ggcr: retagging v0.20.4 causes "verifying module: checksum mismatch"

[WanzenBug]

Describe the bug

It looks like tag v0.20.4 was removed and added again, including a few extra commits. However, the first version has already been picked up by proxy.golang.org and sum.golang.org, which now causes issues when using the version

To Reproduce

This "works":

$ GOSUMDB=sum.golang.org GOMODCACHE=$(mktemp -d) GOPROXY=https://proxy.golang.org go mod download github.com/google/go-containerregistry@v0.20.4

This does not work:

$ GOSUMDB=sum.golang.org GOMODCACHE=$(mktemp -d) GOPROXY=direct go mod download github.com/google/go-containerregistry@v0.20.4
go: github.com/google/go-containerregistry@v0.20.4: verifying module: checksum mismatch
	downloaded: h1:wQ614GjDrt6MiV9fwIVBdJqmDuup3Fho6QfltIrnNSw=
	sum.golang.org: h1:w/Fdj3ef046SdV/GJU69cCnreaLpqbTo1X9XPyHbkd4=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Expected behavior

The mod should still match the reported checksum. Not sure if there is anything that can be done other then retagging a new v0.20.5.

Additional context

$ go version
go version go1.24.3 linux/amd64

[mjnowen]

+1 hitting this exact issue, due to corporate infrastructure banning use of GOPROXY, so must use GOPROXY=direct.

Please can you raise a new TAG and re-release. Tagging @imjasonh, @luhring, and @Subserial who created the v0.20.4 release.

[imjasonh]

@Subserial I'm not sure who deleted/re-created the tag, but we should never do that.

The fix will be to tag v0.20.5 and encourage folks to use that. We'll need to document that v0.20.4 is not usable as a Go module as a result of the tag change.

@Subserial please feel free to reach out to me the next time you want to run a release.

[imjasonh]

Tagged https://github.com/google/go-containerregistry/releases/tag/v0.20.5

Updated the description for https://github.com/google/go-containerregistry/releases/tag/v0.20.4

[imjasonh]

I'll close this issue but please ping if it's causing any other issues.

[mjnowen]

Fixed for me now. Thanks for the fast fix.

[Subserial]

Ah, sorry about that. I was having incremental issues with the releasing tools. I'll try not to break things if I have to deal with that in the future.