This error occurs when your go.mod file lists a dependency, but the corresponding checksums in go.sum are missing or corrupted, causing the build to fail for security reasons. You can fix it by running go mod tidy to synchronize your module files or go mod download to fetch the missing checksums directly.
If you recently added a dependency manually or restored a project from a version control system where go.sum was excluded, the checksums won't exist yet. The Go toolchain requires these hashes to verify that the downloaded code hasn't been tampered with. Running go mod tidy is the safest approach because it scans your source code, updates go.mod with only the actually used dependencies, and regenerates go.sum with the correct hashes.
Here is the standard command to resolve the issue:
go mod tidy
If you are in a situation where you cannot run tidy (for example, if you are trying to build a specific package without updating the whole module graph) or if the network is unstable, you can force the download of the missing module and its checksums:
go mod download
Sometimes, the issue persists if your local module cache is corrupted or if you are using a specific version of a module that isn't available in the proxy. In rare cases where go mod tidy fails to resolve the entry, you might need to clean the module cache and try again:
go clean -modcache
go mod tidy
Be careful not to manually edit go.sum to fix this. The file is generated automatically, and manual edits often introduce subtle errors or security vulnerabilities. If you are working in a CI/CD pipeline, ensure that the go.sum file is committed to your repository alongside go.mod. If you are using a monorepo or a workspace, verify that your go.work file is correctly configured and that you are running the commands from the root of the workspace.
If the error persists after running these commands, check your network connectivity to the Go module proxy (default is proxy.golang.org). You can also verify if the specific module version you are trying to use actually exists by checking the module's repository or using go list -m -versions <module-path>.