Dependency checksum mismatch

[csvoisard]

Describe the bug
Is a dependency checksum mismatch a bug? Or should I just rebuild the go.sum file?

To Reproduce
Steps to reproduce the behavior:

% git clone --depth=1 https://github.com/derailed/k9s.git

% make build
...
verifying github.com/derailed/[email protected]: checksum mismatch
        downloaded: h1:1uKE/vzrNaMVzQxBg/pdoQHOTIB458Fo2ZT5ybBca4o=
        go.sum:     h1:8MKMjYBJdYNktTKeh98TeT127jZY6CFAsurrENoTZCY=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
make: *** [build] Error 1

I worked around the problem by rebuilding the go.sum file so that the new checksum does not fail the build:

% git rm go.sum
rm 'go.sum'

% go mod tidy

% git dc
diff --git go.sum go.sum
index 311b078..e29fb3f 100644
--- go.sum
+++ go.sum
@@ -385,7 +385,7 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da h1:ZOjWpVsFZ06eIhnh4mkaceTiVoktdU67+M7KDHJ268M=
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da/go.mod h1:B3tI9iGHi4imdLi4Asdha1Sc6feLMTfPLXh9IUYmysk=
-github.com/derailed/popeye v0.11.2 h1:8MKMjYBJdYNktTKeh98TeT127jZY6CFAsurrENoTZCY=
+github.com/derailed/popeye v0.11.2 h1:1uKE/vzrNaMVzQxBg/pdoQHOTIB458Fo2ZT5ybBca4o=
 github.com/derailed/popeye v0.11.2/go.mod h1:HygqX7A8BwidorJjJUnWDZ5AvbxHIU7uRwXgOtn9GwY=
 github.com/derailed/tcell/v2 v2.3.1-rc.3 h1:9s1fmyRcSPRlwr/C9tcpJKCujbrtmPpST6dcMUD2piY=
 github.com/derailed/tcell/v2 v2.3.1-rc.3/go.mod h1:nf68BEL8fjmXQHJT3xZjoZFs2uXOzyJcNAQqGUEMrFY=

% make build # completes without checksum failure

Expected behavior
make build on fresh checkout of master branch completes without a dependency checksum failure.

Versions (please complete the following information):

• OS: CentOS Linux release 7.4.1708
• K9s: master branch as of 12 Jan 2024
• K8s: v1.27.4+k3s1

[tsgit]

I'm running into the same issue, using the steps described above allows to make build

I see another difference in the go.sum

--- a/go.sum
+++ b/go.sum
@@ -245,7 +245,7 @@ github.com/anchore/fangs v0.0.0-20231201140849-5075d28d6d8b h1:L/djgY7ZbZ/38+wUt
 github.com/anchore/fangs v0.0.0-20231201140849-5075d28d6d8b/go.mod h1:TLcE0RE5+8oIx2/NPWem/dq1DeaMoC+fPEH7hoSzPLo=
 github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a h1:nJ2G8zWKASyVClGVgG7sfM5mwoZlZ2zYpIzN2OhjWkw=
 github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a/go.mod h1:ubLFmlsv8/DFUQrZwY5syT5/8Er3ugSr4rDFwHsE3hg=
-github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb h1:iDMnx6LIjtjZ46C0akqveX83WFzhpTD3eqOthawb5vU=
+github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb h1:RaZipoaQSrVX+YQx5Q5DUHZ/TfBa0fDLxyYpogMImGY=
 github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb/go.mod h1:DmTY2Mfcv38hsHbG78xMiTDdxFtkHpgYNVDPsF2TgHk=
 github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1rlcoLz8y5B2r4tTLMiVTrMtpfY0O8EScKJxaSaEc=
 github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=
@@ -385,7 +385,7 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da h1:ZOjWpVsFZ06eIhnh4mkaceTiVoktdU67+M7KDHJ268M=
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da/go.mod h1:B3tI9iGHi4imdLi4Asdha1Sc6feLMTfPLXh9IUYmysk=
-github.com/derailed/popeye v0.11.2 h1:8MKMjYBJdYNktTKeh98TeT127jZY6CFAsurrENoTZCY=
+github.com/derailed/popeye v0.11.2 h1:1uKE/vzrNaMVzQxBg/pdoQHOTIB458Fo2ZT5ybBca4o=
 github.com/derailed/popeye v0.11.2/go.mod h1:HygqX7A8BwidorJjJUnWDZ5AvbxHIU7uRwXgOtn9GwY=
 github.com/derailed/tcell/v2 v2.3.1-rc.3 h1:9s1fmyRcSPRlwr/C9tcpJKCujbrtmPpST6dcMUD2piY=
 github.com/derailed/tcell/v2 v2.3.1-rc.3/go.mod h1:nf68BEL8fjmXQHJT3xZjoZFs2uXOzyJcNAQqGUEMrFY=

