Skip to content
Latchkey

Go "checksum mismatch" - Fix go.sum Verification Errors in CI

Go computed a hash for a downloaded module that does not match the hash recorded in go.sum. Go treats this as a security failure and refuses to use the module -- the recorded checksum and the fetched bytes disagree.

What this error means

A go command aborts with verifying <module>@<version>: checksum mismatch followed by the recorded vs downloaded hashes. It is deterministic for a given go.sum and module source, and is a hard stop -- Go will not proceed with an unverified module.

go
verifying github.com/example/lib@v1.4.0: checksum mismatch
	downloaded: h1:abc123...
	go.sum:     h1:xyz789...

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.

Common causes

Stale or partial go.sum

go.sum was not updated after a dependency change, or holds an entry from a different module version, so the recorded hash no longer matches what is fetched.

Dependency was retagged or mutated upstream

A non-immutable tag (a force-pushed git tag) changed the module contents at the same version, so the new bytes hash differently than the recorded value.

Proxy returned different bytes

A misbehaving or man-in-the-middle proxy served content that does not match the recorded checksum -- which is exactly what the verification is designed to catch.

How to fix it

Regenerate go.sum from a clean cache

  1. Clear the module cache so a stale copy is not reused: go clean -modcache.
  2. Re-resolve and rewrite checksums: go mod tidy.
  3. Commit the updated go.sum and re-run the build.
Terminal
go clean -modcache
go mod tidy
go build ./...

Pin to an immutable, verified version

  1. If a tag was mutated upstream, move to a fixed release or a pseudo-version pinned to a commit.
  2. Confirm GONOSUMCHECK/GONOSUMDB are not masking the real problem -- do not disable verification.
  3. Use GOFLAGS=-mod=readonly in CI so go.sum drift fails loudly instead of being silently rewritten.

How to prevent it

  • Commit go.sum and run go mod tidy whenever dependencies change.
  • Build with -mod=readonly in CI so checksum drift is caught at PR time.
  • Prefer immutable release tags and the default checksum database for verification.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →