
docker/distribution v2.8.0 causes security error #977

Closed
bryan-aguilar opened this issue Feb 15, 2022 · 11 comments
Labels
CI/CD CI/CD related issues/improvements dependencies Pull requests that update a dependency file stale

Comments

@bryan-aguilar
Member

Describe the bug
go mod tidy produces a security error after upgrading docker/distribution

go: downloading github.com/docker/distribution v2.8.0+incompatible
github.com/aws-observability/aws-otel-collector/pkg/defaultcomponents imports
	github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awscontainerinsightreceiver imports
	github.com/open-telemetry/opentelemetry-collector-contrib/receiver/awscontainerinsightreceiver/internal/cadvisor imports
	github.com/google/cadvisor/container/docker imports
	github.com/docker/docker/client imports
	github.com/docker/distribution/reference: github.com/docker/distribution@v2.8.0+incompatible: verifying module: checksum mismatch
	downloaded: h1:u9vuu6qqG7nN9a735Noed0ahoUm30iipVRlhgh72N0M=
	sum.golang.org: h1:l9EaZDICImO1ngI+uTifW+ZYvvz7fKISBAKpg+MbWbY=

Steps to reproduce
Upgrade docker distribution and run go mod tidy

What did you expect to see?
No error

What did you see instead?
Error listed above.

Environment
go 1.17

@jbonzo

jbonzo commented Feb 18, 2022

Interesting. I experienced it but with the hashes flipped

verifying github.com/docker/distribution@v2.8.0+incompatible: checksum mismatch
        downloaded: h1:l9EaZDICImO1ngI+uTifW+ZYvvz7fKISBAKpg+MbWbY=
        go.sum:     h1:u9vuu6qqG7nN9a735Noed0ahoUm30iipVRlhgh72N0M=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

@ghost

ghost commented Feb 19, 2022

I got the same thing today while trying to build a contain...

 > [build-go 7/9] RUN go mod download:
#29 1676.2 verifying github.com/docker/distribution@v2.8.0+incompatible: checksum mismatch
#29 1676.2 	downloaded: h1:u9vuu6qqG7nN9a735Noed0ahoUm30iipVRlhgh72N0M=
#29 1676.2 	go.sum:     h1:l9EaZDICImO1ngI+uTifW+ZYvvz7fKISBAKpg+MbWbY=
#29 1676.2
#29 1676.2 SECURITY ERROR
#29 1676.2 This download does NOT match an earlier download recorded in go.sum.
#29 1676.2 The bits may have been replaced on the origin server, or an attacker may
#29 1676.2 have intercepted the download attempt.
#29 1676.2
#29 1676.2 For more information, see 'go help module-auth'.
------
failed to solve: rpc error: code = Unknown desc = executor failed running [/bin/sh -c go mod download]: exit code: 1

This is what my Dockerfile looks like:

FROM golang:1.17rc2-alpine3.14 as build-go
ENV GOPATH ""
RUN go env -w GOPROXY=direct
RUN apk add git

WORKDIR /project
#
# Speed up dependency download with a separate layer
ADD go.mod .
ADD go.sum .
RUN go mod download
# now add the code
COPY . .
## build the app
RUN CGO_ENABLED=0 GOOS=linux go build -installsuffix cgo -o app .

I am running on a MacBook Pro (2020 Intel CPU)

@anuraaga
Contributor

#981 might be a way to work around having this dependency

@ghost

ghost commented Feb 21, 2022

Also a notable workaround... I found pinning the version to 2.7.1 worked.

@bryan-aguilar
Member Author

Also a notable workaround... I found pinning the version to 2.7.1 worked.

This would work but does not address the dependabot security vulnerability that was triggered with versions < 2.8.0

@Aneurysm9
Member

#981 might be a way to work around having this dependency

Unfortunately, not. While #981 is a good idea, the dependency also comes from upstream modules used in the collector distribution. I don't think that it would address those dependencies.

@ghost

ghost commented Feb 21, 2022

I found my root cause with this thread:

distribution/distribution#3590

I am using GOPROXY=direct and thus downloading directly from GitHub the current state of the module. This does not agree with sum.golang.org, which must have acquired a previous state of the module with that tag. That state is still available from proxy.golang.org

@bryan-aguilar
Member Author

I found my root cause with this thread:

distribution/distribution#3590

I am using GOPROXY=direct and thus downloading directly from GitHub the current state of the module. This does not agree with sum.golang.org, which must have acquired a previous state of the module with that tag. That state is still available from proxy.golang.org

This would also explain the issue on my end.
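
The root cause above (same tag, different tree, different `h1:` hash) can be seen by computing the hash the way `go.sum` and sum.golang.org record it. The following is an added example, not code from this thread or from the go tool; it reimplements the `h1:` directory hash with the standard library over constructed module contents (the file names and bodies are made up, not the real docker/distribution tree).

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// hash1 reproduces the go.sum "h1:" hash: sha256 over one line per file,
// "<hex sha256 of content>  <zip entry name>\n", in sorted name order,
// then base64. Entry names are "module@version/path" as in the module zip.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(h, "%x  %s\n", sum, n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// verify mirrors the go tool's check: the hash of what was just downloaded
// must equal the hash already recorded in go.sum (or by sum.golang.org).
func verify(recorded, downloaded string) error {
	if recorded != downloaded {
		return fmt.Errorf("checksum mismatch\n\tdownloaded: %s\n\tgo.sum:     %s", downloaded, recorded)
	}
	return nil
}

func main() {
	const mod, ver = "github.com/docker/distribution", "v2.8.0+incompatible"
	prefix := mod + "@" + ver + "/"
	// Constructed contents of the tag as first published (recorded by sum.golang.org).
	original := map[string][]byte{
		prefix + "go.mod":                 []byte("module " + mod + "\n"),
		prefix + "reference/reference.go": []byte("package reference\n"),
	}
	// Constructed contents after the tag was moved: one file differs.
	retagged := map[string][]byte{
		prefix + "go.mod":                 original[prefix+"go.mod"],
		prefix + "reference/reference.go": []byte("package reference // re-tagged\n"),
	}
	fmt.Printf("%s %s %s\n", mod, ver, hash1(original)) // the go.sum line
	if err := verify(hash1(original), hash1(retagged)); err != nil {
		fmt.Println("SECURITY ERROR:", err) // GOPROXY=direct fetches the moved tag
	}
}
```

Fetching through proxy.golang.org returns the tree that sum.golang.org recorded, so the hashes agree; fetching the moved tag directly from the origin does not.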

@bryan-aguilar
Member Author

Relevant upstream PR distribution/distribution#3596

@bryan-aguilar bryan-aguilar added CI/CD CI/CD related issues/improvements dependencies Pull requests that update a dependency file labels Feb 25, 2022
@github-actions
Contributor

github-actions bot commented May 1, 2022

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

@github-actions github-actions bot added the stale label May 1, 2022
@github-actions
Contributor

github-actions bot commented Jun 5, 2022

This issue was closed because it has been marked as stale for 30 days with no activity.

@github-actions github-actions bot closed this as completed Jun 5, 2022