When dependencies are downloaded through a different GOPROXY, their hash verification fails.
Reproducing and confirming the problem
# Create a new test project
mkdir test
cd test
go mod init github.com/k8scat/test

# Check the current GOPROXY
go env GOPROXY
# https://proxy.golang.org,direct, which is the default GOPROXY

# Download the dependency github.com/zoom-lib-golang/zoom-lib-golang
go get github.com/zoom-lib-golang/zoom-lib-golang

# Look at go.sum at this point
cat go.sum
# github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
# github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=
# github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
# github.com/zoom-lib-golang/zoom-lib-golang v1.0.1 h1:91bM5KretkLZcjc7iaeejb935IARtVOr/WWCCa5SkIU=
# github.com/zoom-lib-golang/zoom-lib-golang v1.0.1/go.mod h1:t3p44iNBETLiJzk0HTH42PumtcP3AHi+Pd/ZY0SPpng=
# gopkg.in/dgrijalva/jwt-go.v3 v3.2.0 h1:N46iQqOtHry7Hxzb9PGrP68oovQmj7EhudNoKHvbOvI=
# gopkg.in/dgrijalva/jwt-go.v3 v3.2.0/go.mod h1:hdNXC2Z9yC029rvsQ/on2ZNQ44Z2XToVhpXXbR+J05A=

# Clear the module cache before downloading the same dependency through another GOPROXY
go clean -modcache

# Set a different GOPROXY
export GOPROXY=https://goproxy.io,direct

# Download the dependency again
go get github.com/zoom-lib-golang/zoom-lib-golang
# Error message:
# verifying github.com/zoom-lib-golang/zoom-lib-golang@v1.0.1/go.mod: checksum mismatch
#     downloaded: h1:Rg7IxW7rZUoP/T0YnpDtiypESDnadbv0YvxP0Gjdi6U=
#     go.sum:     h1:t3p44iNBETLiJzk0HTH42PumtcP3AHi+Pd/ZY0SPpng=
#
# SECURITY ERROR
# This download does NOT match an earlier download recorded in go.sum.
# The bits may have been replaced on the origin server, or an attacker may
# have intercepted the download attempt.
#
# For more information, see 'go help module-auth'.

# Delete go.sum and try again
go clean -modcache
rm -f go.sum

# Download the dependency once more
go get github.com/zoom-lib-golang/zoom-lib-golang
# Error message:
# go: github.com/zoom-lib-golang/zoom-lib-golang@v1.0.1: verifying go.mod: checksum mismatch
#     downloaded: h1:Rg7IxW7rZUoP/T0YnpDtiypESDnadbv0YvxP0Gjdi6U=
#     sum.golang.org: h1:t3p44iNBETLiJzk0HTH42PumtcP3AHi+Pd/ZY0SPpng=
#
# SECURITY ERROR
# This download does NOT match the one reported by the checksum server.
# The bits may have been replaced on the origin server, or an attacker may
# have intercepted the download attempt.
#
# For more information, see 'go help module-auth'.
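The two errors have different causes:
When go.sum exists, go get compares the dependency hashes recorded in go.sum with the hashes of the dependencies it actually downloaded. If they do not match, the first error above is reported.
When go.sum does not exist, go get checks the hashes of the downloaded dependencies against GOSUMDB (sum.golang.org by default). If they do not match, the error from the second attempt above is reported.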
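The comparison described above, as an added example that is not code from the original post: it computes the `h1:` value the go command records for a `/go.mod` entry (SHA-256 over the one-line manifest `<hex sha256>  go.mod\n`, base64-encoded) and checks it against go.sum text. The function names, the module path `example.com/hypothetical/lib` and the go.mod contents are constructed for illustration.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// goModH1 returns the "h1:" hash of go.mod bytes: the file is hashed, the
// manifest line "<hex>  go.mod\n" is built, and that line is hashed again.
func goModH1(goMod []byte) string {
	fileSum := sha256.Sum256(goMod)
	manifest := fmt.Sprintf("%x  go.mod\n", fileSum)
	sum := sha256.Sum256([]byte(manifest))
	return "h1:" + base64.StdEncoding.EncodeToString(sum[:])
}

// checkGoSum finds "<module> <version>/go.mod" in go.sum text and compares the
// recorded hash with the hash of the bytes a proxy served.
// It returns "match", "mismatch" or "missing".
func checkGoSum(goSum, module, version string, served []byte) string {
	want := module + " " + version + "/go.mod"
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 3 && f[0]+" "+f[1] == want {
			if f[2] == goModH1(served) {
				return "match"
			}
			return "mismatch"
		}
	}
	return "missing"
}

func main() {
	// Constructed sample: two proxies serve different go.mod bytes for one version.
	proxyA := []byte("module example.com/hypothetical/lib\n\ngo 1.13\n")
	proxyB := []byte("module example.com/hypothetical/lib\n\ngo 1.14\n")
	goSum := "example.com/hypothetical/lib v1.0.1/go.mod " + goModH1(proxyA) + "\n"
	fmt.Println(checkGoSum(goSum, "example.com/hypothetical/lib", "v1.0.1", proxyA)) // match
	fmt.Println(checkGoSum(goSum, "example.com/hypothetical/lib", "v1.0.1", proxyB)) // mismatch
}
```

Any byte difference in the served go.mod, including line endings, changes the hash, so a mismatch only shows that the two sources served different bytes for the same version.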
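Solutions
Disable GOSUMDB, i.e. export GOSUMDB=off (this turns off checksum database verification for all modules).
Set GONOSUMDB, which skips the checksum database only for module paths matching the listed patterns, for example: export GONOSUMDB=*.corp.example.com,rsc.io/private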
Personal blog
https://k8scat.com/posts/go/goproxy-and-gosumdb/