proxy.golang.org: incorrect ZIP for github.com/aws/jsii-runtime-go@v1.27.0 #45517

Closed
RomainMuller opened this issue Apr 12, 2021 · 3 comments

Comments


RomainMuller commented Apr 12, 2021

What version of Go are you using (go version)?

$ go version
go version go1.16.2 darwin/amd64

Does this issue reproduce with the latest release?

Yep.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/rmuller/Library/Caches/go-build"
GOENV="/Users/rmuller/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/rmuller/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/rmuller/go"
GOPRIVATE=""
GOPROXY="direct"
GOROOT="/usr/local/Cellar/go/1.16.2/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.16.2/libexec/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.16.2"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/rmuller/Development/Demos/Go/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/tg/vz53g2791rzc2h_86hxxz1cc0000gr/T/go-build2736582915=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Attempt to go mod download github.com/aws/jsii/[email protected] when GOPROXY=direct.

What did you expect to see?

Expected to obtain the same data from proxy.golang.org and direct.

What did you see instead?

$ GOPROXY=direct go mod download -json "github.com/aws/jsii-runtime-go@v1.27.0"
go: github.com/aws/aws-cdk-go/[email protected] requires
	github.com/aws/jsii-runtime-go@v1.27.0: verifying go.mod: checksum mismatch
	downloaded: h1:+9t6P1aXlPO0lXa8LtXGBUTcf5tbUekFFFQ4ewFIqAk=
	sum.golang.org: h1:9ddMDdGQwew6pQrfuTID/LxDDrpyrybwsWN84etzjQ8=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

This is because the ZIP file cached (and hashed) at proxy.golang.org for this version is actually the code from version 1.26.0.

At this stage I am not sure how this happened. We published github.com/aws/jsii-runtime-go@v1.27.0 about 6 days ago to GitHub and have not done any force-push or re-publish on that as far as I know. I also don't know that the tag has been moved or anything.

The cached entry on the proxy should be invalidated and re-fetched? If there are any indications of how this happened, and it is because of how we did things, please educate us!
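
For readers who want to see exactly what the SECURITY ERROR above compares, here is an added example (not the go command's source and not part of this issue) that implements the h1: module hash go.sum and sum.golang.org record and replays the mismatch with constructed stand-in files. The module name example.com/runtime, its two file sets and the helper names are assumptions for illustration, not the real jsii-runtime-go content.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// hash1 is the "h1:" hash go.sum and sum.golang.org record: one "<sha256 hex>  <name>\n"
// line per file, sorted by name, then "h1:" + base64(sha256(all lines)).
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	var summary bytes.Buffer
	for _, name := range names {
		sum := sha256.Sum256(files[name])
		fmt.Fprintf(&summary, "%x  %s\n", sum[:], name)
	}
	digest := sha256.Sum256(summary.Bytes())
	return "h1:" + base64.StdEncoding.EncodeToString(digest[:])
}

// goModHash is the "<module> <version>/go.mod h1:..." entry: hash1 over a single file
// named go.mod. It is the hash behind the "verifying go.mod" error in the report.
func goModHash(gomod []byte) string {
	return hash1(map[string][]byte{"go.mod": gomod})
}

// moduleHash is the "<module> <version> h1:..." entry: hash1 over the module zip's
// entries, each keyed by "module@version/path". Only names and contents count; zip
// metadata and entry order do not.
func moduleHash(modVersion string, files map[string]string) string {
	entries := make(map[string][]byte, len(files))
	for path, content := range files {
		entries[modVersion+"/"+path] = []byte(content)
	}
	return hash1(entries)
}

// verify is the go command's check: the hash of the bytes actually downloaded must
// equal the hash the checksum database recorded for that module version.
func verify(downloaded, recorded string) error {
	if downloaded != recorded {
		return fmt.Errorf("checksum mismatch\n\tdownloaded: %s\n\tsum.golang.org: %s", downloaded, recorded)
	}
	return nil
}

// Constructed stand-ins for two releases of one module (not the real jsii-runtime-go files).
var (
	v126 = map[string]string{
		"go.mod":     "module example.com/runtime\n\ngo 1.16\n",
		"runtime.go": "package runtime\n\nconst Version = \"1.26.0\"\n",
	}
	v127 = map[string]string{
		"go.mod":     "module example.com/runtime\n\ngo 1.16\n\nrequire example.com/dep v1.0.0\n",
		"runtime.go": "package runtime\n\nconst Version = \"1.27.0\"\n",
	}
)

// simulateProxyMismatch reproduces the report: the proxy (and through it sum.golang.org)
// hashed v1.26.0's files under the v1.27.0 name, while GOPROXY=direct hashes the real tag.
func simulateProxyMismatch() error {
	const mv = "example.com/runtime@v1.27.0"
	recorded := moduleHash(mv, v126)   // what proxy.golang.org cached and sum.golang.org signed
	downloaded := moduleHash(mv, v127) // what a direct fetch of the tag actually contains
	return verify(downloaded, recorded)
}

func main() {
	if err := simulateProxyMismatch(); err != nil {
		fmt.Println("SECURITY ERROR:", err)
	}
}
```

Running it prints a checksum mismatch in the same shape as the report's, because the hash covers only entry names and contents: the same bytes under the v1.27.0 name always hash to the same value, and any difference in those bytes produces a different one. To compare against the live record, the line sum.golang.org holds can be fetched from https://sum.golang.org/lookup/github.com/aws/jsii-runtime-go@v1.27.0 and the zip the proxy serves from https://proxy.golang.org/github.com/aws/jsii-runtime-go/@v/v1.27.0.zip.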


RomainMuller commented Apr 12, 2021

Looking at the proxy, it appears 1.27.0 was somehow "created" at the same time as 1.26.0 was:

$ curl -L "https://proxy.golang.org/github.com/aws/jsii-runtime-go/@v/v1.27.0.info"
{"Version":"v1.27.0","Time":"2021-03-22T15:53:25Z"}
$ curl -L "https://proxy.golang.org/github.com/aws/jsii-runtime-go/@v/v1.26.0.info"
{"Version":"v1.26.0","Time":"2021-03-22T15:53:25Z"}

The commit for 1.26.0 is aws/jsii-runtime-go@ec37187 (March 22nd).
The one for 1.27.0 is aws/jsii-runtime-go@8c33a80 (April 6th).

The ZIP files do however differ (they have different checksums, at least).

@FiloSottile (Contributor)

It is not possible to invalidate an existing version in the Checksum Database, as it is an immutable log by design.

Concretely, your best option is to publish a v1.27.1, and optionally retract v1.27.0.

To understand how this happened, I recommend looking at the GitHub events API, which will show whether a v1.27.0 tag was temporarily created and then deleted.
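
To act on the events API suggestion, here is an added example (not part of this issue and not the aws/jsii project's code) that takes the JSON returned by GET /repos/{owner}/{repo}/events, orders the tag CreateEvent and DeleteEvent entries per tag oldest first, and flags tags that were deleted and created again. The sampleEvents input is a constructed excerpt shaped like that API's output, not the real repository's history, and the type and function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// sampleEvents is a constructed excerpt in the shape of GET /repos/{owner}/{repo}/events
// (newest first). It is not the real aws/jsii-runtime-go event stream.
const sampleEvents = `[
  {"type":"PushEvent","created_at":"2021-04-06T10:05:00Z","payload":{}},
  {"type":"CreateEvent","created_at":"2021-04-06T10:00:00Z","payload":{"ref":"v1.27.0","ref_type":"tag"}},
  {"type":"DeleteEvent","created_at":"2021-04-06T09:30:00Z","payload":{"ref":"v1.27.0","ref_type":"tag"}},
  {"type":"CreateEvent","created_at":"2021-04-06T09:00:00Z","payload":{"ref":"v1.27.0","ref_type":"tag"}},
  {"type":"CreateEvent","created_at":"2021-04-01T12:00:00Z","payload":{"ref":"main","ref_type":"branch"}},
  {"type":"CreateEvent","created_at":"2021-03-22T16:00:00Z","payload":{"ref":"v1.26.0","ref_type":"tag"}}
]`

// event is the subset of an events API entry that matters here: CreateEvent and
// DeleteEvent carry payload.ref and payload.ref_type ("tag" or "branch").
type event struct {
	Type      string    `json:"type"`
	CreatedAt time.Time `json:"created_at"`
	Payload   struct {
		Ref     string `json:"ref"`
		RefType string `json:"ref_type"`
	} `json:"payload"`
}

// tagAction is one create or delete of a tag.
type tagAction struct {
	When   time.Time
	Action string // "created" or "deleted"
}

// tagHistory groups tag creates and deletes by tag name, oldest first, ignoring
// branch events and every other event type.
func tagHistory(raw []byte) (map[string][]tagAction, error) {
	var events []event
	if err := json.Unmarshal(raw, &events); err != nil {
		return nil, err
	}
	hist := make(map[string][]tagAction)
	for _, e := range events {
		if e.Payload.RefType != "tag" {
			continue
		}
		switch e.Type {
		case "CreateEvent":
			hist[e.Payload.Ref] = append(hist[e.Payload.Ref], tagAction{e.CreatedAt, "created"})
		case "DeleteEvent":
			hist[e.Payload.Ref] = append(hist[e.Payload.Ref], tagAction{e.CreatedAt, "deleted"})
		}
	}
	for _, acts := range hist {
		sort.Slice(acts, func(i, j int) bool { return acts[i].When.Before(acts[j].When) })
	}
	return hist, nil
}

// recreatedTags lists tags that were deleted at some point and exist again now. A proxy
// or checksum database that saw the first tag keeps that content for the version for
// good, so such a version has to be retracted and a fresh one published.
func recreatedTags(hist map[string][]tagAction) []string {
	var out []string
	for tag, acts := range hist {
		deleted := false
		for _, a := range acts {
			deleted = deleted || a.Action == "deleted"
		}
		if deleted && acts[len(acts)-1].Action == "created" {
			out = append(out, tag)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	hist, err := tagHistory([]byte(sampleEvents))
	if err != nil {
		panic(err)
	}
	for _, tag := range recreatedTags(hist) {
		fmt.Printf("%s was deleted and re-created:\n", tag)
		for _, a := range hist[tag] {
			fmt.Printf("  %s %s\n", a.When.Format(time.RFC3339), a.Action)
		}
	}
}
```

In practice the feed is paginated and only holds recent events, so the check has to be run soon after the suspicious release. Once a tag shows up in the flagged list, the remedy is the one described above: publish a new version whose go.mod carries a `retract v1.27.0` directive (with a comment giving the reason), since neither proxy.golang.org nor sum.golang.org can be made to forget what they recorded.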

@RomainMuller (Author)

Alright - thanks for pointing me to the events API... It explains... everything.

Looks like we're on to actually retract this version and publish another one!

mergify bot pushed a commit to aws/jsii that referenced this issue Apr 12, 2021
It was manually created, then deleted, then re-created and now does not
work properly, as proxy.golang.org has incorrect artifacts in it, and
sum.golang.org has the incorrect checksum, and both of these are
designed to be immutable (as a security measure).

Fixing this requires retracting 1.27.0 and releasing a new version (e.g:
1.27.1).

Related: golang/go#45517

The original issue was found & reported by @cristim

Fixes #2775

---

By submitting this pull request, I confirm that my contribution is made under the terms of the [Apache 2.0 license].

[Apache 2.0 license]: https://www.apache.org/licenses/LICENSE-2.0
@golang golang locked and limited conversation to collaborators Apr 12, 2022