godog: Security error when getting v0.8.0 with go mod

Hello, I couldn’t find the issue in the list so I open a new one. When trying to add github.com/cucumer/godog with go mod, it raise a security error regarding the checksum server

go mod tidy             
go: finding github.com/DATA-DOG/godog/gherkin latest
go: downloading github.com/DATA-DOG/godog v0.8.0
go: finding github.com/cucumber/godog/gherkin latest
go: downloading github.com/cucumber/godog v0.8.0
verifying github.com/cucumber/godog@v0.8.0: checksum mismatch
        downloaded: h1:pwbfDlZsYqH55uKW35jLxhBzNYYGncYc9XLnGRfkVtk=
        sum.golang.org: h1:sJ0MaOGfNeJWD+DiBjL4VTwrUJrFdiq5sF5b4wPgS+o=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

I think you should be alerted on this 😃 Was using github.com/DATA-DOG/godog until now without any issue.

About this issue

Original URL
State: closed
Created 4 years ago
Reactions: 1
Comments: 19 (13 by maintainers)

Commits related to this issue

Update dependence "github.com/cucumber/godog" to v0.8.1 As [discussion](https://github.com/cucumber/godog/issues/212#issuecomment-685416938) in [issue](https://github.com/cucumber/godog/issues/212) s... — committed to Alex-duzhichao/fabric-contract-api-go by Alex-duzhichao 3 years ago
Update dependence "github.com/cucumber/godog" to v0.8.1 As [discussion](https://github.com/cucumber/godog/issues/212#issuecomment-685416938) in [issue](https://github.com/cucumber/godog/issues/212) s... — committed to Alex-duzhichao/fabric-contract-api-go by Alex-duzhichao 3 years ago

Most upvoted comments

You have to change the version if you can.

The security error is due to a change to the modules after its first upload/download so the version of the commit stored by go is not the same one as the current downlodable one for 0.8.0. You have to go to 0.8.1 if you wish to use this version.

If you cannot change the version of godog, you can just setup the variable GONOSUMDB=github.com/cucumber/godog.

titouanfreville on Sep 2, 2020

@titouanfreville I’ve released v0.8.1, could you give that a shot please and let me know how that goes for you?

mxygem on Feb 10, 2020

I had a same issue, but bumping godog version to 0.8.1 fixes this issue 🙂

devholic on Feb 11, 2020

Seems to also encounter it when downloading without goflags (to install it globally)

GOFLAGS="" go get github.com/cucumber/godog
verifying github.com/cucumber/godog@v0.8.0/go.mod: checksum mismatch
        downloaded: h1:FQ2MobPXycdSajAK3inNgLSAKGFmZqbE4S/CExz41Ys=
        sum.golang.org: h1:Cp3tEV1LRAyH/RuCThcxHS/+9ORZ+FMzPva2AZ5Ki+A=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

titouanfreville on Feb 8, 2020

Clean any trace of the old godog, in GOPATH/src, GOPATH/mod

And get the package again. go get github.com/cucumber/godog

inluxc on Feb 7, 2020