go get v2.26.0 checksum mismatch
bygui86 opened this issue · comments
Requirement - what kind of business use case are you trying to solve?
Building a PoC to introduce tracing in company project
Problem - what in Jaeger blocks you from solving the requirement?
As mentioned in the README, I try to run go get -u github.com/uber/jaeger-client-go/
but I get following error
go: downloading github.com/uber/jaeger-client-go v2.26.0+incompatible
go get: github.com/uber/jaeger-client-go@v2.26.0+incompatible: verifying module: checksum mismatch
downloaded: h1:ZI30Y3B7H1lHLDAv8Y3pngXEnDOIHdCbybgcZwqMLJg=
sum.golang.org: h1:h285ag9YqU5dfE+D2tc2mL93wjg1YLveCCDgm2y4Rsg=
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.
If I change to v2.25.0 in my go.mod file, everything works.
Proposal - what do you suggest to solve the problem or improve the existing situation?
No idea how to solve this.
Additional info
- OS: MacOS Big Sur 11.2.3
- Go version: go1.16.3 darwin/amd64
- Shell: zsh 5.8 (x86_64-apple-darwin19.6.0)
@joe-elliott this could be a side effect if retagging the release to a different commit. If we can't bust the cache, we may need to release a 2.26.1 patch.
I am currently able to pull 2.26.0 without issue:
@bygui86 do you mind trying again? perhaps cleaning the cache will help? (see below)
$ go mod init example.com/m
go: creating new go.mod: module example.com/m
$ go get -u github.com/uber/jaeger-client-go/
go: downloading github.com/uber/jaeger-client-go v2.26.0+incompatible
go: downloading github.com/uber/jaeger-lib v2.4.1+incompatible
go get: added github.com/opentracing/opentracing-go v1.2.0
go get: added github.com/uber/jaeger-client-go v2.26.0+incompatible
go get: added github.com/uber/jaeger-lib v2.4.1+incompatible
go get: added go.uber.org/atomic v1.7.0
$ go clean --modcache
$ go get -u github.com/uber/jaeger-client-go/
go: downloading github.com/uber/jaeger-client-go v2.26.0+incompatible
go: downloading github.com/opentracing/opentracing-go v1.2.0
go: downloading github.com/uber/jaeger-lib v2.4.1+incompatible
go: downloading go.uber.org/atomic v1.7.0
go: downloading github.com/uber/jaeger-lib v1.5.0
go: downloading github.com/uber/jaeger-client-go v1.6.0
I am seeing this same issue today and I can replicate @joe-elliott's pulling in a fresh project, but everytime I try to run the update in my existing project I still get an error
$ go clean --modcache
$ go get -u github.com/uber/jaeger-client-go
go: downloading github.com/uber/jaeger-client-go v2.26.0+incompatible
verifying github.com/uber/jaeger-client-go@v2.26.0+incompatible: checksum mismatch
downloaded: h1:h285ag9YqU5dfE+D2tc2mL93wjg1YLveCCDgm2y4Rsg=
go.sum: h1:ZI30Y3B7H1lHLDAv8Y3pngXEnDOIHdCbybgcZwqMLJg=
SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.
I was able to fix it by deleting the go.sum
file first
$ rm go.sum
$ go get -u github.com/uber/jaeger-client-go
go: downloading github.com/uber/jaeger-client-go v2.26.0+incompatible
go: downloading github.com/uber/jaeger-lib v2.4.0+incompatible
go: downloading go.uber.org/atomic v1.7.0
go: downloading github.com/uber/jaeger-lib v1.5.0
go: downloading github.com/uber/jaeger-lib v2.4.1+incompatible
go: downloading github.com/uber/jaeger-client-go v1.6.0
go get: upgraded github.com/uber/jaeger-lib v2.4.0+incompatible => v2.4.1+incompatible
If the old hash got into your go.sum, you could see this mismatch.
Hello, the reason here is that module on proxy.golang.org has checksum:
h1:h285ag9YqU5dfE+D2tc2mL93wjg1YLveCCDgm2y4Rsg=
While when not using proxy.golang.org and having GOPROXY=direct results into module downloading from vcs with checksum:
h1:ZI30Y3B7H1lHLDAv8Y3pngXEnDOIHdCbybgcZwqMLJg=
I suppose the simplest thing to do is releasing new tag and never re-tag in the future.
I think @FZambia is right. I had the very same experience with go-proxy developing other libraries.
@joe-elliott unfortunately for me still does not work. Run following commands
$ rm -f go.sum
$ go clean --modcache
$ go mod download
go mod download: github.com/uber/jaeger-client-go@v2.26.0+incompatible: verifying module: checksum mismatch
downloaded: h1:ZI30Y3B7H1lHLDAv8Y3pngXEnDOIHdCbybgcZwqMLJg=
sum.golang.org: h1:h285ag9YqU5dfE+D2tc2mL93wjg1YLveCCDgm2y4Rsg=
SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
For more information, see 'go help module-auth'.
Here is my go.mod
file:
module github.com/bygui86/go-postgres-cicd
go 1.16
require (
github.com/DATA-DOG/go-sqlmock v1.5.0
github.com/ExpansiveWorlds/instrumentedsql v0.0.0-20171218214018-45abb4b1947d
github.com/HdrHistogram/hdrhistogram-go v1.1.0 // indirect
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/docker/go-connections v0.4.0
github.com/google/martian v2.1.0+incompatible // indirect
github.com/googleapis/gax-go v1.0.3 // indirect
github.com/gorilla/mux v1.8.0
github.com/lib/pq v1.10.0
github.com/mattn/go-sqlite3 v1.14.7 // indirect
github.com/opentracing/opentracing-go v1.2.0
github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5
github.com/openzipkin/zipkin-go v0.2.5
github.com/prometheus/client_golang v1.10.0
github.com/stretchr/testify v1.7.0
github.com/testcontainers/testcontainers-go v0.10.0
github.com/uber/jaeger-client-go v2.26.0+incompatible
github.com/uber/jaeger-lib v2.4.1+incompatible
go.uber.org/zap v1.16.0
)
I changed manually from github.com/uber/jaeger-client-go v2.25.0+incompatible
to github.com/uber/jaeger-client-go v2.26.0+incompatible
Released 2.27.0
Amazing thanks!!