Checksum mismatch error when building with golang.org/x/crypto@v0.31.0

Question

I have a go project, and when I do go build I get the following checksum error from the Golang crypto package:

% go build cmd/myproject/main.go
go: downloading github.com/golang-jwt/jwt v4.5.1+incompatible
verifying golang.org/x/crypto@v0.31.0: checksum mismatch
downloaded: h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
go.sum:     h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.
make: *** [build] Error 1

Why am I getting this error? I ran this same command last week and it worked fine with no issues. I notice that version 0.31.0 of the Golang crypto package was just released on December 11th, 2024 (5 days ago). So the timing makes me suspicious that something in that package was broken in the new version?

I deleted my go.sum file and then did go get crypto@v0.30.0 to see if downgrading to an older version of the package would work. But then go build complained about a missing go.sum file. To be honest, I don't fully understand how to go.mod and go.sum files work.

Answer 1

That you get v4.5.1+incompatible is strange, you should either get v3.2.2+incompatible (the latest version without module support), v4.5.1 (when importing github.com/golang-jwt/jwt/v4) or v5.2.1 when importing github.com/golang-jwt/jwt/v5

You could change your import to either github.com/golang-jwt/jwt/v5 (see “Migration Guide”) or github.com/golang-jwt/jwt/v4 and look if the error goes away or provide us with a minimal, reproducible example, so we can investigate further.

By the way, ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= is what I get for golang.org/x/crypto v0.31.0.