When a different GOPROXY is used to download dependencies, the dependency hash check fails.

Reproducing and confirming the problem

# Create a new test project
mkdir test
cd test
go mod init github.com/k8scat/test

# Check the current GOPROXY
go env GOPROXY # https://proxy.golang.org,direct (this is the default GOPROXY)

# Download the dependency github.com/zoom-lib-golang/zoom-lib-golang
go get github.com/zoom-lib-golang/zoom-lib-golang

# View go.sum at this point
cat go.sum
# github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1: E3ru hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ k8xsbh + + 11 =
# github.com/google/go-querystring v1.0.0 h1: Xkwi a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk =
# github.com/google/go-querystring v1.0.0/go.mod h1: odCYkC5MyYFN7vkCjXpyrEuKhc BUO6wN/zVPAxq5ck =
# github.com/zoom-lib-golang/zoom-lib-golang v1.0.1 h1:91 bm5kretklzcjc7iaeejb935iartvor/WWCCa5SkIU =
# github.com/zoom-lib-golang/zoom-lib-golang v1.0.1/go.mod h1:t3p44iNBETLiJzk0HTH42PumtcP3AHi+Pd/ZY0SPpng=
# gopkg.in/dgrijalva/jwt-go.v3 v3.2.0 h1:N46iQqOtHry7Hxzb9PGrP68oovQmj7EhudNoKHvbOvI=
# gopkg.in/dgrijalva/jwt-go.v3 v3.2.0/go.mod h1:hdNXC2Z9yC029rvsQ/on2ZNQ44Z2XToVhpXXbR+J05A=

# Clean the module cache before downloading the above dependencies through another GOPROXY
go clean -modcache

# Set another GOPROXY
export GOPROXY=https://goproxy.io,direct

# Re-download the dependencies above
go get github.com/zoom-lib-golang/zoom-lib-golang
# error:
# verifying github.com/zoom-lib-golang/zoom-lib-golang@v1.0.1/go.mod: checksum mismatch
# downloaded: h1:Rg7IxW7rZUoP/T0YnpDtiypESDnadbv0YvxP0Gjdi6U=
# go.sum: h1:t3p44iNBETLiJzk0HTH42PumtcP3AHi+Pd/ZY0SPpng=

# SECURITY ERROR
# This download does NOT match an earlier download recorded in go.sum.
# The bits may have been replaced on the origin server, or an attacker may
# have intercepted the download attempt.

# For more information, see 'go help module-auth'.

# Delete go.sum and try again
go clean -modcache
rm -f go.sum

# Download the dependencies above again
go get github.com/zoom-lib-golang/zoom-lib-golang
# error:
# go: github.com/zoom-lib-golang/zoom-lib-golang@v1.0.1: verifying go.mod: checksum mismatch
# downloaded: h1:Rg7IxW7rZUoP/T0YnpDtiypESDnadbv0YvxP0Gjdi6U=
# sum.golang.org: h1:t3p44iNBETLiJzk0HTH42PumtcP3AHi+Pd/ZY0SPpng=

# SECURITY ERROR
# This download does NOT match the one reported by the checksum server.
# The bits may have been replaced on the origin server, or an attacker may
# have intercepted the download attempt.

# For more information, see 'go help module-auth'.

The two errors are caused by:

  1. When a go.sum file exists, go get compares the dependency hashes recorded in go.sum with the hashes of the dependencies actually downloaded.

  2. If go.sum does not exist, GOSUMDB (default: sum.golang.org) is used to check the hash of the downloaded dependency. If it does not match, the error from the second attempt above occurs.
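
The comparison behind both errors, as an added example that is not code from the original post: it computes the `h1:` hash Go records for a go.mod file and reports which source serves bytes that do not match a go.sum entry. The module name, source labels and file contents are constructed; in practice the bytes would come from each proxy's `<module>/@v/<version>.mod` endpoint.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// goModH1 returns the "h1:" hash recorded for a go.mod file: SHA-256 over the
// one-line manifest "<hex sha256 of the file>  go.mod\n", base64-encoded.
func goModH1(data []byte) string {
	fileSum := sha256.Sum256(data)
	manifest := fmt.Sprintf("%x  go.mod\n", fileSum[:])
	sum := sha256.Sum256([]byte(manifest))
	return "h1:" + base64.StdEncoding.EncodeToString(sum[:])
}

// recordedSum looks up the go.mod hash for module@version in go.sum text.
func recordedSum(goSum, module, version string) (string, bool) {
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == module && f[1] == version+"/go.mod" {
			return f[2], true
		}
	}
	return "", false
}

// diverging lists the sources whose go.mod bytes do not hash to want.
func diverging(want string, served map[string][]byte) []string {
	var bad []string
	for name, data := range served {
		if goModH1(data) != want {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	// Constructed sample data: two sources serving different go.mod bytes.
	served := map[string][]byte{
		"proxy-a": []byte("module example.com/demo\n\ngo 1.13\n"),
		"proxy-b": []byte("module example.com/demo\n"),
	}
	goSum := "example.com/demo v1.0.0 h1:CONSTRUCTED-ZIP-HASH=\n" +
		"example.com/demo v1.0.0/go.mod " + goModH1(served["proxy-a"]) + "\n"
	want, _ := recordedSum(goSum, "example.com/demo", "v1.0.0")
	fmt.Println("go.sum:", want)
	fmt.Println("diverging sources:", diverging(want, served))
}
```
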

The solution

  1. Turn off GOSUMDB, i.e., export GOSUMDB=off
  2. Set GONOSUMDB, for example: export GONOSUMDB=*.corp.example.com,rsc.io/private

Personal blog

K8scat.com/posts/go/go…