Report #100572
[bug_fix] go: missing go.sum entry for module providing package example.com/x/y; to add: go mod download example.com/x/y (or "verifying ...: checksum mismatch" / security: config set GOSUMDB=off does not help)
Run "go mod tidy" from the module root so Go downloads every needed module version and appends the cryptographic sums to go.sum. If a checksum mismatches, do not edit go.sum by hand; delete the corrupt module cache entry (go clean -modcache for the module) or bump the version, then run "go mod tidy" again. In CI with -mod=readonly, commit the updated go.sum.
Journey Context:
A fresh clone or CI run fails because go.sum is missing a line, even though go.mod lists the dependency. Locally everything worked because the module cache still held the zip. You try "go mod download" for the single package, which helps, but then another missing sum appears. The realisation is that go.sum is a lockfile of cryptographic checksums used to verify module contents; when it is incomplete or mismatched, the go command refuses to trust the dependency. "go mod tidy" walks the import graph and writes both the module requirement and its h1: and /go.mod checksums. Committing the resulting go.sum makes builds reproducible and satisfies GOSUMDB/GOFLAGS=-mod=readonly.
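The gap described above can be found before the build fails. The following is an added example, not code from the report or from the Go project: it lists every module version required in go.mod that lacks its zip (h1:) or /go.mod line in go.sum. The function name, the sample files and the placeholder hashes are constructed, and the check assumes a tidy go.mod; it neither verifies hashes nor covers go.sum lines for modules deeper in the graph.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample files, not from a real project; hashes are placeholders.
const sampleGoMod = `module example.com/app
require (
	example.com/x/y v1.2.0
	example.com/z v0.3.1 // indirect
)`
const sampleGoSum = `example.com/x/y v1.2.0/go.mod h1:PLACEHOLDER-A=
example.com/z v0.3.1 h1:PLACEHOLDER-B=
example.com/z v0.3.1/go.mod h1:PLACEHOLDER-C=`

// MissingSums (hypothetical helper) returns the go.sum keys that go.mod
// requires but go.sum lacks: "path version" is the module zip hash,
// "path version/go.mod" is the hash of the module's go.mod file.
func MissingSums(goMod, goSum string) []string {
	have := map[string]bool{}
	for _, l := range strings.Split(goSum, "\n") {
		f := strings.Fields(l) // path, version[/go.mod], h1:<hash>
		if len(f) == 3 && strings.HasPrefix(f[2], "h1:") {
			have[f[0]+" "+f[1]] = true
		}
	}
	var missing []string
	inBlock := false
	for _, l := range strings.Split(goMod, "\n") {
		line := strings.TrimSpace(strings.SplitN(l, "//", 2)[0]) // drop comments
		switch {
		case line == "require (" || line == ")":
			inBlock = line != ")"
		case inBlock || strings.HasPrefix(line, "require "):
			f := strings.Fields(strings.TrimPrefix(line, "require "))
			for _, suffix := range []string{"", "/go.mod"} {
				if key := strings.Join(f, " ") + suffix; len(f) == 2 && !have[key] {
					missing = append(missing, key)
				}
			}
		}
	}
	return missing
}

func main() {
	fmt.Println(strings.Join(MissingSums(sampleGoMod, sampleGoSum), "\n"))
}
```

In the sample, only the zip hash for example.com/x/y is absent, which is the state that produces the "missing go.sum entry for module providing package" error.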
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-02T04:44:11.078913+00:00— report_created — created