Golang checksum error

Community Support
1

I’m trying to vendor the temporal golang sdk and I’m running into a checksum error.

go get go.temporal.io/sdk
go: downloading go.temporal.io/sdk v1.10.0
go get: go.temporal.io/sdk@v1.10.0: verifying module: checksum mismatch
downloaded: h1:t0t/mtBxetBZUhvLB2mE2g7lgZcJDRAf1OPkV63+CfM=
sum.golang.org: h1:JfzXWB+/EcDcC6poz6/k0dc57qas+Es1LMcIXEvP8IA=

I’ve cleaned my modcache and reset the go.mod and sum files and still am encountering this issue. Is this affecting anyone else?

2

Here is the full log message when attempting to re-initialize the module:

github.com/vendasta/gosdks/temporal imports
	go.temporal.io/sdk/activity: go.temporal.io/sdk@v1.10.0: verifying module: checksum mismatch
	downloaded: h1:t0t/mtBxetBZUhvLB2mE2g7lgZcJDRAf1OPkV63+CfM=
	sum.golang.org: h1:JfzXWB+/EcDcC6poz6/k0dc57qas+Es1LMcIXEvP8IA=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

github.com/vendasta/gosdks/temporal imports
	go.temporal.io/sdk/client: go.temporal.io/sdk@v1.10.0: verifying module: checksum mismatch
	downloaded: h1:t0t/mtBxetBZUhvLB2mE2g7lgZcJDRAf1OPkV63+CfM=
	sum.golang.org: h1:JfzXWB+/EcDcC6poz6/k0dc57qas+Es1LMcIXEvP8IA=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

github.com/vendasta/gosdks/temporal imports
	go.temporal.io/sdk/temporal: go.temporal.io/sdk@v1.10.0: verifying module: checksum mismatch
	downloaded: h1:t0t/mtBxetBZUhvLB2mE2g7lgZcJDRAf1OPkV63+CfM=
	sum.golang.org: h1:JfzXWB+/EcDcC6poz6/k0dc57qas+Es1LMcIXEvP8IA=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

github.com/vendasta/gosdks/temporal imports
	go.temporal.io/sdk/worker: go.temporal.io/sdk@v1.10.0: verifying module: checksum mismatch
	downloaded: h1:t0t/mtBxetBZUhvLB2mE2g7lgZcJDRAf1OPkV63+CfM=
	sum.golang.org: h1:JfzXWB+/EcDcC6poz6/k0dc57qas+Es1LMcIXEvP8IA=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

github.com/vendasta/gosdks/temporal imports
	go.temporal.io/sdk/workflow: go.temporal.io/sdk@v1.10.0: verifying module: checksum mismatch
	downloaded: h1:t0t/mtBxetBZUhvLB2mE2g7lgZcJDRAf1OPkV63+CfM=
	sum.golang.org: h1:JfzXWB+/EcDcC6poz6/k0dc57qas+Es1LMcIXEvP8IA=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
3

I am not able to replicate with a fresh module and no cache. A go get go.temporal.io/sdk and downloads v1.10.0 and the go.sum file shows:

go.temporal.io/sdk v1.10.0 h1:JfzXWB+/EcDcC6poz6/k0dc57qas+Es1LMcIXEvP8IA

I wonder if you have a different checksum or different cache locally for whatever reason. You might be able to remove it from the module cache (in bash, the dir is $(go env GOMODCACHE)/go.temporal.io) and try to go-get it again.

4

Yeah, something is quite weird…:

  • i’ve blown away my mod cache entirely (verified with the directory you provided).
  • deleted vendor folder
  • deleted go.sum entries

I can run go get go.temporal.io/sdk@master and everything is vendored correctly. However, go get go.temporal.io/sdk@1.10.0 always results in a checksum issue?

5

I am afraid I cannot replicate in a fresh environment:

$ go clean -modcache
$ go mod init github.com/temporalio/temp
go: creating new go.mod: module github.com/temporalio/temp
$ go get go.temporal.io/sdk@v1.10.0
go: downloading go.temporal.io/sdk v1.10.0
go get: added go.temporal.io/sdk v1.10.0
$ grep temporal go.sum
go.temporal.io/api v1.5.0/go.mod h1:BqKxEJJYdxb5dqf0ODfzfMxh8UEQ5L3zKS51FiIYYkA=
go.temporal.io/sdk v1.10.0 h1:JfzXWB+/EcDcC6poz6/k0dc57qas+Es1LMcIXEvP8IA=
go.temporal.io/sdk v1.10.0/go.mod h1:J3kkGHdnPCyPhGO3dsijYNTUE7JgX51vJmjKJY4BF8c=

Do you happen to have any other environments you can test on? Might there be some proxy set (either in the OS or via the GOPROXY env var) or something else intercepting traffic?

6

I have to somehow be hitting a cached version within the go proxy / checksum db. For the time being I’m adding go.temporal.io to the GOPRIVATE env variable to disable the checksum safety check.

export GOPRIVATE="go.temporal.io"