Skip to content

Verifiable Builds

GoReleaser has support for creating verifiable builds. A verifiable build is one that records enough information to be precise about exactly how to repeat it. All dependencies are loaded via proxy.golang.org, and verified against the checksum database sum.golang.org. A GoReleaser-created verifiable build will include module information in the resulting binary, which can be printed using go version -m mybinary.

Configuration options available are described below.

# goreleaser.yaml

gomod:
  # Proxy a module from proxy.golang.org, making the builds verifiable.
  # This will only be effective if running against a tag. Snapshots will ignore
  # this setting.
  # Notice: for this to work your `build.main` must be a package, not a `.go` file.
  proxy: true

  # If proxy is true, use these environment variables when running `go mod`
  # commands (namely, `go mod tidy`).
  #
  # Default: `os.Environ()` merged with what you set the root `env` section.
  env:
    - GOPROXY=https://proxy.golang.org,direct
    - GOSUMDB=sum.golang.org
    - GOPRIVATE=example.com/blah

  # Sets the `-mod` flag value.
  #
  # Since: v1.7
  mod: mod

  # Which Go binary to use.
  #
  # Default: `go`.
  gobinary: go1.17

Tip

You can use debug.ReadBuildInfo() to get the version/checksum/dependencies of the module.

Warning

VCS Info will not be embedded in the binary, as in practice it is not being built from the source, but from the Go Mod Proxy.

Warning

If you have a go.work file, make sure to run go work sync, so the main module (.) is the first line inside the use block.