uber-go / dig

A reflection based dependency injection toolkit for Go.
https://go.uber.org/dig
MIT License

verifying go.uber.org/dig@v1.16.0: checksum mismatch #370

Closed Meroje closed 1 year ago

Meroje commented 1 year ago

Describe the bug The current v1.16.0 version cannot be downloaded directly or from another proxy than proxy.golang.org while also verifying the sum.

edit: the info file says it got this commit https://github.com/uber-go/dig/commit/7e2722294255db2818d377360e864bb6534e7812

To Reproduce

$ cd $(mktemp -d)
$ go mod init digsum
go: creating new go.mod: module digsum
$ GOPROXY=direct GOMODCACHE="$PWD/cache" go get -d go.uber.org/dig@v1.16.0
go: downloading go.uber.org/dig v1.16.0
go: go.uber.org/dig@v1.16.0: verifying module: checksum mismatch
    downloaded: h1:UvbC1KUaQKx6MQTALcKanqRuPQRX7Tnt1iIYZHH2shk=
    sum.golang.org: h1:O48QoUEj4ePocypAIE5jz+SrxVdG/izHM1CZ/Yjrwww=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Expected behavior It should work, regardless of the GOPROXY value.

Additional context I guess the tag has been moved after publication but not before it was cached by the proxy ?
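The "checksum mismatch" error above compares two `h1:` hashes: one computed over the module zip that was actually downloaded, one recorded by sum.golang.org when it first saw `v1.16.0`. If the tag was moved after the checksum database had cached the original commit, the two trees differ and every client that verifies sums will reject the download, whichever proxy served it. The following added example (not part of the dig project or this issue) reproduces that check offline: it implements the `h1:` directory hash in the same way as `golang.org/x/mod/sumdb/dirhash.Hash1` (sorted `"<sha256 hex>  <path>\n"` lines, SHA-256 of that summary, base64, `h1:` prefix) over two constructed file trees standing in for the originally tagged and the re-tagged module, and shows the comparison the `go` command performs. File names and contents are constructed; they are not the real contents of dig.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 computes the "h1:" hash that appears in go.sum and in the checksum
// database. It follows the construction used by dirhash.Hash1: for every file,
// sorted by path, emit "<sha256 hex of content>  <path>\n"; hash the
// concatenated summary with SHA-256; base64-encode it; prefix with "h1:".
func hash1(files map[string][]byte) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)

	var summary strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(files[p])
		fmt.Fprintf(&summary, "%x  %s\n", sum[:], p)
	}
	digest := sha256.Sum256([]byte(summary.String()))
	return "h1:" + base64.StdEncoding.EncodeToString(digest[:])
}

// verify mirrors the go command's module authentication step: the hash of the
// bytes that were downloaded must equal the hash the checksum database recorded
// for that module version, regardless of which proxy served the download.
func verify(downloaded map[string][]byte, sumdbHash string) error {
	got := hash1(downloaded)
	if got != sumdbHash {
		return fmt.Errorf("verifying module: checksum mismatch\n\tdownloaded: %s\n\tsum.golang.org: %s", got, sumdbHash)
	}
	return nil
}

// Constructed stand-in for the tree sum.golang.org saw when it first cached
// the version (hypothetical module path and contents, not dig's real files).
var releaseFiles = map[string][]byte{
	"example.com/mod@v1.16.0/go.mod":       []byte("module example.com/mod\n\ngo 1.18\n"),
	"example.com/mod@v1.16.0/mod.go":       []byte("package mod\n\nfunc Version() string { return \"1.16.0\" }\n"),
	"example.com/mod@v1.16.0/CHANGELOG.md": []byte("## 1.16.0\n- Add feature.\n"),
}

// Constructed stand-in for the tree behind the tag after it was moved: one
// file differs, so the whole-tree hash differs.
var retaggedFiles = map[string][]byte{
	"example.com/mod@v1.16.0/go.mod":       releaseFiles["example.com/mod@v1.16.0/go.mod"],
	"example.com/mod@v1.16.0/mod.go":       releaseFiles["example.com/mod@v1.16.0/mod.go"],
	"example.com/mod@v1.16.0/CHANGELOG.md": []byte("## 1.16.0\n- Add feature.\n- Fix typo in changelog.\n"),
}

func main() {
	// The checksum database records the hash of whatever it fetched first.
	recorded := hash1(releaseFiles)
	fmt.Println("sum.golang.org recorded:", recorded)

	// A client downloading the same bytes (e.g. via a proxy that cached the
	// original) passes verification.
	fmt.Println("original tree:", verify(releaseFiles, recorded))

	// A client fetching the moved tag directly from origin gets different
	// bytes and is refused with the error shown in the issue.
	fmt.Println("re-tagged tree:", verify(retaggedFiles, recorded))
}
```

Two properties follow from the construction and explain the thread: any change to any file under the tag changes the `h1:` hash, and the checksum database never updates a hash once recorded, so a moved tag cannot be repaired in place. The only clean fix is the one taken here, publishing a new version and retracting the bad one.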

Meroje commented 1 year ago

I guess you'll have to publish a new version anyway because of the l6 typo ? https://github.com/uber-go/dig/blob/cdbd7eb028bf80d536d4768330d7b471e03a078c/CHANGELOG.md#L18

un000 commented 1 year ago

INFO[9:17AM]: go.uber.org/dig@v1.16.0: verifying module: checksum mismatch
    downloaded: h1:UvbC1KUaQKx6MQTALcKanqRuPQRX7Tnt1iIYZHH2shk=
    sum.golang.org: h1:O48QoUEj4ePocypAIE5jz+SrxVdG/izHM1CZ/Yjrwww=

Meroje commented 1 year ago

As v1.16.1 was released this can be closed because moving forward dig is installable again (even though v1.16.0 will remain "broken")

kaptinlin commented 1 year ago

go: downloading go.uber.org/dig v1.16.0
go.uber.org/fx imports
    go.uber.org/dig: go.uber.org/dig@v1.16.0: verifying module: checksum mismatch
    downloaded: h1:UvbC1KUaQKx6MQTALcKanqRuPQRX7Tnt1iIYZHH2shk=
    sum.golang.org: h1:O48QoUEj4ePocypAIE5jz+SrxVdG/izHM1CZ/Yjrwww=

abhinav commented 1 year ago

Seeing as the issue has been fixed in 1.16.1, perhaps we can retract 1.16.0.

@sywhang @r-hang what do you think about retracting the bad release to prevent this issue? https://go.dev/ref/mod#go-mod-file-retract