Reputation: 2686
I have a problem with the usage of the commands go mod vendor and go mod download in a Go module.
When I'm using go mod vendor, the generated go.sum has extra lines. E.g., when I'm using go mod download, the go.sum contains:
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
However, if I remove the go.sum and run go mod vendor, I have 2 lines:
github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
This is problematic because if I commit the go.sum after running go mod vendor, any further go mod download (which may be used by someone else or in CI) will not work because of mismatching hashes, which leads to a security error.
Is there something I'm doing wrong in the usage of go mod vendor and go mod download? Why would they produce different hashes in the go.sum?
Here is the kind of error which instantly happens:
verifying [email protected]: checksum mismatch
downloaded: h1:tIKKCv/bUyBNvVsB6YLo0Ds9ZFdGJ0FKkFun22nwvCI=
go.sum: h1:qta5K5jjJg+TnsD76tcFK7Bjf402WP9MIbPsJGU11Ms=
SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.
(Note: I replaced the name of the package with xxx because it carries my company name.)
Upvotes: 0
Views: 8382
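As an added illustration (not code from the question or any of the answers): a small checker that parses two go.sum files and tells apart the harmless case, where a fresh go mod download simply recorded fewer entries than the committed go.sum, from the dangerous case, where the same module version appears with a different h1: hash, which is exactly what the SECURITY ERROR above reports. The function names parseGoSum and compareGoSums are my own, and the sample go.sum contents are taken from the question.

```go
package main

import (
	"fmt"
	"strings"
)

// sumKey identifies a go.sum line: module path and version ("/go.mod" suffix kept).
type sumKey struct{ Module, Version string }

// Constructed samples reproducing the two go.sum states from the question.
const vendorSum = `github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
`
const downloadSum = "github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=\n"

// parseGoSum turns go.sum text into a map of (module, version) -> h1 hash;
// a malformed line is an error rather than being silently skipped.
func parseGoSum(text string) (map[sumKey]string, error) {
	entries := make(map[sumKey]string)
	for n, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue // blank line
		}
		if len(fields) != 3 || !strings.HasPrefix(fields[2], "h1:") {
			return nil, fmt.Errorf("go.sum line %d is malformed: %q", n+1, line)
		}
		entries[sumKey{fields[0], fields[1]}] = fields[2]
	}
	return entries, nil
}

// compareGoSums separates committed entries that a fresh run did not record
// (harmless) from entries whose hash differs (the SECURITY ERROR case).
func compareGoSums(committed, fresh map[sumKey]string) (missing, mismatched []string) {
	for k, want := range committed {
		if got, ok := fresh[k]; !ok {
			missing = append(missing, k.Module+" "+k.Version)
		} else if got != want {
			mismatched = append(mismatched, fmt.Sprintf("%s %s: go.sum %s, downloaded %s", k.Module, k.Version, want, got))
		}
	}
	return missing, mismatched
}

func main() {
	committed, _ := parseGoSum(vendorSum)
	fresh, _ := parseGoSum(downloadSum)
	fmt.Println(compareGoSums(committed, fresh))
}
```

Run against the two states from the question it reports one missing entry and no mismatch; a mismatch only appears when the same module version carries a different hash, which is the situation git-lfs produced here.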
Reputation: 8670
I would say you can just delete the go.sum file and regenerate it. So:
rm go.sum
go mod tidy
Upvotes: 0
Reputation: 2686
The problem was actually that the git repository was using git-lfs, but git-lfs was not available on either the client or the server side, which led to inconsistent hashes when calculated with and without git-lfs.
Upvotes: 2
Reputation: 5187
The fact that go mod download did not add go.sum entries for the downloaded modules was arguably a bug, and it will be fixed in the upcoming Go 1.16 release (see https://golang.org/issue/41341).
Upvotes: 0