sumdb/note: catch a Verifiers that returns the wrong Verifier

The Verifier method gets the name and hash of the signature, and is
supposed to only return a Verifier for that name and hash. If it
doesn't, we can catch it by double checking the KeyHash and Name method
return values against the signature.

Change-Id: I39b2e3616ac389718ebc7eaa6263a43b9152b2fa
Trust: Filippo Valsorda <>
Run-TryBot: Filippo Valsorda <>
TryBot-Result: Gopher Robot <>
Reviewed-by: Al Cutter <>
Reviewed-by: Russ Cox <>
2 files changed
tree: 64901af172c7563babf5153ff6ad615e31e4e39a
  1. gosumcheck/
  2. internal/
  3. modfile/
  4. module/
  5. semver/
  6. sumdb/
  7. zip/
  8. codereview.cfg
  9. go.mod
  10. go.sum



This repository holds packages for writing tools that work directly with Go module mechanics. That is, it is for direct manipulation of Go modules themselves.

It is NOT about supporting general development tools that need to do things like load packages in module mode. That use case, where modules are incidental rather than the focus, should remain in x/tools, specifically x/tools/go/packages.

The specific case of loading packages should still be done by invoking the go command, which remains the single point of truth for package loading algorithms.