[GODRIVER-1851] verifying go.mongodb.org/mongo-driver@v1.4.5: checksum mismatch Created: 25/Jan/21  Updated: 27/Oct/23  Resolved: 02/Feb/21

Status: Closed
Project: Go Driver
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Drew Wells Assignee: Divjot Arora (Inactive)
Resolution: Gone away Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

We are seeing checksum mismatches for the mongo-driver package. https://github.com/mongodb/mongo-go-driver/releases/tag/v1.4.5

Was this tag published multiple times with different commit histories? Here's a blurb from our GitHub Action; feel free to look at it here: https://github.com/infobloxopen/konk/pull/164/checks?check_run_id=1763876974 Click the PR and it should scroll to the location.


2021-01-25T17:55:21.2288352Z verifying go.mongodb.org/mongo-driver@v1.4.5: checksum mismatch
2021-01-25T17:55:21.2289491Z 	downloaded: h1:TLtO+iD8krabXxvY1F1qpBOHgOxhLWR7XsT7kQeRmMY=
2021-01-25T17:55:21.2290496Z 	go.sum:     h1:z4/YQzLTxI+ymcrS//Wc2JBn2b9ojvpVH3BaYT8rqUc=
2021-01-25T17:55:21.2290924Z 
2021-01-25T17:55:21.2291238Z SECURITY ERROR
2021-01-25T17:55:21.2291743Z This download does NOT match an earlier download recorded in go.sum.
2021-01-25T17:55:21.2292419Z The bits may have been replaced on the origin server, or an attacker may
2021-01-25T17:55:21.2293009Z have intercepted the download attempt.
2021-01-25T17:55:21.2293328Z 
2021-01-25T17:55:21.2293915Z For more information, see 'go help module-auth'.
2021-01-25T17:55:27.4756800Z The command '/bin/sh -c go mod download' returned a non-zero code: 1

Comments
Comment by Divjot Arora (Inactive) [ 02/Feb/21 ]

Closing as we believe this should have gone away with the new v1.4.6 release. If anyone has this issue when upgrading to that release, please feel free to leave another comment or open a new ticket and we can investigate as needed.

Comment by Divjot Arora (Inactive) [ 02/Feb/21 ]

We've released version 1.4.6 of the driver, so hopefully this problem will go away.

Comment by Divjot Arora (Inactive) [ 27/Jan/21 ]

bbytheway@solutionreach.com Apologies for the inconvenience. I'm actively looking into what's causing this.

Comment by Ben Bytheway [ 27/Jan/21 ]

I wanted to add that I also ran into this issue today. It seems there are different packages of the driver getting served up, which breaks the hash verification. We had to pin the driver back to 1.4.4 for now:


verifying go.mongodb.org/mongo-driver@v1.4.5:
    checksum mismatch
    downloaded: h1:z4/YQzLTxI+ymcrS//Wc2JBn2b9ojvpVH3BaYT8rqUc=
    go.sum: h1:TLtO+iD8krabXxvY1F1qpBOHgOxhLWR7XsT7kQeRmMY=

Comment by Divjot Arora (Inactive) [ 27/Jan/21 ]

Thanks for the helpful information. ligser@gmail.com The difference between your local setup and Dependabot seems like a promising place to start. I'll do some more investigation into that. Also, we're planning on doing a 1.4.6 release next Tuesday, so this issue may go away once that happens.

– Divjot

Comment by Roman Domrachev [ 27/Jan/21 ]

This might be a CDN issue.

On my local laptop (located in Moscow) I receive:

 go.mongodb.org/mongo-driver v1.4.5 h1:TLtO+iD8krabXxvY1F1qpBOHgOxhLWR7XsT7kQeRmMY=
 go.mongodb.org/mongo-driver v1.4.5/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc=

Dependabot (I don't know where it is located) produces:

go.mongodb.org/mongo-driver v1.4.5 h1:z4/YQzLTxI+ymcrS//Wc2JBn2b9ojvpVH3BaYT8rqUc=
go.mongodb.org/mongo-driver v1.4.5/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc= 

And my CI, located in the DigitalOcean FRA region, downloads the same as Dependabot:

#16 216.1 verifying go.mongodb.org/mongo-driver@v1.4.5: checksum mismatch
#16 216.1 downloaded: h1:z4/YQzLTxI+ymcrS//Wc2JBn2b9ojvpVH3BaYT8rqUc=
#16 216.1 go.sum: h1:TLtO+iD8krabXxvY1F1qpBOHgOxhLWR7XsT7kQeRmMY=
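
Two checks a maintainer can run when go.sum entries disagree between environments, as the comment above does by hand: an added Go example (not driver or Go-toolchain code) that recomputes the "h1:" form of a module checksum from an in-memory file tree and diffs two go.sum texts for the same module@version. The file tree and the go.sum texts passed in are constructed; the h1: values from this ticket are compared as plain strings.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Hash1 recomputes a Go module "h1:" checksum: sha256 over the sorted
// "<sha256 hex>  <path>\n" lines of the zip's files, then base64 (the scheme
// of golang.org/x/mod/sumdb/dirhash.Hash1; real entries are "module@version/path").
func Hash1(files map[string][]byte) string {
	paths := make([]string, 0, len(files))
	for p := range files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, p := range paths {
		fmt.Fprintf(h, "%x  %s\n", sha256.Sum256(files[p]), p)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// parseSum maps "module version" -> hash for each well-formed go.sum line.
func parseSum(text string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 3 {
			out[f[0]+" "+f[1]] = f[2]
		}
	}
	return out
}

// CompareSums returns keys present in both go.sum texts with differing hashes
// as key -> {hash in a, hash in b}; any entry is what go reports as a mismatch.
func CompareSums(a, b string) map[string][2]string {
	ma, mb := parseSum(a), parseSum(b)
	out := map[string][2]string{}
	for k, ha := range ma {
		if hb, ok := mb[k]; ok && hb != ha {
			out[k] = [2]string{ha, hb}
		}
	}
	return out
}
```

A non-empty result from CompareSums on two CI environments' go.sum files localises the disagreement to specific module versions before anyone touches GOFLAGS or GONOSUMDB.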

Comment by Andrew Garner [ 27/Jan/21 ]

I encountered the exact same error after updating the go-openapi dependency using `go get -u github.com/go-openapi/validate` 

Running `go get go.mongodb.org/mongo-driver@v1.4.5` on my develop branch also produces the same error

Looks like it might be an error in the https://sum.golang.org/ database?

Comment by Divjot Arora (Inactive) [ 26/Jan/21 ]

dwells@infoblox.com I was unable to reproduce this issue. On a fresh host, I created a "v145test" module and ran "go get go.mongodb.org/mongo-driver@v1.4.5". After this, go.sum contains these lines:

go.mongodb.org/mongo-driver v1.4.5 h1:TLtO+iD8krabXxvY1F1qpBOHgOxhLWR7XsT7kQeRmMY=
go.mongodb.org/mongo-driver v1.4.5/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc=

The go.sum file in the source code for go-openapi/loads@v0.20.1 contains these lines as well. However, the go.sum file in the PR you linked contains this:

go.mongodb.org/mongo-driver v1.4.5 h1:z4/YQzLTxI+ymcrS//Wc2JBn2b9ojvpVH3BaYT8rqUc=
go.mongodb.org/mongo-driver v1.4.5/go.mod h1:WcMNYLx/IlOxLe6JRJiv2uXuCz6zBLndR4SoGjYphSc=

This seems to be the cause of this mismatch, so I think the next debugging step is to figure out this discrepancy. I downloaded infobloxopen/konk, ran "go build ./..." in the test/apiserver directory to fetch all of the existing modules, and then ran github.com/go-openapi/loads@v0.20.1. The final go.sum file contained the same line for the mongo-driver dependency as my module and openapi (h1:TLtO...).

I'm unable to figure out why the go.sum file in the linked PR contains h1:z4... rather than h1:TLtO... as the checksum. Can you provide the exact commands that were run to upgrade the go-openapi/loads dependency so we can continue investigating?

– Divjot

Comment by Drew Wells [ 25/Jan/21 ]

We're using go 1.15.x https://github.com/infobloxopen/konk/blob/main/.github/workflows/pr.yaml#L92-L95

Comment by Divjot Arora (Inactive) [ 25/Jan/21 ]

Hi dwells@infoblox.com,

Thank you for the bug report. We apologize for any inconvenience this has caused you and will look into fixing it and possibly issuing another release ASAP. Can you share the version of Go you're using in your Github action to do this verification?

– Divjot

Generated at Thu Feb 08 08:37:16 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.