envoy@v1.32.3/go.mod checksum mismatch #1083
Comments
Hi @jarrodhroberson , Would you like to share your project setup ? |
Here's an example: https://github.com/emilhauk/envoy-checksum-error |
Can you try this
|
For what it's worth, I am experiencing the same issue and so tried the suggested fix above, which yields the same error:

```text
> go get github.com/envoyproxy/go-control-plane/envoy@latest
verifying github.com/envoyproxy/go-control-plane/envoy@v1.32.3/go.mod: checksum mismatch
	downloaded: h1:c955gQjaXHsMxMjHjEZ7nwIzMJYxXpN+sJIGufsSbg4=
	go.sum:     h1:F6hWupPfh75TBXGKA++MCT/CZHFq5r9/uwt/kQYkZfE=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
```

I would note that in my case, the Looking at the changelog I see that there are changes to I suspect that this change may be the root cause of the issue, I have not tested but this line raised some suspicion for me: Line 6 in 2d07f5a
|
I also tried your suggestion, but to no avail. I get different hashes though (same as in the example repo linked above). Then, I tried to install this using a basic docker container, which apparently works just fine 🙈:
The issue seems to be local or system related, but affecting several others as well it seems. I have tried the following:
I don't get how this is the only package of countless on my machine that's acting up. Any insights and/or suggestions would be greatly appreciated 😃 |
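Added example, not code from this thread or from the go-control-plane project: the `h1:` value that the error above compares is the Hash1 scheme from golang.org/x/mod/sumdb/dirhash applied to the single file `go.mod` (the second, `/go.mod`-less line in go.sum hashes the whole module zip the same way and is not covered here). The program recomputes that hash for a constructed module `example.com/ctrl` (an assumption, not the real envoy go.mod), then replays the check the go command performs: once with the same bytes, once after the tag has been moved to a commit whose go.mod differs by one line. The second run reproduces the "downloaded" / "go.sum" disagreement shown in the error, which is why no client-side change can make both hashes valid at once.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// GoModHash1 recomputes the "h1:" value go.sum records for a module's go.mod.
// It is dirhash.Hash1 over one file named "go.mod": sha256 of the summary line
// "<sha256hex of contents>  go.mod\n", base64-encoded and prefixed "h1:".
// Only the served bytes matter, so a moved tag or re-pushed release that changes
// go.mod by even one byte produces a different value for the same version.
func GoModHash1(goMod []byte) string {
	fileSum := sha256.Sum256(goMod)
	summary := fmt.Sprintf("%x  %s\n", fileSum, "go.mod")
	h := sha256.Sum256([]byte(summary))
	return "h1:" + base64.StdEncoding.EncodeToString(h[:])
}

// RecordedGoModSum returns the hash go.sum already holds for the line
// "<module> <version>/go.mod <hash>", or "" if no such line exists.
func RecordedGoModSum(goSum, module, version string) string {
	want := module + " " + version + "/go.mod"
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 3 && f[0]+" "+f[1] == want {
			return f[2]
		}
	}
	return ""
}

// VerifyGoModSum mirrors the check the go command makes before trusting a
// downloaded go.mod: hash the fetched bytes and compare with go.sum.
// It returns the recorded hash, the computed hash, and whether they agree;
// a missing go.sum entry never verifies.
func VerifyGoModSum(goSum, module, version string, downloaded []byte) (recorded, computed string, ok bool) {
	recorded = RecordedGoModSum(goSum, module, version)
	computed = GoModHash1(downloaded)
	return recorded, computed, recorded != "" && recorded == computed
}

func main() {
	// Constructed sample module; hypothetical, not the real go-control-plane go.mod.
	mod, ver := "example.com/ctrl", "v1.32.3"
	original := []byte("module example.com/ctrl\n\ngo 1.22\n")

	// go.sum as written after the first successful download of this version.
	goSum := mod + " " + ver + "/go.mod " + GoModHash1(original) + "\n"

	// Same bytes served again: the check passes.
	rec, got, ok := VerifyGoModSum(goSum, mod, ver, original)
	fmt.Printf("unchanged tag: ok=%v\n  go.sum:     %s\n  downloaded: %s\n", ok, rec, got)

	// The tag is moved to a commit whose go.mod differs by one line. The recorded
	// hash no longer matches: this is the "does NOT match an earlier download"
	// condition, and it cannot be distinguished from a tampered download.
	moved := []byte("module example.com/ctrl\n\ngo 1.23\n")
	rec, got, ok = VerifyGoModSum(goSum, mod, ver, moved)
	fmt.Printf("moved tag:     ok=%v\n  go.sum:     %s\n  downloaded: %s\n", ok, rec, got)
}
```

Because the hash commits only to file bytes, a cache (proxy.golang.org, a corporate proxy, a cloud build cache) that captured the earlier bytes will keep serving them under the same version forever; two caches that captured different bytes will disagree, which is the "hashes reversing" behaviour reported further down. Only a new version number gives every consumer a single set of bytes to agree on.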
I cannot share my project; it is not public. I am not using this directly, it is being accessed as a dependency of a dependency. I think it is a Google Cloud SDK dependency. I tracked it down to "opentelemetry" using this version.

I can get it to work LOCALLY by either setting GONOSUMDB or replacing my local hash with the expected one. But when I try to deploy to Google App Engine Standard, I am NOT in control of the build environment and cannot set GONOSUMDB (which I think is a hack workaround). I did finally get an absolutely crap workaround to get it to deploy by replacing the hash in go.sum with the one that the GAE build expects. Which one is "correct" I have no idea, because the next time I tried to deploy, the hashes were reversed and I got the error again.

The only reason that the checksum would be different for the exact same version is someone replaced a published binary and did not bump the version number for some reason. I know this because when I first started using Go and releasing my code I did the same thing and it bit me immediately.

Deleting the contents of go.mod and deleting go.sum completely can affect the hashes that are retrieved. I have tried everything, including doing that. I have experienced the order of the hashes reversing, as a previous poster says. That is why replacing the hash in my go.sum before pushing to Google App Engine for deployment is not a solution: the hash that GAE pulls seems to be non-deterministic. I am using GOPROXY=direct, which should pull directly from the source. There is no acceptable client-side fix for this if you do not control the version of the library directly. |
I created a new empty project, and the very first time I used
this is the imports
and since
whatever you guys did, you broke Google Cloud Platform libraries in a very bad way. |
Hello. |
Hey, it seems pkg.dev cached a very short release prior to the main one (only partially). |
Hi, any update on this? ETA? @valerian-roche |
Please release a clean (new) version. My proxy is also picking this up. |
Not the desired fix I know, but for others who want a workaround whilst this is resolved, you can:
|
Corporate AppSec policy forbids use of any proxy, so using |
This is not a solution for those of us who cannot set GOSUMDB or GOPROXY because builds are happening in a CI environment or a cloud build environment like Google Cloud Platform.

I finally got it to work by adding `go.sum` to my `.gitcloudignore`, but this is a TERRIBLE workaround security-wise.

I also tried using a `vendor` directory and it fails if the `go.sum` is included with the build as well, since it still checks and picks up the wrong one.

Why did you change the binary of a release?
…On Mon, Jan 27, 2025 at 10:00 AM Lee Brotherston ***@***.***> wrote:
Not the desired fix I know, but for others who want a workaround whilst this is resolved, you can:
- Remove the package:
  - go get ***@***.***
- Remove any locally cached copies of the module
- Re-add the module forcing a SUMDB & Proxy that has the "right" version:
  - GOSUMDB="sum.golang.org" GOPROXY="https://proxy.golang.org/" go get github.com/envoyproxy/go-control-plane
  - GOSUMDB="sum.golang.org" GOPROXY="https://proxy.golang.org/" go mod tidy
--
Jarrod Roberson
678.551.2852
|
FWIW I am nothing to do with this project, just another person on the internet who uses this module like you. I'm offering what worked for me in case that's useful for others, I do realize that this is not an ideal solution, and I'm not suggesting as such. |
Did you move a tag? Could you cut a new no-change release 1.32.4 as this is quite an annoyance to deal with? |
Sounds great, a new version with the new checksum would perfectly solve my issue, with integration tests! |
@valerian-roche Would that be possible? |
Don't want to post a "+1" but if it helps with the decision this sounds like the proper solution and also what solved this last time it happened in #512. |
This does not fix those of us suffering from this because of transient dependencies out of our control. The fact that this has happened TWICE should be of GREAT concern, especially since this breaks ALL OF GOOGLE CLOUD PLATFORM client libraries right now. This should never happen once, much less twice. Wherever you are initially publishing to should never let you deploy the same version number a second time to begin with. |
I released I am hoping this will end the multiple issues we had since the module split. If you see other issues please raise them, as it is hard to have visibility on the |
Hi, I apologize for the issue created here, but none of us were maintainers of this repository at this time. |
Thank you Valerian :) |
Thanks @valerian-roche! This is fixed for me now. |
Thanks @valerian-roche and team |
@jarrodhroberson , |
There is no way to fix a past version that has a different checksum because of different binaries in different caches. You can make as many new releases as you want; it does not fix the one in the past that is broken and included in the opentelemetry that Google Cloud Platform client(s) use. You would need to have opentelemetry make a new release that does not use that version and get Google to release a new version that uses the new opentelemetry version.
…On Tue, Feb 11, 2025 at 1:56 AM Matthieu MOREL ***@***.***> wrote:
@jarrodhroberson <https://github.com/jarrodhroberson> ,
Would you like to confirm that the release created by @valerian-roche <https://github.com/valerian-roche> is fixing the issue you've met ?
|
@jarrodhroberson did you try to edit your |
FWIW. This simply fixed it for me. I never expected an already shipped release to be altered. That would be an anti-pattern. Time to move on and update...
|
You are obviously not deploying to a remote system that you do not have control over, like Google App Engine.
…On Wed, Feb 12, 2025 at 4:20 AM Mike Owen ***@***.***> wrote:
FWIW. This simply fixed it for me.
```shell
go get -t -u ./...
go mod tidy
```
|
Also, how does that fix the problem where you have a mandatory dep that uses the fixed version that is broken and you cannot manage or upgrade the version of?
…On Wed, Feb 12, 2025 at 4:20 AM Mike Owen ***@***.***> wrote:
FWIW. This simply fixed it for me.
```shell
go get -t -u ./...
go mod tidy
```
|
See envoyproxy/go-control-plane#1083 sadly an existing tag was moved breaking module checksums. As a workaround a new version was released
Solves the following error: verifying github.com/envoyproxy/go-control-plane/envoy@v1.32.3/go.mod: checksum mismatch See envoyproxy/go-control-plane#1083 Signed-off-by: hagen1778 <roman@victoriametrics.com>
Solves the following error: verifying github.com/envoyproxy/go-control-plane/envoy@v1.32.3/go.mod: checksum mismatch See envoyproxy/go-control-plane#1083
Solves the following error: verifying github.com/envoyproxy/go-control-plane/envoy@v1.32.3/go.mod: checksum mismatch See envoyproxy/go-control-plane#1083 (cherry picked from commit 18d6c71)
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions. |
This is not stale, nor is it resolved. This is an issue that affects a multitude of packages that depend on this |
Still broken, google must be independently caching their dependencies because the internet hasn't fallen apart. That being said, the fact that this still hasn't been resolved is kind of insane given the scale of the issue. |
Can you clarify what resolution you are expecting? We released a new version and google released new versions to remove references to the corrupted one. We do not have control over the caching proxies which are creating the issue potentially, and therefore do not have a path forward that I know of. Excluding the bad module version was used by some users with success I believe, and we have not received other reports of issues since the new releases of the modules depending on the bad release. |
@valerian-roche I think that the problem is that the new version had the same version number as the broken one, and so everyone is getting mismatched sums depending on which one they have, and having the same version number will not cause go to update anything. I would suggest that the new fix is releasing a new version in the go sense, i.e. updating the version number ( |
There is actually a new tag already, see envoy/v1.32.4. For reference, we worked around this issue by adding this to
When I looked, some of the Google Cloud libraries had new tags that used the new |
Ah I see, I must confess I didn't notice because the latest release is still showing as |
@LeeBrotherston wrote:
As far as I can tell, the tag seems to be enough on my system.
I could do both of those with a brand new go project. |
@richdawe-cio my mistake, apologies. |
I am trying to build a project and when I updated dependencies I started getting this error.
I can get around it locally by setting GONOSUMDB='github.com/envoyproxy/*' but this does not let me deploy it to google app engine where I can not specify that.
Is there a solution to this?