On Mon, Aug 16, 2021 at 9:11 AM Igor Chubin <i...@chub.in> wrote: > > When I generate `go.sum` with go 1.16, and try to build it with go of a > different version (1.13 in my case), I get `SECURITY ERROR`: > > ``` > verifying github.com/tredoe/osutil@v1.1.1/go.mod: checksum mismatch > downloaded: h1:fx79htI3WZA9Ep4jphLFq06l3iRDimfOWTrkKOz+OAA= > go.sum: h1:wHEjPMepmXQXkZhf9H4sQcCtmC45KuFo5VR97zG9/dY= > > SECURITY ERROR > This download does NOT match an earlier download recorded in go.sum. > The bits may have been replaced on the origin server, or an attacker may > have intercepted the download attempt. > > For more information, see 'go help module-auth'. > ``` > > Then I fix (remove the entry and run `go mod tidy`) `go.sum` and try to build > it again. It works with 1.13, but the problem appears then with 1.16. > > So there should be some incompatibility between Go 1.13 and 1.16 (not sure > exactly when it was introduced, so don't know about 1.14 and 1.15). > > Currently, as a workaround, I added this to my build scripts: > > ``` > sed -i /osutil/d go.sum \ > && go mod download github.com/tredoe/osutil > ``` > > but it is not a real solution, of course. > > How am I supposed to fix this problem?
We no longer support Go 1.13. You can probably work around this problem temporarily and insecurely by setting the GONOSUMDB environment variable. See the mentions of GONOSUMDB at https://pkg.go.dev/cmd/go. Ian -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CAOyqgcV56QDp1TXTaNsr%2B1UezWmoMbYRhk8iN58bDRzJq83xkA%40mail.gmail.com.
