Error building without CGO

[dornimaug]

Trying to built a program using go-git v5.5.0 with CGO_ENABLED set to 0 results in an error:

 	imports github.com/go-git/go-git/v5
 	imports github.com/go-git/go-git/v5/config
 	imports github.com/go-git/go-git/v5/plumbing
 	imports github.com/go-git/go-git/v5/plumbing/hash
 	imports github.com/pjbgf/sha1cd/cgo: build constraints exclude all Go files in /home/jenkins/go/pkg/mod/github.com/pjbgf/sha1cd@v0.2.0/cgo

This seems to have been added/changed in #618.

Using

hash.RegisterHash(crypto.SHA1, sha1.New)

as suggested in the PR, does not fix the problem.

[pjbgf]

@dornimaug thanks for reporting this. I will take a look at it later on today.

In the mean time, you may want to replace the go-git version with a version that preceded the change:

replace github.com/go-git/go-git/v5 => github.com/go-git/go-git/v5 v5.4.3-0.20221117033540-c798d4a42004

[eddycharly]

FWIW, same issue here:

package github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno
	imports github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/test
	imports github.com/go-git/go-git/v5
	imports github.com/go-git/go-git/v5/config
	imports github.com/go-git/go-git/v5/plumbing
	imports github.com/go-git/go-git/v5/plumbing/hash
	imports github.com/pjbgf/sha1cd/cgo: build constraints exclude all Go files in /home/runner/go/pkg/mod/github.com/pjbgf/sha1cd@v0.2.0/cgo

[sithembiso]

@pjbgf is this fix related to this:

# github.com/pjbgf/sha1cd/cgo
vendor/github.com/pjbgf/sha1cd/cgo/sha1.go:3:11: fatal error: 'lib/sha1.h' file not found
 #include <lib/sha1.h>
          ^~~~~~~~~~~~
1 error generated.

I'm still getting the same error if I set CGO_ENABLED=1 (my project requires CGO).

If I set it to CGO_ENABLED=0, I get the following still:

imports github.com/go-git/go-git/v5
imports github.com/go-git/go-git/v5/config
imports github.com/go-git/go-git/v5/plumbing
imports github.com/go-git/go-git/v5/plumbing/hash
imports github.com/pjbgf/sha1cd/cgo: build constraints exclude all Go files in /Users/sithembiso/myproj/vendor/github.com/pjbgf/sha1cd/cgo

[sithembiso]

Also just out of curiosity, why did we change the hashing library? Was it for better collision detection?

[pjbgf]

@sithembiso the fix for go-git is not yet merged. What you can do instead is replace the sha1cd version with the one fixed, with the below in your go.mod:

replace github.com/pjbgf/sha1cd => github.com/pjbgf/sha1cd v0.2.2

That should enable you to build with cgo disabled. As for the issue whilst vendoring, I will take a look and let you know.

As for the second question, TL;DR: SHA1 is no longer a secure hash algorithm to be used. The key Git implementations rely on a collision detection SHA1 version which can detect the patterns of a hash attack and produce circumvent it by yielding a different hash instead. Here's some info on the SHA1's state: https://shattered.io/. More info on when the Git CLI incorporated the same changes: git/git@28dc98e.

[yann-soubeyrand]

Hello @sithembiso,
Here’s my attempt at fixing the issue with vendoring: pjbgf/sha1cd#7. Could you please try to use replace github.com/pjbgf/sha1cd v0.2.1 => github.com/yann-soubeyrand/sha1cd main and let us know if it works?

[sithembiso]

It appears the issue was as a result if C files not being downloaded during go get .... I have tested this and created a PR here: pjbgf/sha1cd#9. It builds fine on my project now.

@pjbgf Thank you for the explanation and the resources. I was aware of SHA1's security issues, but I was wondering why we should consider "fixing" the SHA1 issues instead of moving to something like SHA256. I know it's naive of me considering how big a task that is.

[yann-soubeyrand]

Hello @sithembiso, your modification (embedding C sources in an unused variable), although it’s working perfectly fine, seems more like a workaround to me than a solution to the root problem (C sources being in a subfolder which Go module vendoring deliberately ignores golang/go#26366 (comment)). Have you tried my solution attempt?

[sithembiso]

@yann-soubeyrand thank you taking a look at this. I did try to load your package, but the files were still getting left behind for some reason. I don't know a lot about the internals of the vendoring tool, but I just assumed that it's only looking at the *.go files. It's interesting that this is not the case I'll try yours again in case I missed something.

[sithembiso]

I just checked, it works. I think go mod was having an issue with the main branch no being semver compatiable. So, I changed it to this:

replace github.com/pjbgf/sha1cd v0.2.2 => github.com/yann-soubeyrand/sha1cd v0.0.0-20221202213918-e3c2d15ebf42

And it builds now.

[pjbgf]

@dornimaug @sithembiso @eddycharly with the latest version of sha1cd those issues are now resolved:

replace github.com/pjbgf/sha1cd => github.com/pjbgf/sha1cd v0.2.3

I updated #625 so once merged this is no longer an issue.

Thanks @sithembiso @yann-soubeyrand for helping getting this resolved.

[thomb89]

i just updated this dependency and ran into an error, because our CI-Servers don't have gcc installed.

if there is now a dependency that uses cgo, shouldn't the readme be updated to remove the note about the "pure go" implementation?

[yann-soubeyrand]

Cgo is optional and the build should work without it. However, one now has to set CGO_ENABLED=0 because Cgo is enabled by default.