Should go.sum file be checked in to the git repository?

I have a program with source code hosted on GitHub that uses Go Modules introduced in go 1.11.

go.mod file describes my dependencies, but go.sum file seems to be a lockfile. Should I be adding go.sum to my repository or should I gitignore it?

https://github.com/golang/go/wiki/Modules#releasing-modules-all-versions:

> Ensure your go.sum file is committed along with your go.mod file.

(Building on a previous answer.)

Yes, commit go.sum.

> Ensure your go.sum file is committed along with your go.mod file. See FAQ below for more details and rationale.

From the FAQ: > ### Should I commit my 'go.sum' file as well as my 'go.mod' file? > Typically your module's go.sum file should be committed along with > your go.mod file. > > - go.sum contains the expected cryptographic checksums of the content of specific module versions. > - If someone clones your repository and downloads your dependencies using the go command, they will receive an error if there is any > mismatch between their downloaded copies of your dependencies and the > corresponding entries in your go.sum. > - In addition, go mod verify checks that the on-disk cached copies of module downloads still match the entries in go.sum. > - Note that go.sum is not a lock file as used in some alternative dependency management systems. (go.mod provides enough information > for reproducible builds). > - See very brief rationale here from > Filippo Valsorda on why you should check in your go.sum. See the > "Module downloading and > verification" > section of the tip documentation for more details. See possible future > extensions being discussed for example in > #24117 and > #25530.