Go modules: checksum mismatch

P

10

40

I recently started using modules in Go, but I frequently encounter issues where everything works fine on one machine, but a checksum mismatch is encountered when building the codebase on another machine.

The issue always concerns the same third party dependency (github.com/ericlagergren/decimal):

go: verifying github.com/ericlagergren/[email protected]: checksum mismatch
    downloaded: h1:HQGCJNlqt1dUs/BhtEKmqWd6LWS+DWYVxi9+Jo4r0jE=
    go.sum:     h1:x4oNpFLLl+8l+iLgksNHzZewTS0SKp6m0hlLwzXRbqA=

I've tried various things: removing & regenerating go.sum, upgrading Go itself to the latest patch version and removing the dependency from go.mod but nothing seems to fix this issue.

Does anyone have an idea how to fix this issue?

Patentor answered 10/1, 2019 at 17:15 Comment(0)

I

12

Which version of Go are you using? There's a good chance you're running into the aftermath of the 1.11.2 -> 1.11.4:

Which still isn't completely resolved. Remember that go mod is still in development, so things like this will probably happen up and until 1.13.

Be sure to read up on minor releases for Go, and how these things can happen: https://github.com/golang/go/wiki/MinorReleases

TL;DR - Upgrade Go

Incredulous answered 10/1, 2019 at 17:32 Comment(2)

Thanks for your response. Actually, I was on 11.1 (I assume that's 11.1.0). I already something about issues in earlier versions of Go, so yesterday I updated to 11.1.4 locally. This didn't seem to change the problem: however I think that on platforms like Heroku the older go 11.1.0 is still used. – Patentor 11/1, 2019 at 9:56

I changed the settings on Heroku to use 1.11.4 and it seems my problem is solved. Thanks so much! – Patentor 11/1, 2019 at 10:5

G

72

You can run go clean -modcache, delete go.sum and then go mod tidy which will re-download all deps with the correct checksum (this updates the pkg cache in $GOPATH/pkg/mod/).

To update vendor/ folder run: go mod vendor.

Gazebo answered 27/2, 2019 at 7:57 Comment(14)

This fixed it for me. After running those commands, I ended up with different hashes in my go.sum file. I commited that to version control and magically my CI cheered up :-) – Lucre 25/4, 2019 at 12:42

I have no idea how that happened but those commands fix it. Thanks! – Luca 29/4, 2019 at 0:32

Probably a history rewrite commit happened in that repo that changed the checksum. – Gazebo 6/8, 2019 at 6:20

I followed the step and cleaned the -modcache. Then I wasted my 1 hours downloading the dependencies again. :( There needs to be a better solution. – Cookgeneral 7/8, 2019 at 11:33

@MarufTuhin I think you can search the cache folder for your version in the $GOPATH/pkg/mod and delete it. – Gazebo 7/8, 2019 at 11:36

to avoid long download time, one could just remove checksum mismatching mod entries from go.sum and run go mod tidy, this will just update the checksum of that module! – Fredela 18/5, 2020 at 5:2

go mod tidy - it doesn`t delete older packages – Lepidolite 8/12, 2020 at 14:57

@Lepidolite go mod tidy does not delete anything from the package cache, however go clean -modcache does, the tidy part only checks your go.mod file and your go files imports and tries to reconcile the dependencies. Also go mod tidy does not update the vendor folder, for that run go mod vendor – Gazebo 9/12, 2020 at 12:3

@AlexEfimov go clean -modcache do nothing with checksum mismatch issues. – Lepidolite 9/12, 2020 at 12:15

Hmm, strange, it did until now for me. Try doing a rm -rf $GOPATH/pkg/mod/ or manually deleting those files. Which version of go are you using? – Gazebo 9/12, 2020 at 13:42

@AlexEfimov go version go1.13.4 linux/amd64 so why your rm -rf $GOPATH/pkg/mod/ is better than sed '/^github.com\/ericlagergren\/decimal@/d' ./go.sum > temp.txt && mv temp.txt go.sum ? – Lepidolite 14/12, 2020 at 6:45

didn't work for me. had to remove go.sum file before run go mod tidy – Goatsbeard 28/12, 2021 at 16:47

I had 4 checksums for one module that was hosted in bitbucket (with dash seperated additional numbers in 3 checksums). I manually deleted the additional 3 checksums, ran go mod tidy – Seizure 6/3, 2023 at 7:52

Didn't solve the issue – Insincere 6/3 at 20:36

L

27

remove go.sum : rm go.sum
regenerate go.sum : go mod tidy

Lyudmila answered 10/3, 2021 at 16:46 Comment(2)

Makes sense, I thought about that too, ran it, and ... it did not work, same error =S Solution: do the same for other projects included as a dependency which in turn were having shared libraries that were causing the initial error – Writing 8/1, 2022 at 10:23

Yes, this will fix the problem, but this ignores the whole purpose of go.sum. What if the downloaded package was replaced in the source repository and now contains malicious code? – Adherence 7/2 at 17:4

I

12

Which version of Go are you using? There's a good chance you're running into the aftermath of the 1.11.2 -> 1.11.4:

Which still isn't completely resolved. Remember that go mod is still in development, so things like this will probably happen up and until 1.13.

