This doesn't seem like a problem with Go versions. The security error is
correct. It looks like the module author tagged v1.1.1 with this go.mod file
<https://proxy.golang.org/github.com/tredoe/osutil/@v/v1.1.1.mod> then
changed the tag to point to a different commit with this file
<https://github.com/tredoe/osutil/blob/v1.1.1/go.mod>.

The file on proxy.golang.org is hashed and included in the checksum
database. It looks like the hash
<https://sum.golang.org/lookup/github.com/tredoe/osutil@v1.1.1> there
is h1:fx79htI3WZA9Ep4jphLFq06l3iRDimfOWTrkKOz+OAA=.
That's the correct one to put in go.sum.

The incorrect version may still be in your module cache. You can remove it
with `go clean -modcache` (though this will remove everything else there,
too).

On Mon, Aug 16, 2021 at 9:19 AM Ian Lance Taylor <i...@golang.org> wrote:

> On Mon, Aug 16, 2021 at 9:11 AM Igor Chubin <i...@chub.in> wrote:
> >
> > When I generate `go.sum` with go 1.16, and try to build it with go of a different version (1.13 in my case), I get `SECURITY ERROR`:
> >
> > ```
> > verifying github.com/tredoe/osutil@v1.1.1/go.mod: checksum mismatch
> > downloaded: h1:fx79htI3WZA9Ep4jphLFq06l3iRDimfOWTrkKOz+OAA=
> > go.sum:     h1:wHEjPMepmXQXkZhf9H4sQcCtmC45KuFo5VR97zG9/dY=
> >
> > SECURITY ERROR
> > This download does NOT match an earlier download recorded in go.sum.
> > The bits may have been replaced on the origin server, or an attacker may
> > have intercepted the download attempt.
> >
> > For more information, see 'go help module-auth'.
> > ```
> >
> > Then I fix (remove the entry and run `go mod tidy`) `go.sum` and try to build it again. It works with 1.13, but the problem appears then with 1.16.
> >
> > So there should be some incompatibility between Go 1.13 and 1.16 (not sure exactly when it was introduced, so don't know about 1.14 and 1.15).
> >
> > Currently, as a workaround, I added this to my build scripts:
> >
> > ```
> > sed -i /osutil/d go.sum \
> > && go mod download github.com/tredoe/osutil
> > ```
> >
> > but it is not a real solution, of course.
> >
> > How am I supposed to fix this problem?
>
> We no longer support Go 1.13.
>
> You can probably work around this problem temporarily and insecurely
> by setting the GONOSUMDB environment variable.  See the mentions of
> GONOSUMDB at https://pkg.go.dev/cmd/go.
>
> Ian
>
> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-nuts+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/golang-nuts/CAOyqgcV56QDp1TXTaNsr%2B1UezWmoMbYRhk8iN58bDRzJq83xkA%40mail.gmail.com
> .
>

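An added illustration, not part of the thread and not the Go toolchain's own source: how the `h1:` value for a go.mod file is derived and compared with a go.sum line, following the Hash1 scheme of golang.org/x/mod/sumdb/dirhash. The function names, the module path `example.com/demo` and both go.mod contents are constructed for the example; they stand in for the file at the original tag and the file at the moved tag.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// goModH1 (hypothetical name) computes the "h1:" hash recorded for a go.mod
// file: SHA-256 over the one-line manifest "<hex sha256 of file>  go.mod\n",
// base64-encoded. Any byte change in go.mod changes the result.
func goModH1(goMod []byte) string {
	fileSum := sha256.Sum256(goMod)
	manifest := fmt.Sprintf("%x  go.mod\n", fileSum)
	sum := sha256.Sum256([]byte(manifest))
	return "h1:" + base64.StdEncoding.EncodeToString(sum[:])
}

// checkGoSum (hypothetical name) finds the "<module> <version>/go.mod <hash>"
// line in go.sum text and reports whether it matches the given go.mod bytes.
func checkGoSum(goSum, module, version string, goMod []byte) (recorded string, ok bool) {
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 3 && f[0] == module && f[1] == version+"/go.mod" {
			return f[2], f[2] == goModH1(goMod)
		}
	}
	return "", false // no go.mod entry for this module version
}

func main() {
	// Constructed go.mod contents: same version tag, two different commits.
	original := []byte("module example.com/demo\n\ngo 1.13\n")
	retagged := []byte("module example.com/demo\n\ngo 1.16\n")

	// Constructed go.sum that recorded the hash of the retagged file.
	goSum := "example.com/demo v1.1.1/go.mod " + goModH1(retagged) + "\n"

	// Verifying the originally published file against that go.sum fails,
	// which is the condition the go command reports as SECURITY ERROR.
	rec, ok := checkGoSum(goSum, "example.com/demo", "v1.1.1", original)
	fmt.Printf("go.sum:     %s\ndownloaded: %s\nmatch: %v\n", rec, goModH1(original), ok)
}
```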