• OS: Fedora 39 x86_64 with all updates
• K9s: master branch at 5445ff4

[derailed]

@csvoisard @tsgit Hum...
What go version are you running?
Also you could try clear out your cache: go clean --modcache --cache && make build

[tsgit]

go version go1.21.5 linux/amd64

I ran

  go clean -modcache
  go mod tidy 

which didn't help

[tsgit]

I can make build with the modified go.sum file, but not with the go.sum as pulled from the repo

$ git pull
Already up to date.
$ git status
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean
$ go clean --modcache --cache
$ make build
go: downloading k8s.io/klog/v2 v2.120.0
go: downloading k8s.io/client-go v0.29.0
go: downloading github.com/mattn/go-colorable v0.1.13
go: downloading github.com/rs/zerolog v1.31.0
go: downloading github.com/spf13/cobra v1.8.0
go: downloading gopkg.in/yaml.v2 v2.4.0
go: downloading k8s.io/cli-runtime v0.29.0
go: downloading github.com/fvbommel/sortorder v1.1.0
go: downloading k8s.io/api v0.29.0
go: downloading k8s.io/apimachinery v0.29.0
go: downloading k8s.io/metrics v0.29.0
go: downloading github.com/adrg/xdg v0.4.0
go: downloading github.com/derailed/tcell/v2 v2.3.1-rc.3
go: downloading github.com/derailed/tview v0.8.3
go: downloading github.com/fsnotify/fsnotify v1.7.0
go: downloading github.com/mattn/go-runewidth v0.0.15
go: downloading github.com/sahilm/fuzzy v0.1.0
go: downloading golang.org/x/text v0.14.0
go: downloading github.com/atotto/clipboard v0.1.4
go: downloading github.com/cenkalti/backoff/v4 v4.2.1
go: downloading github.com/fatih/color v1.16.0
go: downloading sigs.k8s.io/yaml v1.4.0
go: downloading github.com/mattn/go-isatty v0.0.20
go: downloading github.com/spf13/pflag v1.0.5
go: downloading github.com/go-logr/logr v1.4.1
go: downloading github.com/evanphx/json-patch v5.6.0+incompatible
go: downloading github.com/google/uuid v1.5.0
go: downloading k8s.io/utils v0.0.0-20230726121419-3b25d923346b
go: downloading github.com/google/gnostic-models v0.6.8
go: downloading github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7
go: downloading github.com/peterbourgon/diskv v2.0.1+incompatible
go: downloading github.com/imdario/mergo v0.3.15
go: downloading golang.org/x/term v0.15.0
go: downloading golang.org/x/net v0.19.0
go: downloading github.com/gogo/protobuf v1.3.2
go: downloading github.com/google/gofuzz v1.2.0
go: downloading github.com/xeipuuv/gojsonschema v1.2.0
go: downloading gopkg.in/yaml.v3 v3.0.1
go: downloading github.com/derailed/popeye v0.11.2
go: downloading helm.sh/helm/v3 v3.13.3
go: downloading k8s.io/apiextensions-apiserver v0.29.0
go: downloading k8s.io/kubectl v0.29.0
verifying github.com/derailed/[email protected]: checksum mismatch
        downloaded: h1:1uKE/vzrNaMVzQxBg/pdoQHOTIB458Fo2ZT5ybBca4o=
        go.sum:     h1:8MKMjYBJdYNktTKeh98TeT127jZY6CFAsurrENoTZCY=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
make: *** [Makefile:28: build] Error 1

