Dependency checksum mismatch in Google sumdb.

[chrisdoherty4]

Welcome

• Yes, I'm using a binary release within 2 latest major releases. Only such installations are supported.
• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've included all information below (version, config, etc).
• Yes, I've tried with the standalone linter if available. (https://golangci-lint.run/usage/linters/)

Description of the problem

See blizzy78/varnamelen#13.

There's a checksum mismatch in the golang database for github.com/blizzy78/varnamelen@v0.6.1. See 'Verbose output of running' for the golangci-lint install.

The output of installing the dependency directly is as follows.

$ GOPROXY=direct go get github.com/blizzy78/varnamelen@v0.6.1
go: downloading github.com/blizzy78/varnamelen v0.6.1
go: github.com/blizzy78/varnamelen@v0.6.1: verifying module: checksum mismatch
        downloaded: h1:iYAU/3A6cpfRm2ZI0P/lece4jsc7GEbzsxTu+vBCChQ=
        sum.golang.org: h1:kttPCLzXFa+0nt++Cw9fb7GrSSM4KkyIAoX/vXsbuqA=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Version of golangci-lint

latest (1.45.2)

Configuration file

n/a

Go environment

GOPROXY=direct

Verbose output of running

$ GOPROXY=direct go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
go: downloading github.com/blizzy78/varnamelen v0.6.1
/Users/cpd/.go/pkg/mod/github.com/golangci/golangci-lint@v1.45.2/pkg/golinters/varnamelen.go:7:2: github.com/blizzy78/varnamelen@v0.6.1: verifying module: checksum mismatch
        downloaded: h1:iYAU/3A6cpfRm2ZI0P/lece4jsc7GEbzsxTu+vBCChQ=
        sum.golang.org: h1:kttPCLzXFa+0nt++Cw9fb7GrSSM4KkyIAoX/vXsbuqA=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Code example or link to a public repository

n/a

[boring-cyborg]

Hey, thank you for opening your first Issue ! 🙂 If you would like to contribute we have a guide for contributors.

[chrisdoherty4]

@ldez You could try downgrading the dep? I was going to try myself to unblock golangci-lint.

[blizzy78]

As mentioned in blizzy78/varnamelen#13 (comment), this is my fault.

I think it should be enough to tag varnamelen's current commit in master with v0.6.2, then use that as a dependency in golangci-lint. There were no functionality changes in between, so v0.6.2 will be the same as the intended v0.6.1.