
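GOPROXY causes dependency hash verification to fail

When the same dependency is downloaded through different GOPROXY servers, its hash verification fails.

Reproducing and confirming the problem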

# Create a new test project
mkdir test
cd test
go mod init github.com/k8scat/test

# Check the current GOPROXY
go env GOPROXY # https://proxy.golang.org,direct (this is the default GOPROXY)

# Download the dependency github.com/zoom-lib-golang/zoom-lib-golang
go get github.com/zoom-lib-golang/zoom-lib-golang

# Inspect go.sum at this point
cat go.sum
# github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
# github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=
# github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
# github.com/zoom-lib-golang/zoom-lib-golang v1.0.1 h1:91bM5KretkLZcjc7iaeejb935IARtVOr/WWCCa5SkIU=
# github.com/zoom-lib-golang/zoom-lib-golang v1.0.1/go.mod h1:t3p44iNBETLiJzk0HTH42PumtcP3AHi+Pd/ZY0SPpng=
# gopkg.in/dgrijalva/jwt-go.v3 v3.2.0 h1:N46iQqOtHry7Hxzb9PGrP68oovQmj7EhudNoKHvbOvI=
# gopkg.in/dgrijalva/jwt-go.v3 v3.2.0/go.mod h1:hdNXC2Z9yC029rvsQ/on2ZNQ44Z2XToVhpXXbR+J05A=

# Clear the module cache before downloading the same dependency through another GOPROXY
go clean -modcache

# Set a different GOPROXY
export GOPROXY=https://goproxy.io,direct

# Download the dependency again
go get github.com/zoom-lib-golang/zoom-lib-golang
# Error message:
# verifying github.com/zoom-lib-golang/zoom-lib-golang@v1.0.1/go.mod: checksum mismatch
# downloaded: h1:Rg7IxW7rZUoP/T0YnpDtiypESDnadbv0YvxP0Gjdi6U=
# go.sum: h1:t3p44iNBETLiJzk0HTH42PumtcP3AHi+Pd/ZY0SPpng=

# SECURITY ERROR
# This download does NOT match an earlier download recorded in go.sum.
# The bits may have been replaced on the origin server, or an attacker may
# have intercepted the download attempt.

# For more information, see 'go help module-auth'.

# Try deleting go.sum
go clean -modcache
rm -f go.sum

# Download the dependency once more
go get github.com/zoom-lib-golang/zoom-lib-golang
# Error message:
# go: github.com/zoom-lib-golang/zoom-lib-golang@v1.0.1: verifying go.mod: checksum mismatch
# downloaded: h1:Rg7IxW7rZUoP/T0YnpDtiypESDnadbv0YvxP0Gjdi6U=
# sum.golang.org: h1:t3p44iNBETLiJzk0HTH42PumtcP3AHi+Pd/ZY0SPpng=

# SECURITY ERROR
# This download does NOT match the one reported by the checksum server.
# The bits may have been replaced on the origin server, or an attacker may
# have intercepted the download attempt.

# For more information, see 'go help module-auth'.

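The two errors have different causes:

  1. When go get runs and a go.sum file exists, the dependency hash recorded in go.sum is compared with the hash of the dependency that was actually downloaded. If they do not match, the first error above appears.
  2. If go.sum does not exist, GOSUMDB (sum.golang.org by default) is used to check the hash of the dependency that was actually downloaded. If they do not match, the error from the second attempt above appears.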
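The comparison described in the first cause, as an added example (not code from the original post or from the Go toolchain): it recomputes the h1: hash of a go.mod file and checks it against the matching go.sum line. The module example.com/demo, its file contents and the helper names goModH1 and checkAgainstGoSum are constructed for illustration.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// goModH1 computes the "h1:" value go.sum stores for a go.mod file: SHA-256
// of the summary line "<hex sha256 of file>  go.mod\n", base64-encoded.
func goModH1(goMod []byte) string {
	fileSum := sha256.Sum256(goMod)
	summary := fmt.Sprintf("%x  go.mod\n", fileSum[:])
	total := sha256.Sum256([]byte(summary))
	return "h1:" + base64.StdEncoding.EncodeToString(total[:])
}

// checkAgainstGoSum finds the "<module> <version>/go.mod <hash>" line in
// go.sum and compares it with the hash of the bytes a proxy served.
// It returns the recorded hash, whether it matches, and whether a line was found.
func checkAgainstGoSum(goSum, module, version string, served []byte) (string, bool, bool) {
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 3 && f[0] == module && f[1] == version+"/go.mod" {
			return f[2], f[2] == goModH1(served), true
		}
	}
	return "", false, false
}

func main() {
	// Constructed sample data (not the real zoom-lib-golang files): two go.mod
	// bodies that two proxies might serve for the same module version.
	fromProxyA := []byte("module example.com/demo\n\ngo 1.16\n")
	fromProxyB := []byte("module example.com/demo\n")
	goSum := "example.com/demo v1.0.1/go.mod " + goModH1(fromProxyA) + "\n"

	for _, body := range [][]byte{fromProxyA, fromProxyB} {
		want, ok, _ := checkAgainstGoSum(goSum, "example.com/demo", "v1.0.1", body)
		fmt.Printf("downloaded: %s\ngo.sum:     %s\nmatch: %v\n\n", goModH1(body), want, ok)
	}
}
```

Running the same hash over the .mod file fetched from each proxy shows which one serves bytes that differ from what go.sum or sum.golang.org recorded.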

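Solution

  1. Turn off GOSUMDB, i.e. export GOSUMDB=off, so that downloads are no longer checked against the checksum database
  2. Set GONOSUMDB, a comma-separated list of module path patterns that are exempt from the checksum database, for example: export GONOSUMDB=*.corp.example.com,rsc.io/private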

References

Personal blog

k8scat.com/posts/go/go…

Copyright notice
This article was written by [K8sCat]. Please include a link to the original when reposting. Thanks.
https://cdmana.com/2021/10/20211014043004279m.html