[tsgit]

$ git stash pop
On branch master
Your branch is up to date with 'origin/master'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   go.sum

no changes added to commit (use "git add" and/or "git commit -a")
Dropped refs/stash@{0} (8fcfa31223cbbf5863e5937330e5ee3d73366695)
$ make build
go: downloading github.com/gdamore/encoding v1.0.0
go: downloading golang.org/x/sys v0.15.0
go: downloading github.com/lucasb-eyer/go-colorful v1.2.0
go: downloading github.com/rivo/uniseg v0.4.3
go: downloading github.com/derailed/popeye v0.11.2
go: downloading github.com/anchore/clio v0.0.0-20231016125544-c98a83e1c7fc
go: downloading github.com/anchore/grype v0.74.0
go: downloading helm.sh/helm/v3 v3.13.3
go: downloading k8s.io/apiextensions-apiserver v0.29.0
go: downloading k8s.io/kubectl v0.29.0
.....
go: downloading github.com/googleapis/enterprise-certificate-proxy v0.3.2
go: downloading go.starlark.net v0.0.0-20230525235612-a134d8f9ddca
go: downloading github.com/go-logr/stdr v1.2.2
go: downloading github.com/docker/go-metrics v0.0.1

clean finish with k9s executable in ./execs/k9s

$ git diff origin/master
diff --git a/go.sum b/go.sum
index 14fd97e5..16a8bf29 100644
--- a/go.sum
+++ b/go.sum
@@ -245,7 +245,7 @@ github.com/anchore/fangs v0.0.0-20231201140849-5075d28d6d8b h1:L/djgY7ZbZ/38+wUt
 github.com/anchore/fangs v0.0.0-20231201140849-5075d28d6d8b/go.mod h1:TLcE0RE5+8oIx2/NPWem/dq1DeaMoC+fPEH7hoSzPLo=
 github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a h1:nJ2G8zWKASyVClGVgG7sfM5mwoZlZ2zYpIzN2OhjWkw=
 github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a/go.mod h1:ubLFmlsv8/DFUQrZwY5syT5/8Er3ugSr4rDFwHsE3hg=
-github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb h1:iDMnx6LIjtjZ46C0akqveX83WFzhpTD3eqOthawb5vU=
+github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb h1:RaZipoaQSrVX+YQx5Q5DUHZ/TfBa0fDLxyYpogMImGY=
 github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb/go.mod h1:DmTY2Mfcv38hsHbG78xMiTDdxFtkHpgYNVDPsF2TgHk=
 github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1rlcoLz8y5B2r4tTLMiVTrMtpfY0O8EScKJxaSaEc=
 github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=
@@ -385,7 +385,7 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da h1:ZOjWpVsFZ06eIhnh4mkaceTiVoktdU67+M7KDHJ268M=
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da/go.mod h1:B3tI9iGHi4imdLi4Asdha1Sc6feLMTfPLXh9IUYmysk=
-github.com/derailed/popeye v0.11.2 h1:8MKMjYBJdYNktTKeh98TeT127jZY6CFAsurrENoTZCY=
+github.com/derailed/popeye v0.11.2 h1:1uKE/vzrNaMVzQxBg/pdoQHOTIB458Fo2ZT5ybBca4o=
 github.com/derailed/popeye v0.11.2/go.mod h1:HygqX7A8BwidorJjJUnWDZ5AvbxHIU7uRwXgOtn9GwY=
 github.com/derailed/tcell/v2 v2.3.1-rc.3 h1:9s1fmyRcSPRlwr/C9tcpJKCujbrtmPpST6dcMUD2piY=
 github.com/derailed/tcell/v2 v2.3.1-rc.3/go.mod h1:nf68BEL8fjmXQHJT3xZjoZFs2uXOzyJcNAQqGUEMrFY=

