
[BUG] orchestrion pin called multiple times in different environment triggers a security error from the go toolchain #406

Closed
eliottness opened this issue Nov 20, 2024 · 1 comment · Fixed by #408
Labels
bug Something isn't working

Comments

eliottness commented Nov 20, 2024

Version of orchestrion

Happens starting in v0.9.4

Describe what happened:

Calling orchestrion pin fails with the following error in the docker image golang:1.22

root@7057bd25e635:/home/eliott/dd/appsec-go-test-app# orchestrion pin
go: downloading github.com/stretchr/testify v1.9.0
verifying github.com/DataDog/[email protected]: checksum mismatch
        downloaded: h1:PtU7e7iR5hNpSartIcPP4DvrjCqk4BSA8iKe5axIx1w=
        go.sum:     h1:Gi0Z5Q3mm4HriahXCdDAYDUkYTss8CxwmYbt2xX7iFw=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Describe what you expected:

I would expect things to happen properly

Steps to reproduce the issue:

  1. git clone [email protected]:DataDog/appsec-go-test-app.git && cd appsec-go-test-app
  2. docker run -it -v $PWD:$PWD -w $PWD golang:1.22
  3. go install github.com/DataDog/[email protected]
  4. orchestrion pin

Additional environment details (Version of Go, Operating System, etc.):

Everything described happened inside the official golang:1.22 docker image

The currently available workaround is to not commit the result of orchestrion pin to your VCS.

@eliottness eliottness added the bug Something isn't working label Nov 20, 2024
@eliottness eliottness changed the title [BUG] orchestrion pin triggers a security error from the go toolchain [BUG] orchestrion pin called multiple times in different environment triggers a security error from the go toolchain Nov 20, 2024
eliottness (issue author) commented:

Apparently this is triggered by us having GOPRIVATE=github.com/DataDog. Unsetting this fixes things

github-merge-queue bot pushed a commit that referenced this issue Nov 20, 2024
The go toolchain ignores directories starting with `_` and `.` as well
as those named `testdata`. We rename the documentation root to `_docs`
so that it is not considered as part of the distribution package for the
root module. The same treatment is applied to `tools` for good measure.

Fixes #406
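The commit above relies on the toolchain's directory-ignore rule. As an added illustration that is not orchestrion's own code, the following Go program applies that rule (directory components starting with `_` or `.`, or named `testdata`) to a constructed file list that mirrors the rename from `docs` to `_docs` and `tools` to `_tools`, and shows which files remain part of the root module's distribution package.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ignoredByGoToolchain reports whether a module-relative file path lies under
// a directory the go toolchain skips, per the rule quoted in the fix: any
// directory component starting with "_" or ".", or named "testdata".
// Only directory components are checked; the final element is the file name.
func ignoredByGoToolchain(rel string) bool {
	rel = path.Clean(strings.TrimPrefix(rel, "./"))
	parts := strings.Split(rel, "/")
	for _, dir := range parts[:len(parts)-1] {
		if strings.HasPrefix(dir, "_") || strings.HasPrefix(dir, ".") || dir == "testdata" {
			return true
		}
	}
	return false
}

// packagedFiles returns the subset of files that are not under an ignored
// directory and would therefore be considered part of the root module.
func packagedFiles(files []string) []string {
	var kept []string
	for _, f := range files {
		if !ignoredByGoToolchain(f) {
			kept = append(kept, f)
		}
	}
	return kept
}

func main() {
	// Constructed sample tree (not the real repository layout) before and
	// after the rename: "docs" is packaged, "_docs" and "_tools" are not.
	files := []string{
		"go.mod",
		"orchestrion.tool.go",
		"docs/index.md",
		"_docs/index.md",
		"_tools/gen.go",
		"internal/testdata/fixture.go",
		".github/workflows/ci.yml",
	}
	for _, f := range packagedFiles(files) {
		fmt.Println("packaged:", f)
	}
}
```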
github-merge-queue bot pushed a commit that referenced this issue Nov 21, 2024
Triggered it on top of #406 because it left the `orchestrion.tool.go`
file empty. And an empty file is not valid go code...

---------

Signed-off-by: Eliott Bouhana <[email protected]>