Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dapr 1.9.1 Checksum mismatch #474

Open
coreywagehoft opened this issue Nov 6, 2023 · 5 comments
Open

Dapr 1.9.1 Checksum mismatch #474

coreywagehoft opened this issue Nov 6, 2023 · 5 comments
Labels
bug Something isn't working

Comments

@coreywagehoft
Copy link

Describe the bug

When building a docker container with go we have a step which calls go mod download. We are getting the following error:

#11 [builder 6/9] RUN go mod download
#11 7.066 verifying github.com/dapr/[email protected]: checksum mismatch
#11 7.066 	downloaded: h1:f5gV8HtGz6iBJSsh6eI+/Ews4sGC3W9gX0/oD9ANVqM=
#11 7.066 	go.sum:     h1:SwfLYwqFwBNn1B8pCzGGG49utjV3oMQLZOlOkmf63T8=
#11 7.066 
#11 7.066 SECURITY ERROR
#11 7.066 This download does NOT match an earlier download recorded in go.sum.
#11 7.066 The bits may have been replaced on the origin server, or an attacker may
#11 7.066 have intercepted the download attempt.
#11 7.066 
#11 7.066 For more information, see 'go help module-auth'.
#11 ERROR: process "/bin/sh -c go mod download" did not complete successfully: exit code: 1

To Reproduce

  • Have an application with an earlier version of the Dapr SDK in your go.mod file
  • Update to Dapr 1.9.1

Expected behavior

  • Not get a checksum mismatch when updating Dapr.
@coreywagehoft coreywagehoft added the bug Something isn't working label Nov 6, 2023
@mikeee
Copy link
Member

mikeee commented Dec 2, 2023

How did you upgrade the reference? I can't reproduce it

@jerbob92
Copy link

jerbob92 commented Feb 27, 2024

I have no idea how this keeps happening with Dapr go-sdk, this is the only project I keep having this issue.
The reason this happens is that the hash of the repository is different from what is known in the Go sum DB, to validate this:

  • Install https://github.com/vikyd/go-checksum: go install github.com/vikyd/go-checksum
  • Clone Dapr: git clone https://github.com/dapr/go-sdk.git
  • Checkout 1.9.1: cd go-sdk; git checkout v1.9.1; cd ..
  • Get the checksum of the go.mod file: go-checksum go-sdk/go.mod, note GoCheckSum (h1:bK9bNEsC6hY3RMKh69r0nBjLqb6njeWTEGVMOgP9g20=)
  • Get the checksum of the repository content: go-checksum go-sdk github.com/dapr/[email protected], note GoCheckSum (h1:WTzL+kH5evyGL6LUZvNIRK8U+CfDFl9btTgv8DFpjI8=)
  • Get the checksums from the Go sum DB: curl https://goproxy.io/sumdb/sum.golang.org/lookup/github.com/dapr/[email protected]

Note that the hash of the go.mod from the repo and Go sum DB match up (h1:bK9bNEsC6hY3RMKh69r0nBjLqb6njeWTEGVMOgP9g20=) but that the repo hash doesn't match up: h1:f5gV8HtGz6iBJSsh6eI+/Ews4sGC3W9gX0/oD9ANVqM= vs h1:WTzL+kH5evyGL6LUZvNIRK8U+CfDFl9btTgv8DFpjI8=.

@jerbob92
Copy link

Something else that I just noticed. When I do:
go get github.com/dapr/go-sdk@2a85a7bb6a1447929720d7df779bff7f0ed41c24 (which is one commit after v1.9.1, 29bf88b)

And then do go mod vendor, I don't only get the difference between the two commits (git diff 29bf88b1b089e2c99b27b2d0f8d460a936f749fe...2a85a7bb6a1447929720d7df779bff7f0ed41c24):

diff --git a/client/client.go b/client/client.go
index a40a36f..7a82fe9 100644
--- a/client/client.go
+++ b/client/client.go
@@ -283,7 +283,7 @@ func NewClientWithAddressContext(ctx context.Context, address string, opts ...Cl
        }
 
        if cOpts.useTLS || strings.Contains(address, "https://") {
-               option = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
+               option = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{MinVersion: tls.VersionTLS12}))
        } else {
                option = grpc.WithTransportCredentials(insecure.NewCredentials())
        }

But I actually get the following change in my vendor folder:

diff --git a/vendor/github.com/dapr/go-sdk/client/client.go b/vendor/github.com/dapr/go-sdk/client/client.go
index ad5ac0da..7a82fe92 100644
--- a/vendor/github.com/dapr/go-sdk/client/client.go
+++ b/vendor/github.com/dapr/go-sdk/client/client.go
@@ -283,7 +283,7 @@ func NewClientWithAddressContext(ctx context.Context, address string, opts ...Cl
        }
 
        if cOpts.useTLS || strings.Contains(address, "https://") {
-               option = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
+               option = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{MinVersion: tls.VersionTLS12}))
        } else {
                option = grpc.WithTransportCredentials(insecure.NewCredentials())
        }
@@ -294,6 +294,7 @@ func NewClientWithAddressContext(ctx context.Context, address string, opts ...Cl
                address,
                option,
                grpc.WithUserAgent(userAgent()),
+               grpc.WithBlock(),
        )
        cancel()
        if err != nil {

The extra change comes from #471 (commit 5eecffa4fa3df1825d5149471edd83e4aa89e7ba), which should be part of v1.9.1, and it is on Git, but not in the Go package. So this is another indication there is some difference between what's on Git an what is known to the Go registries.

@mikeee
Copy link
Member

mikeee commented Feb 27, 2024

It does look like the tag has been modified. I appreciate it's frustrating. There is a release coming up soon that should not face the same issue, I'll keep this issue appraised of the latest as well as investigate how we can ensure this doesn't happen going forwards.

@jerbob92
Copy link

Thank you @mikeee! Will keep an eye out, for now I have set the dependency to go get github.com/dapr/go-sdk@2a85a7bb6a1447929720d7df779bff7f0ed41c24 to get around this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

3 participants