Vendored libraries checksum mismatch #4043

Open
jbtrystram opened this issue Mar 17, 2025 · 2 comments

@jbtrystram
Contributor

Trying to run `make schema` I get a security error.

```
 [coreos-assembler] make schema                                                                                                           main  ✭
make -C schema
make[1]: Entering directory '/tmp/coreos-assembler/schema'
./generate-schema.sh
Generating COSA Schema v1
Cloning into '/tmp/coreos-assembler/schematyper'...
remote: Enumerating objects: 100, done.
remote: Counting objects: 100% (49/49), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 100 (delta 46), reused 43 (delta 43), pack-reused 51 (from 1)
Receiving objects: 100% (100/100), 30.75 KiB | 2.05 MiB/s, done.
Resolving deltas: 100% (58/58), done.
go: downloading github.com/aws/aws-sdk-go v1.53.5
go: downloading golang.org/x/text v0.17.0
go: downloading github.com/jmespath/go-jmespath/internal/testify v1.5.1
go: downloading github.com/googleapis/enterprise-certificate-proxy v0.3.3
go: downloading go.opentelemetry.io/otel v1.29.0
verifying github.com/googleapis/enterprise-certificate-proxy@v0.3.3: checksum mismatch
        downloaded: h1:G6q7VHBoU74wQHXFsZSLMPl0rFw0ZDrlZ3rt6/aTBII=
        go.sum:     h1:QRje2j5GZimBzlbhGA2V2QlGNgL8G6e+wGo/+/2bWI0=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
go: inconsistent vendoring in /tmp/coreos-assembler:
        gopkg.in/alecthomas/kingpin.v2: is replaced in ../go.mod, but not marked as replaced in vendor/modules.txt

        To ignore the vendor directory, use -mod=readonly or -mod=mod.
        To sync the vendor directory, run:
                go mod vendor
removed directory '/tmp/coreos-assembler/schema/tmp'
make[1]: *** [Makefile:3: schema] Error 1
make[1]: Leaving directory '/tmp/coreos-assembler/schema'
make: *** [Makefile:83: schema] Error 2
```

I noticed container/storage is also hitting a checksum mismatch.
I tried with a fresh clone of COSA as well, same issue.

@ravanelli
Member

We probably need to update the https://github.com/coreos/coreos-assembler/blob/main/go.sum#L173C1-L173C106, it is getting a new version.

@ravanelli
Member

Remove this line and run make schema again, it will update the file.
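
Before a disputed `go.sum` line is dropped, the two hashes in the report can be compared with what the public checksum database records for that module version. The Go program below is an added example, not code from this issue or from coreos-assembler: it parses the `checksum mismatch` report format shown in the log above and builds the `sum.golang.org` lookup URL for each affected module. The names `Mismatch`, `ParseMismatches`, `LookupURL` and `sample` are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Mismatch is one "checksum mismatch" report printed by the go command.
type Mismatch struct{ Module, Version, Downloaded, GoSum string }

// ParseMismatches extracts every mismatch report from captured go output.
func ParseMismatches(log string) (out []Mismatch) {
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) == 4 && f[0] == "verifying" && f[2]+" "+f[3] == "checksum mismatch":
			if mod, ver, ok := strings.Cut(strings.TrimSuffix(f[1], ":"), "@"); ok {
				out = append(out, Mismatch{Module: mod, Version: ver})
			}
		case len(f) == 2 && len(out) > 0 && f[0] == "downloaded:":
			out[len(out)-1].Downloaded = f[1] // hash of what was just fetched
		case len(f) == 2 && len(out) > 0 && f[0] == "go.sum:":
			out[len(out)-1].GoSum = f[1] // hash recorded in the repository
		}
	}
	return out
}

// LookupURL is the checksum database endpoint listing the recorded hashes.
func (m Mismatch) LookupURL() string {
	// A report about the go.mod hash carries a "/go.mod" version suffix.
	id := m.Module + "@" + strings.TrimSuffix(m.Version, "/go.mod")
	for c := 'A'; c <= 'Z'; c++ { // proxy case-encoding: "A" is sent as "!a"
		id = strings.ReplaceAll(id, string(c), "!"+string(c+32))
	}
	return "https://sum.golang.org/lookup/" + id
}

// sample: the report lines from the log above (module and version as in its
// "go: downloading" line).
const sample = `verifying github.com/googleapis/enterprise-certificate-proxy@v0.3.3: checksum mismatch
        downloaded: h1:G6q7VHBoU74wQHXFsZSLMPl0rFw0ZDrlZ3rt6/aTBII=
        go.sum:     h1:QRje2j5GZimBzlbhGA2V2QlGNgL8G6e+wGo/+/2bWI0=`

func main() {
	for _, m := range ParseMismatches(sample) {
		fmt.Printf("%s@%s\n  downloaded: %s\n  go.sum:     %s\n  lookup:     %s\n",
			m.Module, m.Version, m.Downloaded, m.GoSum, m.LookupURL())
	}
}
```

Fetch the printed URL and compare the `h1:` value it returns with the `downloaded` and `go.sum` hashes. If the database agrees with the `go.sum` value, the downloaded copy is the one that changed.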

jbtrystram added a commit to jbtrystram/coreos-assembler that referenced this issue Mar 17, 2025

In d20ee10 we introduced additional
images in the schema, update the generated go code to match.

Note that I had to delete entries in `go.sum` as the checksums had
changed. Fixes coreos#4043.
jbtrystram added a commit to jbtrystram/coreos-assembler that referenced this issue Mar 17, 2025

In d20ee10 we introduced additional
images in the schema, update the generated go code to match.

Note that I had to force the update for some entries in `go.sum` as the
checksums had changed.
Fixes coreos#4043.
jbtrystram added a commit to jbtrystram/coreos-assembler that referenced this issue Mar 17, 2025

In cc869e1 we introduced additional
images in the schema, update the generated go code to match.

Note that I had to force the update for some entries in `go.sum` as the
checksums had changed.
Fixes coreos#4043.
jbtrystram added a commit to jbtrystram/coreos-assembler that referenced this issue Mar 20, 2025

In cc869e1 we introduced additional
images in the schema, update the generated go code to match.

Note that I had to force the update for some entries in `go.sum` as the
checksums had changed.
Fixes coreos#4043.