Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SECURITY: verifying github.com/google/[email protected]: checksum mismatch #3508

Open
mangelajo opened this issue Mar 26, 2024 · 2 comments
Open

SECURITY: verifying github.com/google/[email protected]: checksum mismatch #3508

mangelajo opened this issue Mar 26, 2024 · 2 comments

Comments

@mangelajo
Copy link

We are using cadvisor on a project, and suddenly we are getting a hash missmatch:

verifying github.com/google/[email protected]: checksum mismatch
	downloaded: h1:L9S9Pdb/uu1HA2PGmgBG4q/V3s9Ct3VWsLicarHVvfQ=
	go.sum:     h1:9M++63nWvdq6Oci6wUDuAfQNTZpuz1ZObln0Bhs9xN0=

I wanted to confirm if the release has been re-tagged, if it's a know developer action this is ok. If not we could be facing a security issue.

I had the previous hash version for v0.49.1 stored on a different computer, so I decided to run a diff between the new hash of 0.49.1, this is what I get:

[majopela@centauro google]$ diff -r [email protected] [email protected]_sec_warnig/
diff -r [email protected]/build/release.sh [email protected]_sec_warnig/build/release.sh
74c74
<   docker buildx build --platform "linux/${arch}" --build-arg VERSION="$VERSION" -f deploy/Dockerfile -t "$arch_specific_image"  --progress plain --push .
---
>   docker buildx build --platform "linux/${arch}" --provenance=false --build-arg VERSION="$VERSION" -f deploy/Dockerfile -t "$arch_specific_image"  --progress plain --push .

It seems to be related to the provenance check of the images used in the build process or as base images, which is security-related.

Thank you
@mangelajo
Copy link
Author

It seems to be related to: 570d8a7

If this was intentional, for my experience, never re-tag an existing tag, caches in github, and in go proxies will make a big mess, we should always create a new minor version.

mangelajo added a commit to flightctl/flightctl that referenced this issue Mar 26, 2024
@mangelajo
Revert cadvisor to v0.49.0
8e94612 
v0.49.1 seems to have been re-tagged upstream and the
caching of goproxies and github is causing issues.

We should stay on v0.49.0 until v0.49.2 is released.

Related-Issue: google/cadvisor#3508

Signed-off-by: Miguel Angel Ajo Pelayo <[email protected]>
@mangelajo mangelajo mentioned this issue Mar 26, 2024
Merged
avishayt pushed a commit to flightctl/flightctl that referenced this issue Mar 26, 2024
@mangelajo @avishayt
Revert cadvisor to v0.49.0
f588eab 
v0.49.1 seems to have been re-tagged upstream and the
caching of goproxies and github is causing issues.

We should stay on v0.49.0 until v0.49.2 is released.

Related-Issue: google/cadvisor#3508

Signed-off-by: Miguel Angel Ajo Pelayo <[email protected]>
@AllanOricil AllanOricil mentioned this issue Apr 10, 2024
Open
@djaglowski djaglowski mentioned this issue Apr 15, 2024
Closed
@atoulme atoulme mentioned this issue Apr 15, 2024
Closed
@penglei
Copy link

penglei commented Jun 26, 2024
edited
Loading

Our team also encountered this issue, and upon investigation, I found that the checksum for tag v0.49.1 in the official Go proxy and SUMDB is incorrect. After removing the GOPROXY and GOSUMDB configurations from go env and letting go module fetch tag v0.49.1 from GitHub directly, the calculated checksum differs. I suggest that cadvisor creates a new tag v0.49.2 to address this issue, as it imposes a significant burden on environment management for large project maintainers.
@bobbypage

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@penglei @mangelajo