Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vault 1.4.0 fails build with a checksum mismatch #8769

Closed
williamh opened this issue Apr 17, 2020 · 6 comments
Closed

Vault 1.4.0 fails build with a checksum mismatch #8769

williamh opened this issue Apr 17, 2020 · 6 comments
Labels
release/build

Comments

@williamh
Copy link

Hello,

I am working on upgrading the vault package on Gentoo linux to 1.4.0 and ran into an issue with the build.

Describe the bug

Vault 1.4.0 fails to build due to a checksum mismatch

To Reproduce
Steps to reproduce the behavior:

william@linux1 vault $ git describe --tags
v1.4.0
william@linux1 vault $ make
==> Checking that build is using go version >= 1.13.7...
==> Using go version 1.14.2...
verifying github.com/hashicorp/vault-plugin-auth-gcp@v0.6.0/go.mod: checksum mismatch
        downloaded: h1:76zmoG/Dhz82KD6bHKTyos/cmJbGwylyJ2LbP9SA3Xc=
        go.sum:     h1:8eBRzg+JIhAaDBfDndDAQKIhDrQ3WW8OPklxAYftNFs=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
make: *** [Makefile:117: prep] Error 1
william@linux1 vault $

Expected behavior

The build should be successful.

Thanks much for your time,

William
@kalafut
Copy link
Contributor

kalafut commented Apr 17, 2020

@williamh Can you try adding set the GOPROXY=direct environment variable before the build in order to not use the Go module proxy? An incorrect version was cached recently and has been causing this error.

@williamh
Copy link
Author

@kalafut That got me further; it looks like I need to install go-bindata-assetfs to go further. I'll continue working on this. However, I have another question, There is a vendor directory in your repository, so I think this should contain all of the go dependencies. Is there an easy way to add the "-mod=vendor" switch to all of the appropriate places in your build system so we rely on the vendor directory instead of pulling go code from the network?

@kalafut
Copy link
Contributor

kalafut commented Apr 17, 2020
edited

@williamh You may want to look at how the make boostrap target works, or even the Dockerfile to review the requisite tools. Regarding the vendoring, I believe as of Go 1.14, referring to vendor/ (if present and consistent with go.mod) will actually be the default behavior (https://golang.org/doc/go1.14#go-command), though we've not yet updated our go.mod to 1.14.

@bweston92
Copy link

Had to use GOSUMDB=off so it doesn't check against sum.golang.org.

@kalafut
Copy link
Contributor

kalafut commented May 3, 2020

All plugin tags were updated in #8770 to address this for future Vault tags.

@kalafut kalafut closed this as completed May 3, 2020
@maolin-sen
Copy link

GOSUMDB=off
yes,well done.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
release/build
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@williamh @kalafut @bweston92 @calvn @maolin-sen