Skip to content

Fix go install method of installation #716

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 18, 2021
Merged

Fix go install method of installation #716

merged 1 commit into from
Sep 18, 2021

Conversation

@luhring
Copy link
Contributor

@luhring luhring commented Sep 18, 2021

Summary

Cosign's installation instructions tell users to run go install github.com/sigstore/cosign/cmd/cosign@latest. This installation method appears to have been broken since fb04df8 (via #637), when a replace directive was added to go.mod.

The replace block was downgrading a few K8s modules (k8s.io/api, k8s.io/apimachinery, and k8s.io/client-go) to a slightly older version (from v0.22.1 to v0.21.4). Presumably, this was done because #637 also introduced a dependency on the module knative.dev/pkg, which is not compatible with v0.22.1 of the K8s modules.

A more stable alternative solution to this problem is to adjust the K8s module versions in the require block to the desired version (v0.21.4). Because of how MVS works, once none of the K8s modules in the module graph need a version as new as v0.22.1, Go will select version v0.21.4 for these modules, which resolves the issue with knative.dev/pkg, which allows all cosign builds to succeed.

Thus, this PR makes the above updates to the require block and removes the replace block.

Testing

This fix can be verified in a clean environment via Docker. This command installs Cosign using a testing branch in my fork of Cosign:

docker run --rm --env 'GOPRIVATE=github.com/luhring/cosign' golang:1.16 sh -c 'go install github.com/luhring/cosign/cmd/cosign@fix-go-install--testing && cosign --help'

This test:

  • uses Go 1.16, but I've also tested with 1.17
  • sets GOPRIVATE in order to bypass the Go proxy, to ensure the fork code is used directly
  • uses a slightly different branch than this PR uses: fix-go-install--testing. This is because I needed to set the module name in go.mod to github.com/luhring/cosign so that go install doesn't error out early.
  • should show Cosign's CLI help at the end if the installation was successful

Ticket Link

Fixes #588

Release Note

Fix go install method of installation

Signed-off-by: Dan Luhring [email protected]

@dlorenc
Copy link
Member

dlorenc commented Sep 18, 2021

Wow, thank you! This is great work!

@dlorenc dlorenc merged commit ae960b9 into sigstore:main Sep 18, 2021
@github-actions github-actions bot added this to the v1.3.0 milestone Sep 18, 2021
@syhv-git syhv-git mentioned this pull request Sep 18, 2021
Closed
@ShubhamPalriwala ShubhamPalriwala mentioned this pull request Sep 19, 2021
Closed
This was referenced Sep 19, 2021
Closed
Closed
Closed
cpanato referenced this pull request in cpanato/cosign Sep 19, 2021
@luhring @cpanato
Remove go.mod replace directive (#716)
9ea4693 
Signed-off-by: Dan Luhring <[email protected]>
@cpanato cpanato mentioned this pull request Sep 20, 2021
Merged
cpanato referenced this pull request in cpanato/cosign Sep 20, 2021
@luhring @cpanato
Remove go.mod replace directive (#716)
561aba0 
Signed-off-by: Dan Luhring <[email protected]>
Signed-off-by: Carlos Panato <[email protected]>
dekkagaijin pushed a commit that referenced this pull request Sep 20, 2021
@cpanato @luhring
Remove go.mod replace directive (#716) (#726)
be15523 
Signed-off-by: Dan Luhring <[email protected]>
Signed-off-by: Carlos Panato <[email protected]>
Co-authored-by: Dan Luhring <[email protected]>
@luhring luhring deleted the fix-go-install branch November 1, 2021 23:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@dlorenc dlorenc dlorenc approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v1.3.0

Development

Successfully merging this pull request may close these issues.

Error when downloading cosign

2 participants

@luhring @dlorenc