magefile / mage

a Make/rake-like dev tool using Go

Home Page: https://magefile.org


Bug: mage release 1.12 raises go get checksum errors

eaglebush opened this issue

**Bug Description**
go get raises checksum errors

**What did you do?**
Fetched the package: `go get -u github.com/gbrlsnchs/jwt/v3`

**What actually happened?**

```
go get: github.com/magefile/mage@v1.12.0: verifying module: checksum mismatch
        downloaded: h1:M4awaYdobNRmzXXOSBRACIvzXqeiYWS2IitX1i0fxNI=
        sum.golang.org: h1:WzvfTqwh4lBipPALjO9uYA91ui/4+T5Yw//A9LN93TY=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
go get: github.com/magefile/mage@v1.12.0: verifying module: checksum mismatch
        downloaded: h1:M4awaYdobNRmzXXOSBRACIvzXqeiYWS2IitX1i0fxNI=
        sum.golang.org: h1:WzvfTqwh4lBipPALjO9uYA91ui/4+T5Yw//A9LN93TY=
```

**Environment**
 - Mage Version: 1.12
 - OS: windows
 - Go 1.17.5

@eaglebush what version of go are you on?

Same here, go 1.17.5 on Debian. Exact same checksum variance.

Did the tag move after being initially created?

I did a git checkout of v1.12.0 and compared it to what go downloaded into ${GOPATH}/pkg/mod/github.com/magefile/mage@v1.12.0. They are not the same. Here's the diff:

Only in /home/mgl/3psrc/mage: .git
Only in /home/mgl/3psrc/mage/.github: workflows
diff -ur /home/mgl/3psrc/mage/.goreleaser.yml ./.goreleaser.yml
--- /home/mgl/3psrc/mage/.goreleaser.yml	2021-12-17 10:58:54.426399836 -0500
+++ ./.goreleaser.yml	2021-12-17 10:56:16.592780769 -0500
@@ -26,8 +26,7 @@
       goarm: 6
   env:
     - CGO_ENABLED=0
-archives:
-- 
+archive:
   name_template: "{{.Binary}}_{{.Version}}_{{.Os}}-{{.Arch}}"
   replacements:
     amd64: 64bit
diff -ur /home/mgl/3psrc/mage/magefile.go ./magefile.go
--- /home/mgl/3psrc/mage/magefile.go	2021-12-17 10:58:54.430399877 -0500
+++ ./magefile.go	2021-12-17 10:56:16.592780769 -0500
@@ -1,5 +1,4 @@
-//go:build mage
-// +build mage
+//+build mage
 
 // This is the build script for Mage. The install target is all you really need.
 // The release target is for generating official releases and is really only
@@ -10,7 +9,6 @@
 	"errors"
 	"fmt"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"regexp"
 	"runtime"
@@ -71,9 +69,6 @@
 
 // Generates a new release. Expects a version tag in v1.x.x format.
 func Release(tag string) (err error) {
-	if _, err := exec.LookPath("goreleaser"); err != nil {
-		return fmt.Errorf("can't find goreleaser: %w", err)
-	}
 	if !releaseTag.MatchString(tag) {
 		return errors.New("TAG environment variable must be in semver v1.x.x format, but was " + tag)
 	}
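Review bot: Release on the `+` side has no `exec.LookPath("goreleaser")` check ahead of the tag validation, so a missing goreleaser binary only surfaces at the final `sh.RunV("goreleaser")` call, and the deferred cleanup in the next hunk then has to delete the tag again. Keep the preflight from the `-` side as the first statement of Release so the function fails before there is a tag to delete.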
@@ -86,8 +81,8 @@
 	}
 	defer func() {
 		if err != nil {
-			sh.RunV("git", "tag", "--delete", tag)
-			sh.RunV("git", "push", "--delete", "origin", tag)
+			sh.RunV("git", "tag", "--delete", "$TAG")
+			sh.RunV("git", "push", "--delete", "origin", "$TAG")
 		}
 	}()
 	return sh.RunV("goreleaser")
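Review bot: The deferred cleanup on the `+` side passes the literal string `"$TAG"` to `git tag --delete` and `git push --delete` instead of the `tag` argument that Release checked against `releaseTag`, so the deletion relies on whatever `$TAG` resolves to rather than on the validated value; pass `tag` as the `-` side does. On both sides the errors returned by `sh.RunV` inside the defer are dropped, so a failed deletion goes unreported. A tag deleted from origin and later re-created at another commit also leaves two different trees under one version, which is the mismatch `go get` reports in this issue, so consider logging those errors and retrying a failed release under a new version number.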
Only in .: .travis.yml

With some quick experimenting, it looks like the tag was initially placed at commit 404c119 (that exactly matches what go downloaded) and that is what the go proxy has cached for it.
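The `h1:` values in the `go get` output are hashes of the module's file tree, so two different trees published under one version cannot both verify. The following is an added example, not code from this thread or from the mage project: it recomputes that hash for an extracted module directory using the scheme of `golang.org/x/mod/sumdb/dirhash` (`Hash1`). The names `HashFiles` and `HashDir` and the command-line arguments are this example's own; it is meant for a module-cache tree, since a raw git checkout can contain files (such as `.git`) that the module zip does not.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io/fs"
	"os"
	"sort"
)

// HashFiles returns the "h1:" hash of a file set: SHA-256 over one
// "<sha256 hex>  <name>\n" line per file, sorted by name, then base64.
func HashFiles(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		fmt.Fprintf(summary, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// HashDir hashes the regular files under dir (symlinks are skipped), naming
// each "<prefix>/<slash-separated relative path>"; prefix is "module@version".
func HashDir(dir, prefix string) (string, error) {
	files := map[string][]byte{}
	fsys := os.DirFS(dir)
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		files[prefix+"/"+p], err = fs.ReadFile(fsys, p)
		return err
	})
	if err != nil {
		return "", err
	}
	return HashFiles(files), nil
}

func main() { // usage: h1 <module dir> <module@version> (arguments assumed by this example)
	if len(os.Args) == 3 {
		fmt.Println(HashDir(os.Args[1], os.Args[2]))
	}
}
```

Because the version string is part of every hashed file name, identical code tagged as a new version produces a different `h1:` value and gets its own checksum database entry.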

Ug... yeah, there was a problem with my release script, and so it created a v1.12 before I was ready, so I deleted it and retried. And... now I have blown up the world, evidently.

I made a v1.12.1 ... it's the exact same code as v1.12.0, but hopefully since it's a new tag and not the same as the one deleted, it won't cause problems.

> @eaglebush what version of go are you on?

I'm on Go 1.17.5

Let me know if this has solved your problem, so we can close the issue. Thanks. And sorry for the bother!

It's fine now. Thanks.