1env GO111MODULE=on
2env sumdb=$GOSUMDB
3env proxy=$GOPROXY
4env GOPROXY GONOPROXY GOSUMDB GONOSUMDB
5env dbname=localhost.localdev/sumdb
6
7# disagreeing with the sumdb produces security errors
8# (this also populates tiles on the sumdb server).
9cp go.mod.orig go.mod
10env GOSUMDB=$sumdb' '$proxy/sumdb-wrong
11! go get rsc.io/quote
12stderr 'go: rsc.io/quote@v1.5.2: verifying module: checksum mismatch'
13stderr 'downloaded: h1:3fEy'
14stderr 'localhost.localdev/sumdb: h1:wrong'
15stderr 'SECURITY ERROR\nThis download does NOT match the one reported by the checksum server.'
16! go get rsc.io/sampler
17! go get golang.org/x/text
18
19go mod edit -require rsc.io/quote@v1.5.2
20! go mod tidy
21stderr 'go: rsc.io/quote@v1.5.2: verifying go.mod: checksum mismatch'
22stderr 'SECURITY ERROR\n'
23
24rm go.sum
25
26# switching to truthful sumdb detects timeline inconsistency
27cp go.mod.orig go.mod
28env GOSUMDB=$sumdb
29! go get rsc.io/fortune
30stderr 'SECURITY ERROR\ngo.sum database server misbehavior detected!'
31stderr 'proof of misbehavior:'
32
33# removing the cached wrong tree head and cached tiles clears the bad data
34rm $GOPATH/pkg/sumdb/$dbname/latest
35go clean -modcache
36go get rsc.io/fortune
37
38-- go.mod.orig --
39module m
40
41go 1.16
42-- m.go --
43package m
44
45import _ "rsc.io/quote"
View as plain text