Be sure to read up on minor releases for Go, and how these things can happen: https://github.com/golang/go/wiki/MinorReleases

TL;DR - Upgrade Go

Incredulous answered 10/1, 2019 at 17:32 Comment(2)

Thanks for your response. Actually, I was on 11.1 (I assume that's 11.1.0). I already something about issues in earlier versions of Go, so yesterday I updated to 11.1.4 locally. This didn't seem to change the problem: however I think that on platforms like Heroku the older go 11.1.0 is still used. – Patentor 11/1, 2019 at 9:56

I changed the settings on Heroku to use 1.11.4 and it seems my problem is solved. Thanks so much! – Patentor 11/1, 2019 at 10:5

D

1

I encountered this problem because of the GOPROXY, and the problem was solved by changing the proxy address.

Doublequick answered 12/4, 2023 at 8:12 Comment(0)

E

0

I was having the same problem using 1.12.8 and no cache cleaning would help. Turns out I am still locked in the middle of GOPATH and the Mod world. I found a flag in another post (How do I migrate from Dep to Go Modules) that did the trick for me.

go run -mod=vendor main.go

Extravaganza answered 28/8, 2019 at 19:13 Comment(0)

W

0

I had the same issue. I updated the go version and removed the imports from go.mod and removed all entries from go.sum and ran go mo tidy, which downloaded all the dependencies without any issues.

Willodeanwilloughby answered 18/11, 2020 at 11:45 Comment(0)

L

0

You need to delete your package from the go.sum file. If you run from terminal mode, using CI/CD or Dockerfile you can use that sh command:

sed '/^github.com\/ericlagergren\/decimal@/d' ./go.sum > temp.txt && mv temp.txt go.sum

Which does:

sed - unix application
'/^ - starts line from
github.com\/hyperledger\/fabric v1.4.4 - your package name (actually RegEX line, shield / with \)
/d' - means delete line
go.sum - our golang sum file
> temp.txt - save output to temporary file
mv temp.txt go.sum - rewrite our go.sum with temporary file

P.S.: go mod tidy - only removes unused packages and add new versions. But it doesn`t delete olders.

Lepidolite answered 8/12, 2020 at 14:54 Comment(0)

B

0

you can try like this:

$ go get sigs.k8s.io/[email protected]
go: downloading sigs.k8s.io/controller-runtime v0.14.1
verifying sigs.k8s.io/[email protected]/go.mod: checksum mismatch
        downloaded: h1:GaRkrY8a7UZF0kqFFbUKG7n9ICiTY5T55P1RiE3UZlU=
        go.sum:     h1:G7mAYYxgmS0lVkHyy2hEOLQCFB0DlQFTMLWggykrydY=

remove the relate file on the mod cache

# rm -rf ~/go/pkg/mod/sigs.k8s.io/[email protected]/
# rm ~/go/pkg/mod/cache/download/sigs.k8s.io/controller-runtime/@v/v0.14.1.zip
# rm ~/go/pkg/mod/cache/download/sigs.k8s.io/controller-runtime/@v/v0.14.1.info
# rm ~/go/pkg/mod/cache/download/sigs.k8s.io/controller-runtime/@v/v0.14.1.mod
# rm ~/go/pkg/mod/cache/download/sigs.k8s.io/controller-runtime/@v/v0.14.1.lock
# rm ~/go/pkg/mod/cache/download/sigs.k8s.io/controller-runtime/@v/v0.14.1.ziphash

Boxboard answered 27/3, 2023 at 13:6 Comment(0)

C

0

you can also check / set the GOPROXY to prevent such cases when updating
go env GOPROXY
go env -w GOPROXY=https://proxy.golang.org,direct

this with go clean -modcache and go mod tidy should fix the issue

EDIT: source

Coulombe answered 6/12, 2023 at 10:6 Comment(0)

A

0

In my case, my teammate committed a different sum in the go.sum for the problematic package and all I had to do was to revert the go.sum to its previous state.

Which made a lot of sense in my case because the package I was having problems with hadn't been changed for years.

Adherence answered 7/2 at 17:39 Comment(0)

Recommended topics

Hot tags