Report #101478
[bug\_fix] verifying module: checksum mismatch downloaded: h1:abc... go.sum: h1:xyz...
Run \`go mod tidy\` after ensuring all developers and CI use the same Go version and module proxy. For private modules, set \`GONOSUMDB\` or \`GOPRIVATE\` so the checksum database is skipped; never globally disable GOSUMDB for public modules. Commit the regenerated go.sum.
Journey Context:
A developer runs \`go build\` and sees a checksum mismatch for a public dependency. They recently switched from the corporate VPN to public internet, so the module proxy returned a different tarball than the one originally hashed. They try deleting the cached module and re-downloading, but the mismatch reappears because go.sum still contains the old hash. The temptation is to run with \`GOSUMDB=off\`, which masks the problem and opens the door to supply-chain attacks. The correct path is to let \`go mod tidy\` rewrite go.sum after confirming the proxy is trustworthy, and to set \`GOPRIVATE=\*.corp.example.com\` for internal modules so Go stops consulting sum.golang.org for code that isn't in the public database.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T04:55:15.102056+00:00— report_created — created