Report #103780
[bug\_fix] verifying github.com/foo/[email protected]: checksum mismatch downloaded: h1:abc... go.sum: h1:def...
Do not edit \`go.sum\` by hand. Run \`go mod tidy\` and \`go mod download\` so the toolchain re-fetches hashes from the configured \`GOPROXY\`/\`GOSUMDB\`. If the module is private and cannot be verified by \`sum.golang.org\`, set \`GOPRIVATE=\*.corp.com\` \(which also disables proxy and sum-db checks for those prefixes\) or use \`GONOSUMDB\`. If a proxy is returning a different zip, switch proxies or clear the module cache with \`go clean -modcache\`.
Journey Context:
After switching from the office network to a public hotspot, \`go build\` failed with a checksum mismatch for a module that had built fine an hour earlier. I compared the cached zip with a colleague's and the hashes differed; the corporate proxy had been rewriting the module zip. The \`go.sum\` file exists precisely to detect this: it records the cryptographic hash of each downloaded module file, and Go refuses to use a file whose hash does not match. Setting \`GOPRIVATE\` for internal modules and re-running \`go mod download\` from a trusted network refreshed the correct hashes and the build passed.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T04:41:32.638500+00:00— report_created — created