1 env GO111MODULE=on
2 env sumdb=$GOSUMDB
3 env proxy=$GOPROXY
4 env GOPROXY GONOPROXY GOSUMDB GONOSUMDB
5 env dbname=localhost.localdev/sumdb
6
7 # disagreeing with the sumdb produces security errors
8 # (this also populates tiles on the sumdb server).
9 cp go.mod.orig go.mod
10 env GOSUMDB=$sumdb' '$proxy/sumdb-wrong
11 ! go get rsc.io/quote
12 stderr 'go: rsc.io/quote@v1.5.2: verifying module: checksum mismatch'
13 stderr 'downloaded: h1:3fEy'
14 stderr 'localhost.localdev/sumdb: h1:wrong'
15 stderr 'SECURITY ERROR\nThis download does NOT match the one reported by the checksum server.'
16 ! go get rsc.io/sampler
17 ! go get golang.org/x/text
18
19 go mod edit -require rsc.io/quote@v1.5.2
20 ! go mod tidy
21 stderr 'go: rsc.io/quote@v1.5.2: verifying go.mod: checksum mismatch'
22 stderr 'SECURITY ERROR\n'
23
24 rm go.sum
25
26 # switching to truthful sumdb detects timeline inconsistency
27 cp go.mod.orig go.mod
28 env GOSUMDB=$sumdb
29 ! go get rsc.io/fortune
30 stderr 'SECURITY ERROR\ngo.sum database server misbehavior detected!'
31 stderr 'proof of misbehavior:'
32
33 # removing the cached wrong tree head and cached tiles clears the bad data
34 rm $GOPATH/pkg/sumdb/$dbname/latest
35 go clean -modcache
36 go get rsc.io/fortune
37
38 -- go.mod.orig --
39 module m
40
41 go 1.16
42 -- m.go --
43 package m
44
45 import _ "rsc.io/quote"
46
View as plain text