Security checksum error when vendoring google/gnostic

[alecholmez]

When vendoring this repo on alpine 3.13 the following happens:

go: downloading github.com/googleapis/gnostic v0.5.3
verifying github.com/googleapis/gnostic@v0.5.3: checksum mismatch
	downloaded: h1:2qsuRm+bzgwSIKikigPASa2GhW8H2Dn4Qq7UxD8K/48=
	go.sum:     h1:FP6YXyar5+eeXU8lBWDHJMZLHinornnILMJYBLgqKXk=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

This does not happen on mac os, have tried to specify GOPROXY and GOSUMDB, also tried running go clean -modcache to no luck. Any insight would be helpful!

[dprotaso]

We're seeing this as well - was the v0.5.3 tag rewritten?

[dprotaso]

Even the golang sum db has the older sha

https://sum.golang.org/lookup/github.com/googleapis/gnostic@v0.5.3

[dprotaso]

oh nm - i misread

[dprotaso]

@alecholmez what's your GOPROXY setting - we're using direct so I wonder if that's it

[alecholmez]

I had goproxy=direct and gosumdb=off

[dprotaso]

So I confirmed that v0.5.3 was re-tagged to include the commit -e21f238

[dprotaso]

golang's proxy server has v0.5.3 pointing to 42aec32

see: https://proxy.golang.org/github.com/googleapis/gnostic/@v/v0.5.3.zip

[dprotaso]

this is also a dupe of #237

[timburks]

Repeating from #237: Sorry about the messiness! I've just pushed a v0.5.4 that points to e21f238 and repointed v0.5.3 at 42aec32.