[tsgit]

I think this is due to git-lfs resolving/not resolving large file references in the repos being downloaded

When I set export GIT_LFS_SKIP_SMUDGE=1

the build succeeds and the checked out zip module files have lfs references

seems related golang/go#41708

e.g. github.com/anchore/[email protected]/test-fixtures/assets/linux_amd64
is a 132byte lfs pointer

$ unzip -l go/pkg/mod/cache/download/github.com/anchore/go-macholibre/@v/v0.0.0-20220308212642-53e6d0aaf6fb.zip 
Archive:  go/pkg/mod/cache/download/github.com/anchore/go-macholibre/@v/v0.0.0-20220308212642-53e6d0aaf6fb.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
       59  00-00-1980 00:00   github.com/anchore/[email protected]/.bouncer.yaml
      128  00-00-1980 00:00   github.com/anchore/[email protected]/.gitattributes
      326  00-00-1980 00:00   github.com/anchore/[email protected]/.github/ISSUE_TEMPLATE/bug_report.md
      254  00-00-1980 00:00   github.com/anchore/[email protected]/.github/ISSUE_TEMPLATE/config.yml
      281  00-00-1980 00:00   github.com/anchore/[email protected]/.github/ISSUE_TEMPLATE/feature_request.md
      839  00-00-1980 00:00   github.com/anchore/[email protected]/.github/scripts/go-mod-tidy-check.sh
     2680  00-00-1980 00:00   github.com/anchore/[email protected]/.github/workflows/validations.yaml
      448  00-00-1980 00:00   github.com/anchore/[email protected]/.gitignore
     1768  00-00-1980 00:00   github.com/anchore/[email protected]/.golangci.yaml
    11357  00-00-1980 00:00   github.com/anchore/[email protected]/LICENSE
     3643  00-00-1980 00:00   github.com/anchore/[email protected]/Makefile
      749  00-00-1980 00:00   github.com/anchore/[email protected]/README.md
      394  00-00-1980 00:00   github.com/anchore/[email protected]/go.mod
     1929  00-00-1980 00:00   github.com/anchore/[email protected]/go.sum
       58  00-00-1980 00:00   github.com/anchore/[email protected]/test-fixtures/Makefile
      132  00-00-1980 00:00   github.com/anchore/[email protected]/test-fixtures/assets/linux_amd64
      130  00-00-1980 00:00   github.com/anchore/[email protected]/test-fixtures/assets/ls_amd64_signed
      130  00-00-1980 00:00   github.com/anchore/[email protected]/test-fixtures/assets/ls_arm64e_signed
      131  00-00-1980 00:00   github.com/anchore/[email protected]/test-fixtures/assets/ls_universal_signed
      763  00-00-1980 00:00   github.com/anchore/[email protected]/test-fixtures/fixture-ls/Makefile
      190  00-00-1980 00:00   github.com/anchore/[email protected]/test-fixtures/fixture-non-mach-o/Makefile
       29  00-00-1980 00:00   github.com/anchore/[email protected]/test-fixtures/fixture-non-mach-o/main.go
     5526  00-00-1980 00:00   github.com/anchore/[email protected]/universal_binary.go
     7259  00-00-1980 00:00   github.com/anchore/[email protected]/universal_binary_test.go
---------                     -------
    39203                     24 files

while

$ unset GIT_LFS_SKIP_SMUDGE && go clean -cache && go clean -modcache && make build

