cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit

Home Page:https://cfssl.org/


checksum mismatch

drew-richardson opened this issue

I'm running into an issue with version v1.6.2. It works locally, but when someone else builds they get this error:

verifying github.com/cloudflare/cfssl@v1.6.2: checksum mismatch
	downloaded: h1:3T2oQHypP81rykPfkTxOCyJkRU3xQz5SySVahMpN5LE=
	go.sum:     h1:V7EcbVzttAkK3J7PmAxjf7wD7UpMtWSCI+Wl+mu87mw=

When I compare the code in pkg/mod, I see these differences

diff -ru a/.gitignore b/.gitignore
--- a/.gitignore	2022-08-30 10:47:39.000000000 -0700
+++ b/.gitignore	2022-08-30 10:48:55.000000000 -0700
@@ -5,4 +5,4 @@
 *.deb
 *.rpm
 test
-
+.DS_Store
diff -ru a/.goreleaser.yml b/.goreleaser.yml
--- a/.goreleaser.yml	2022-08-30 10:47:39.000000000 -0700
+++ b/.goreleaser.yml	2022-08-30 10:48:55.000000000 -0700
@@ -295,6 +295,7 @@
       - -s -w -X github.com/cloudflare/cfssl/cli/version.version={{.Version}}
 archives:
   - format: binary
+    allow_different_binary_count: true # https://github.com/goreleaser/goreleaser/pull/1841
 release:
   github:
     owner: cloudflare
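Review bot: the comment on the added `allow_different_binary_count: true` line under `archives:` is only a link to a goreleaser pull request. State in the comment itself why this archive needs the option, so the setting can be re-evaluated later without following the URL.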
diff -ru a/Makefile b/Makefile
--- a/Makefile	2022-08-30 10:47:39.000000000 -0700
+++ b/Makefile	2022-08-30 10:48:55.000000000 -0700
@@ -57,7 +57,13 @@
 .PHONY: github-release
 github-release:
 	@:$(call check_defined, GITHUB_TOKEN)
-	docker run -e GITHUB_TOKEN=$(GITHUB_TOKEN) --rm  -v $(PWD):/workdir -w /workdir cbroglie/goreleaser-cgo:1.12.12-musl goreleaser --rm-dist
+
+	docker run --rm --privileged \
+	 -e GITHUB_TOKEN=$(GITHUB_TOKEN) \
+    -v $(PWD):/cross \
+    -v /var/run/docker.sock:/var/run/docker.sock \
+    -w /cross \
+    ghcr.io/gythialy/golang-cross:v1.18 --rm-dist
 
 .PHONY: docker-build
 docker-build:
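Review bot: the new `docker run` in `github-release` starts the container with `--privileged` and mounts `/var/run/docker.sock` while also passing `GITHUB_TOKEN`, so whatever ships in `ghcr.io/gythialy/golang-cross:v1.18` gets control of the host Docker daemon together with the release token. The image is referenced by tag only; pin it by digest, and drop `--privileged` or the socket mount if the release does not need them. The continuation lines also mix a tab-plus-space indent with four spaces; make them consistent.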

A new tag might fix this issue (ex, v1.6.3).

I am experiencing a similar error with the hashes swapped:

verifying github.com/cloudflare/cfssl@v1.6.2: checksum mismatch
        downloaded: h1:V7EcbVzttAkK3J7PmAxjf7wD7UpMtWSCI+Wl+mu87mw=
        go.sum:     h1:3T2oQHypP81rykPfkTxOCyJkRU3xQz5SySVahMpN5LE=

Sorry about that, I think the commit hash got changed while merging - v1.6.3 should fix!

@nickysemenza what do you mean by "I think the commit hash got changed while merging"?

If I understand correctly, I think the checksum mismatch message would mean that the v1.6.2 tag was changed/moved (or there is something nefarious going on but since multiple people are seeing this with the same hashes I doubt that).

How does v1.6.3 fix the issue of an existing tag changing?

Yes, the v1.6.2 tag was moved. The diff from the first comment shows that; it was just a one-commit difference, see bba3a20 - update release make target to use go 1.18.

Well, v1.6.3 does not fix the v1.6.2 tag issue directly, of course. But consumers of this package can bump to the new version of cfssl and stop hitting the checksum issue.
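
Why a moved tag surfaces as a checksum mismatch, as an added example that is not part of the original thread or of cfssl: the `h1:` value in go.sum is a hash over every file in the module tree, so a one-line change under the same version yields a different value. The code follows the Hash1 scheme from golang.org/x/mod/sumdb/dirhash; `moduleHash`, `sampleTrees`, the module path `example.com/mod` and the file contents are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// moduleHash computes a Go-style "h1:" directory hash over an in-memory tree:
// SHA-256 each file, write "<hex>  <module@version/path>\n" in sorted name
// order, then SHA-256 that summary and base64-encode the digest.
func moduleHash(prefix string, files map[string]string) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, prefix+"/"+name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		content := files[name[len(prefix)+1:]]
		fmt.Fprintf(summary, "%x  %s\n", sha256.Sum256([]byte(content)), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// sampleTrees returns two constructed trees for the same module@version that
// differ only in the last line of .gitignore, like the first hunk in the thread.
func sampleTrees() (before, after map[string]string) {
	before = map[string]string{
		".gitignore": "*.deb\n*.rpm\ntest\n\n",
		"Makefile":   "all:\n\tgo build ./...\n",
	}
	after = map[string]string{
		".gitignore": "*.deb\n*.rpm\ntest\n.DS_Store\n",
		"Makefile":   before["Makefile"],
	}
	return before, after
}

func main() {
	const prefix = "example.com/mod@v1.0.0" // constructed module path and version
	before, after := sampleTrees()
	fmt.Println("tag at original commit:", moduleHash(prefix, before))
	fmt.Println("tag after it was moved:", moduleHash(prefix, after))
}
```

Whichever copy a consumer recorded in go.sum first, the other copy fails verification, which matches the swapped hashes reported in the thread.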