
go.sum are different when using go mod vendor/download

I have a problem with the usage of commands go mod vendor and go mod download in a go module.

When I'm using go mod vendor, the generated go.sum has extra lines. E.g., when I'm using go mod download, the go.sum contains:

github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=

However, if I remove the go.sum and run go mod vendor, I have 2 lines:

github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=

This is problematic because if I commit the go.sum after running go mod vendor, any further go mod download (which may be used by someone else or in CI) will not work because of mismatching hashes, which leads to a security issue.

Is there something I'm doing wrong in the usage of go mod vendor and go mod download? Why would they produce different hashes in the go.sum?

Here is the kind of error which instantly happens:

verifying xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@v0.1.0: checksum mismatch
     downloaded: h1:tIKKCv/bUyBNvVsB6YLo0Ds9ZFdGJ0FKkFun22nwvCI=
     go.sum:     h1:qta5K5jjJg+TnsD76tcFK7Bjf402WP9MIbPsJGU11Ms=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

(Note: I replaced the name of the package by xxx because it carries my company name)

The fact that go mod download did not add go.sum entries for the downloaded modules was arguably a bug, and it will be fixed in the upcoming Go 1.16 release (see https://golang.org/issue/41341).
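As an added example (not code from the question or the answer), a small Go check that reads a go.sum, reports module versions that carry only the /go.mod hash (the incomplete state the question describes after go mod download), and flags a key recorded twice with different hashes, which is what the checksum mismatch error refuses to proceed from. The sample inputs are constructed from the go.sum lines and hashes quoted above.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sumKey is one go.sum entry; Version ends in "/go.mod" for the go.mod-only hash.
type sumKey struct{ Path, Version string }

// parseGoSum maps each (path, version) to its hash. A key seen twice with
// different hashes lands in conflicts: the "checksum mismatch" state above.
func parseGoSum(content string) (sums map[sumKey]string, conflicts []string) {
	sums = make(map[sumKey]string)
	for _, line := range strings.Split(content, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 { // skip blank or malformed lines
			continue
		}
		k := sumKey{f[0], f[1]}
		if old, ok := sums[k]; ok && old != f[2] {
			conflicts = append(conflicts, fmt.Sprintf("%s %s: %s vs %s", k.Path, k.Version, old, f[2]))
		}
		sums[k] = f[2]
	}
	sort.Strings(conflicts)
	return sums, conflicts
}

// missingZipHashes lists versions that have only a "/go.mod" line and no hash
// for the module zip: the partial go.sum the question got from `go mod download`
// on Go < 1.16, which can verify go.mod files but not the source being built.
func missingZipHashes(content string) []string {
	sums, _ := parseGoSum(content)
	var out []string
	for k := range sums {
		v := strings.TrimSuffix(k.Version, "/go.mod")
		if _, ok := sums[sumKey{k.Path, v}]; v != k.Version && !ok {
			out = append(out, k.Path+" "+v)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample: the one-line go.sum the question saw after `go mod download`.
	fmt.Println(missingZipHashes("github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs="))
}
```

Running it over a go.sum produced by go mod vendor (both lines present) reports nothing, while the go mod download variant reports the version whose zip hash is absent.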
