swaggo / http-swagger

Default net/http wrapper to automatically generate RESTful API documentation with Swagger 2.0.
MIT License

github.com/go-openapi/spec@v0.20.5 checksum broken #73

Open jonathanwin opened 2 years ago

jonathanwin commented 2 years ago

Hi,

It looks like the v0.20.5 tag of github.com/go-openapi/spec was rewritten when v0.20.6 was released, causing "go get github.com/swaggo/http-swagger" to fail for all versions since v1.2.7 inclusive:

https://github.com/go-openapi/spec/issues/156

$ go get github.com/swaggo/http-swagger
go: github.com/swaggo/http-swagger@v1.3.0 requires
        github.com/go-openapi/spec@v0.20.5: verifying go.mod: checksum mismatch
        downloaded: h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA=
        sum.golang.org: h1:QbfOSIVt3/sac+a1wzmKbbcLXm5NdZnyBZYtCijp43o=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Unless the go-openapi/spec@v0.20.5 tag can be fixed rapidly, maybe this warrants a v1.3.1 release that upgrades to go-openapi/spec@v0.20.6?

ubogdan commented 2 years ago

I can't reproduce the issue. I think we are fine with the dependency upgrade.

ubogdan commented 2 years ago

@jonathanwin v1.3.1 released. Please confirm everything is fine now.

jonathanwin commented 2 years ago

Thanks a lot! v1.3.1 works fine :-)

Turns out proxy.golang.org has the "original" v0.20.5 that corresponds to the checksum at sum.golang.org, so the issue only shows when GOPROXY=direct (or when proxy.golang.org is unreachable), while still using sum.golang.org.

\o/
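
An added example, not part of the thread or of either project's code: how the `h1:` value in the "verifying go.mod: checksum mismatch" error is derived, and why a rewritten tag fails against the hash recorded earlier. It follows the Hash1 scheme from golang.org/x/mod/sumdb/dirhash; the module path `example.com/spec` and both go.mod bodies are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// goModH1 computes the "h1:" hash Go records for a module's go.mod:
// SHA-256 over the one-line manifest "<hex sha256 of file>  go.mod\n".
func goModH1(goMod []byte) string {
	fileSum := sha256.Sum256(goMod)
	manifest := fmt.Sprintf("%x  go.mod\n", fileSum)
	sum := sha256.Sum256([]byte(manifest))
	return "h1:" + base64.StdEncoding.EncodeToString(sum[:])
}

// verifyGoMod finds "<module> <version>/go.mod <hash>" in go.sum-style text
// and reports whether the downloaded go.mod matches the recorded hash.
func verifyGoMod(goSum, module, version string, downloaded []byte) (bool, error) {
	want := ""
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == module && f[1] == version+"/go.mod" {
			want = f[2]
		}
	}
	if want == "" {
		return false, fmt.Errorf("no go.mod entry for %s@%s", module, version)
	}
	return goModH1(downloaded) == want, nil
}

// Constructed sample data (assumption: not the real go-openapi/spec files).
var originalGoMod = []byte("module example.com/spec\n\ngo 1.13\n")
var rewrittenGoMod = []byte("module example.com/spec\n\ngo 1.17\n")

// recordedSum is the line as first recorded, before the tag was moved.
func recordedSum() string {
	return "example.com/spec v0.20.5/go.mod " + goModH1(originalGoMod) + "\n"
}

func main() {
	for _, body := range [][]byte{originalGoMod, rewrittenGoMod} {
		ok, err := verifyGoMod(recordedSum(), "example.com/spec", "v0.20.5", body)
		fmt.Println(goModH1(body), "matches recorded hash:", ok, err)
	}
}
```

The first copy stands in for what a caching proxy still serves, the second for what the origin returns after the tag was rewritten; only the second fails verification.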