Keep .sum files for modules

.sum files are used for verifying the downloaded modules, so are useful for security. Don't ignore them. Bingo deletes all *.tmp.* files. We need to rename not just .mod file but .sum file as well. We also need to copy the sum file to temporary file. Existing users don't have .sum files in their .bingo directory, so we ignore file not found errors for .sum files. Fixes #15
bwplotka · Dec 16, 2021 · 418731d · 418731d
1 parent c05be99
commit 418731d
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 5 deletions.
diff --git a/get.go b/get.go
@@ -328,10 +328,7 @@ func validateNewName(versions []string, old, new string) error {
 }
 
 func cleanGoGetTmpFiles(modDir string) error {
-	// Remove all sum and tmp files
-	if err := removeAllGlob(filepath.Join(modDir, "*.sum")); err != nil {
-		return err
-	}
+	// Remove all tmp files
 	if err := removeAllGlob(filepath.Join(modDir, "*.*.tmp.*")); err != nil {
 		return err
 	}
@@ -545,6 +542,8 @@ func getPackage(ctx context.Context, logger *log.Logger, c installPackageConfig,
 		tmpModFilePath = filepath.Join(c.modDir, fmt.Sprintf("%s.%d.tmp.mod", name, i))
 	}
 
+	outSumFile := strings.TrimSuffix(outModFile, ".mod")+".sum"
+
 	// If we don't have all information or update is set, resolve version.
 	var fetchedDirectives bingo.NonRequireDirectives
 	if target.Module.Version == "" || !strings.HasPrefix(target.Module.Version, "v") || target.Module.Path == "" || c.update != runner.NoUpdatePolicy {
@@ -603,7 +602,10 @@ func getPackage(ctx context.Context, logger *log.Logger, c installPackageConfig,
 
 	// We were working on tmp file, do atomic rename.
 	if err := os.Rename(tmpModFile.FileName(), outModFile); err != nil {
-		return errors.Wrap(err, "rename")
+		return errors.Wrap(err, "rename mod file")
+	}
+	if err := os.Rename(tmpModFile.SumFileName(), outSumFile); err != nil {
+		return errors.Wrap(err, "rename sum file")
 	}
 	return nil
 }
@@ -731,6 +733,7 @@ const gitignore = `
 # But not these files:
 !.gitignore
 !*.mod
+!*.sum
 !README.md
 !Variables.mk
 !variables.env

diff --git a/pkg/bingo/mod.go b/pkg/bingo/mod.go
@@ -137,6 +137,11 @@ func CreateFromExistingOrNew(ctx context.Context, r *runner.Runner, logger *log.
 				if err := copyFile(existingFile, modFile); err != nil {
 					return nil, err
 				}
+				existingSumFile := sumFilePath(existingFile)
+				sumFile := sumFilePath(modFile)
+				if err := copyFile(existingSumFile, sumFile); err != nil && !os.IsNotExist(err) {
+					return nil, err
+				}
 				return OpenModFile(modFile)
 			}
 			logger.Printf("bingo tool module file %v is malformed; it will be recreated; err: %v\n", existingFile, err)
@@ -150,6 +155,10 @@ func CreateFromExistingOrNew(ctx context.Context, r *runner.Runner, logger *log.
 	return OpenModFile(modFile)
 }
 
+func sumFilePath(modFilePath string) string {
+	return strings.TrimSuffix(modFilePath, ".mod")+".sum"
+}
+
 func copyFile(src, dst string) error {
 	source, err := os.Open(src)
 	if err != nil {
@@ -184,6 +193,10 @@ func (mf *ModFile) FileName() string {
 	return mf.filename
 }
 
+func (mf *ModFile) SumFileName() string {
+	return sumFilePath(mf.filename)
+}
+
 func (mf *ModFile) IsDirectivesAutoFetchDisabled() bool {
 	return mf.directivesAutoFetchDisabled
 }