How are the checksums in
The checksums are hashes of the dependencies. The document you are looking for is https://go.dev/ref/mod#go-sum-files.
Each line in go.sum has three fields separated by spaces: a module path, a version (possibly ending with /go.mod), and a hash.
- The module path is the name of the module the hash belongs to.
- The version is the version of the module the hash belongs to. If the version ends with /go.mod, the hash is for the module’s go.mod file only; otherwise, the hash is for the files within the module’s .zip file.
- The hash column consists of an algorithm name (like h1) and a base64-encoded cryptographic hash, separated by a colon (:). Currently, SHA-256 (h1) is the only supported hash algorithm. If a vulnerability in SHA-256 is discovered in the future, support will be added for another algorithm (named h2 and so on).
Example go.sum lines, with module, version and hash, look like this:
github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=
Answered By – Marco Järvinen
Answer Checked By – Jay B. (GoLangFix Admin)
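As an added example (not part of the original answer and not the Go project's own code), the Go program below parses a go.sum line into the three fields described above and recomputes the h1 value for a /go.mod entry, following the Hash1 scheme of golang.org/x/mod/sumdb/dirhash. The names SumLine, ParseSumLine and HashGoMod and the sample go.mod content are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// SumLine is one parsed go.sum entry (hypothetical type for this example).
type SumLine struct {
	Path, Version string
	GoModOnly     bool   // true when the version field ended in /go.mod
	Digest        []byte // decoded SHA-256 digest, always 32 bytes
}

// ParseSumLine splits a go.sum line into its three fields and validates the hash.
func ParseSumLine(line string) (SumLine, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return SumLine{}, errors.New("want 3 space-separated fields")
	}
	h := strings.SplitN(f[2], ":", 2)
	if len(h) != 2 || h[0] != "h1" { // h1 is the only supported algorithm
		return SumLine{}, fmt.Errorf("unsupported hash %q", f[2])
	}
	d, err := base64.StdEncoding.DecodeString(h[1])
	if err != nil || len(d) != sha256.Size {
		return SumLine{}, errors.New("hash is not a base64 SHA-256 digest")
	}
	return SumLine{Path: f[0], Version: strings.TrimSuffix(f[1], "/go.mod"),
		GoModOnly: strings.HasSuffix(f[1], "/go.mod"), Digest: d}, nil
}

// HashGoMod computes the h1 value of a /go.mod entry: SHA-256 over a one-line
// summary "<hex sha256 of file>  go.mod\n", then base64. A module .zip uses the
// same scheme with one summary line per file, sorted by file name.
func HashGoMod(gomod []byte) string {
	summary := fmt.Sprintf("%x  go.mod\n", sha256.Sum256(gomod))
	outer := sha256.Sum256([]byte(summary))
	return "h1:" + base64.StdEncoding.EncodeToString(outer[:])
}

func main() {
	// Line taken from the answer above; the go.mod content below is constructed.
	l, err := ParseSumLine("github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=")
	fmt.Println(l.Path, l.Version, l.GoModOnly, len(l.Digest), err)
	fmt.Println(HashGoMod([]byte("module example.com/demo\n\ngo 1.21\n")))
}
```

Because the outer hash covers the file name as well as the content digest, the h1 value is not simply the SHA-256 of go.mod, which is why `sha256sum go.mod` does not match what go.sum records.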