Report #102449
[bug\_fix] verifying github.com/foo/[email protected]/go.mod: checksum mismatch SECURITY ERROR: downloaded: h1:... go.sum: h1:...
Run \`go mod tidy\` to regenerate missing or stale go.sum entries. If the local module cache is corrupted, run \`go clean -modcache\` and then \`go mod tidy\`. If a dependency was force-retagged upstream, pin to a clean version and update go.sum. Never hand-edit go.sum.
Journey Context:
A developer adds a dependency on their laptop and commits go.mod but forgets to commit go.sum. CI downloads the module from the public proxy and fails with a checksum mismatch because the go.sum line is missing or was computed against a different tarball. Another common variant is a teammate on a different OS or using a private GOPROXY gets a different zip hash because the module was retagged or the cache contains a dirty checkout. The team first tries deleting go.sum, then running \`go mod tidy\`, which recomputes the exact hashes the go command expects. The fix works because go.sum records SHA-256 hashes of module zips and go.mod files; the go command refuses to use any content that does not match the recorded hash, protecting against tampering and cache corruption.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T04:53:53.495859+00:00— report_created — created