Go Checksum Database

The Go team is providing a global go.sum database for authenticating module content.

As of Go 1.13, the go command by default downloads and authenticates modules using the Go checksum database. See sum.golang.google.cn/privacy for privacy information about this service and the go command documentation for configuration details including how to disable the use of this server or using different ones.

Services

sum.golang.google.cn - an auditable checksum database which will be used by the go command to authenticate modules. This serves contents that are signed by sum.golang.org. Check out the Secure the Public Go Module Ecosystem Proposal for more details.

Status: Launched

These services are ready for production use. Please file issues if you spot them, with the title prefix "sum.golang.google.cn".

Environment setup

Older versions of the go command prior to Go 1.13 cannot directly use the checksum database.

FAQ

If I don't set GOPRIVATE and request a private module from this service, what leaks?

The proxy and checksum database protocols only send module paths and versions to the remote server. If you request a private module, the mirror will try to download it just as any Go user would and fail in the same way. Information about failed requests isn't published anywhere. The only trace of the request will be in internal logs, which are governed by the privacy policy.