github.com/go-openapi/spec@v0.20.5: verifying module: checksum mismatch

[jonathanwin]

$ go get github.com/go-openapi/spec@v0.20.5

go: downloading github.com/go-openapi/spec v0.20.5
go: github.com/go-openapi/spec@v0.20.5: verifying module: checksum mismatch
        downloaded: h1:7VP8zufGZEIV+zfSwHGTWgbMINz/WhW3oFsA47Rhjsk=
        sum.golang.org: h1:skHa8av4VnAtJU5zyAUXrrdK/NDiVX8lchbG+BfcdrE=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

It looks like you have might have rewritten the 0.20.5 tag to point to 0.20.6:
https://github.com/go-openapi/spec/tags
v0.20.6 [1005cfb]
v0.20.5 [1005cfb]

This breaks any package using v0.20.5, e.g. github.com/swaggo/http-swagger@v1.2.7 and all later versions so far

[jonathanwin]

I suspect the best plan would be to rewrite the v0.20.5 tag again with it's original commit.

[casualjim]

I think that the original commit is lost, or at least I wouldn't know how to find it. That's why I pushed a 0.20.6 tag when I realized the mistake.

You should be able to fix this by doing go get -u github.com/go-openapi/spec@latest

I saw that swaggo also updated the deps in their repo

[jonathanwin]

Unless you force-pushed to master, or tagged something that wasn't pushed, or wasn't on master, then v0.20.5 should be somewhere between v0.20.4 and v0.20.6.
Assuming it's wasn't equal to v0.20.4, that leaves 95abe38 (v0.20.6~1) or 6ca6ff8 (v0.20.6~2)

Turns out proxy.golang.org has a copy of the "original" v0.20.5 that matches sum.golang.org's checksum, so the issue does not show except when GOPROXY=direct (or when proxy.golang.org is unreachable), while still using sum.golang.org.
This explains why swaggo cannot reproduce, but also lets us find the original tag by downloading proxy.golang.org's version:

cd $(go env GOPATH)/src &&
mkdir -p testprx &&
cd testprx &&
go mod init &&
go clean -modcache &&
GOPROXY="http://proxy.golang.org" go get github.com/go-openapi/spec@v0.20.5 &&
cd $(go env GOMODCACHE)/github.com/go-openapi/spec@v0.20.5

It looks identical to the commit 95abe38 (v0.20.6~1)

\o/

[fredbi]

I believe this issue is now outdated, as the latest tag is now v0.20.9. Therefore, closing this.