Reputation: 8393
Thus far I'm the only developer on my team that can replicate this issue for the below package.
To correct the mismatch I've tried:
.mod .sum files
.mod and .sum files
> go get go.temporal.io/sdk@v1.10.0
go: downloading go.temporal.io/sdk v1.10.0
go get: go.temporal.io/sdk@v1.10.0: verifying module: checksum mismatch
downloaded: h1:t0t/mtBxetBZUhvLB2mE2g7lgZcJDRAf1OPkV63+CfM=
sum.golang.org: h1:JfzXWB+/EcDcC6poz6/k0dc57qas+Es1LMcIXEvP8IA=
I can install other versions just fine, just not v1.10.0. Does anyone have any suggestions or ideas on how to fix this?
EDIT:
As a workaround I've added this package to GOPRIVATE, which will exclude it from the checksum mismatch.
export GOPRIVATE="go.temporal.io"
Upvotes: 2
Views: 4616
Reputation: 5187
Generally this occurs when the maintainer of the module attempts to move an existing tag from one commit to another. That isn't allowed: the Go checksum database stores a permanent, irrevocable checksum the first time it encounters a new module version, and that checksum is used to verify that the module hasn't been tampered with for previous downloads.
If there is a severe problem with a given release, that release can be retracted and a new patch issued. However, the new patch must have its own unique version (generally the same version with the patch number increased by one).
The proper fix here is to abandon v1.10.0 and get the upstream to tag a new release.
Upvotes: 4
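Added example (not part of the original answer, and not the Go project's own code): a standard-library re-implementation of the "h1:" module hash, showing why a tag moved to a different commit no longer matches the hash recorded the first time the version was seen. The module example.com/mod, its files and the function names are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// hashH1 computes an "h1:" hash: SHA-256 over a sorted manifest of
// "<hex sha256 of file>  <name>\n" lines, then base64.
// files maps "module@version/path" names to file contents.
func hashH1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	manifest := sha256.New()
	for _, name := range names {
		fmt.Fprintf(manifest, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(manifest.Sum(nil))
}

// verify compares a downloaded tree against the hash recorded earlier,
// mirroring the "downloaded:" / "sum.golang.org:" lines in the error above.
func verify(downloaded map[string][]byte, recorded string) error {
	if got := hashH1(downloaded); got != recorded {
		return fmt.Errorf("checksum mismatch\n\tdownloaded: %s\n\trecorded:   %s", got, recorded)
	}
	return nil
}

// firstTagged is the constructed tree the version tag pointed at originally.
func firstTagged() map[string][]byte {
	return map[string][]byte{
		"example.com/mod@v1.0.0/go.mod": []byte("module example.com/mod\n"),
		"example.com/mod@v1.0.0/mod.go": []byte("package mod\n\nconst Retries = 3\n"),
	}
}

// retagged is the same version after the tag was moved to a commit that
// changed a single constant.
func retagged() map[string][]byte {
	tree := firstTagged()
	tree["example.com/mod@v1.0.0/mod.go"] = []byte("package mod\n\nconst Retries = 5\n")
	return tree
}

func main() {
	recorded := hashH1(firstTagged()) // what was stored on first sight
	fmt.Println("original tag:", verify(firstTagged(), recorded))
	fmt.Println("moved tag:   ", verify(retagged(), recorded))
}
```

Because the hash covers every file name and every file's content, any change under the same version string produces a different h1 value, which is why a new version number is the only way to publish different content.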