHcO1CmjzCyssiO3sBu1IOxdUND0=
    go.sum:     h1:/nBLvYxj7sk9S6y57nmMFvoQ/KJtGo0pNi8J80s8oJU=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
Dependencies updated and go.mod tidied up.
➜  go-fdo-server git:(main) go version
go version go1.23.2 linux/amd64
➜  go-fdo-server git:(main) cat /etc/os-release 
NAME="Fedora Linux"
VERSION="41 (Workstation Edition)"
RELEASE_TYPE=stable
ID=fedora
VERSION_ID=41
VERSION_CODENAME=""
PLATFORM_ID="platform:f41"
PRETTY_NAME="Fedora Linux 41 (Workstation Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:41"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f41/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=41
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=41
SUPPORT_END=2025-05-13
VARIANT="Workstation Edition"
VARIANT_ID=workstation
runcom commented 1 week ago

The same happens when building in the container

[1/2] STEP 1/5: FROM golang:1.23-alpine AS builder
✔ docker.io/library/golang:1.23-alpine
Trying to pull docker.io/library/golang:1.23-alpine...
Getting image source signatures
Copying blob 4f4fb700ef54 done   | 
Copying blob 43c4264eed91 done   | 
Copying blob 4cc291be95ef done   | 
Copying blob 5c3c966382ef done   | 
Copying blob 2ac1f1163629 done   | 
Copying config 5a72c8b953 done   | 
Writing manifest to image destination
[1/2] STEP 2/5: WORKDIR /app
--> c845662c5973
[1/2] STEP 3/5: COPY . .
--> 551d8e0e6636
[1/2] STEP 4/5: RUN go mod download
verifying github.com/ncruces/go-sqlite3@v0.20.0: checksum mismatch
    downloaded: h1:/nBLvYxj7sk9S6y57nmMFvoQ/KJtGo0pNi8J80s8oJU=
    go.sum:     h1:iY9wQUVvfcWVmwFvHcO1CmjzCyssiO3sBu1IOxdUND0=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
Error: building at STEP "RUN go mod download": while running runtime: exit status 1
make: *** [Makefile:24: build] Error 1