gives

...
go: downloading github.com/gorilla/websocket v1.5.0
verifying github.com/anchore/[email protected]: checksum mismatch
        downloaded: h1:RaZipoaQSrVX+YQx5Q5DUHZ/TfBa0fDLxyYpogMImGY=
        go.sum:     h1:iDMnx6LIjtjZ46C0akqveX83WFzhpTD3eqOthawb5vU=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
make: *** [Makefile:28: build] Error 1

and

$ go get github.com/anchore/[email protected]

gives

$ unzip -l go/pkg/mod/cache/download/github.com/anchore/go-macholibre/@v/v0.0.0-20220308212642-53e6d0aaf6fb.zip564302975.tmp
Archive:  go/pkg/mod/cache/download/github.com/anchore/go-macholibre/@v/v0.0.0-20220308212642-53e6d0aaf6fb.zip564302975.tmp
  Length      Date    Time    Name
---------  ---------- -----   ----
       59  00-00-1980 00:00   github.com/anchore/[email protected]/.bouncer.yaml
      128  00-00-1980 00:00   github.com/anchore/[email protected]/.gitattributes
      326  00-00-1980 00:00   github.com/anchore/[email protected]/.github/ISSUE_TEMPLATE/bug_report.md
      254  00-00-1980 00:00   github.com/anchore/[email protected]/.github/ISSUE_TEMPLATE/config.yml
      281  00-00-1980 00:00   github.com/anchore/[email protected]/.github/ISSUE_TEMPLATE/feature_request.md
      839  00-00-1980 00:00   github.com/anchore/[email protected]/.github/scripts/go-mod-tidy-check.sh
     2680  00-00-1980 00:00   github.com/anchore/[email protected]/.github/workflows/validations.yaml
      448  00-00-1980 00:00   github.com/anchore/[email protected]/.gitignore
     1768  00-00-1980 00:00   github.com/anchore/[email protected]/.golangci.yaml
    11357  00-00-1980 00:00   github.com/anchore/[email protected]/LICENSE
     3643  00-00-1980 00:00   github.com/anchore/[email protected]/Makefile
      749  00-00-1980 00:00   github.com/anchore/[email protected]/README.md
      394  00-00-1980 00:00   github.com/anchore/[email protected]/go.mod
     1929  00-00-1980 00:00   github.com/anchore/[email protected]/go.sum
       58  00-00-1980 00:00   github.com/anchore/[email protected]/test-fixtures/Makefile
  1149066  00-00-1980 00:00   github.com/anchore/[email protected]/test-fixtures/assets/linux_amd64
    72800  00-00-1980 00:00   github.com/anchore/[email protected]/test-fixtures/assets/ls_amd64_signed
    88736  00-00-1980 00:00   github.com/anchore/[email protected]/test-fixtures/assets/ls_arm64e_signed
   187040  00-00-1980 00:00   github.com/anchore/[email protected]/test-fixtures/assets/ls_universal_signed
      763  00-00-1980 00:00   github.com/anchore/[email protected]/test-fixtures/fixture-ls/Makefile
      190  00-00-1980 00:00   github.com/anchore/[email protected]/test-fixtures/fixture-non-mach-o/Makefile
       29  00-00-1980 00:00   github.com/anchore/[email protected]/test-fixtures/fixture-non-mach-o/main.go
     5526  00-00-1980 00:00   github.com/anchore/[email protected]/universal_binary.go
     7259  00-00-1980 00:00   github.com/anchore/[email protected]/universal_binary_test.go
---------                     -------
  1536322                     24 files

where the files in test-fixtures/assets have been dereferenced

[tsgit]

so I wonder if golang or k9s could avoid lfs dereferencing by default to avoid this kind of confusion ?

[csvoisard]

@csvoisard @tsgit Hum... What go version are you running? Also you could try clear out your cache: go clean --modcache --cache && make build

Apologies for the delayed response. I was running go version go1.21.6 linux/amd64

[tsgit]

I use

$ go version
go version go1.21.7 linux/amd64

Anyhow, avoiding git-lfs dereferencing of files via export GIT_LFS_SKIP_SMUDGE=1 is the workaround.