Checksum Database Auditor
Source Spotter verifies that the Go Module Mirror and Checksum Database is behaving honestly, and has not presented inconsistent information to clients.
The Checksum Database works by putting module checksums in a Merkle Tree, and periodically signing and publishing the root of the tree, called a Signed Tree Head (STH). Different parties can exchange STHs to verify that the Checksum Database has not given them inconsistent information, which may indicate that the Module Mirror has served one of the parties a malicious module.
You can verify that your Go toolchain's view of the Checksum Database is consistent with Source Spotter's view by uploading the STH from your $GOPATH to Source Spotter's STH Gossip endpoint:
curl --data-binary "@$(go env GOPATH)/pkg/sumdb/sum.golang.org/latest" https://gossip.api.sourcespotter.com/sum.golang.org
Source Spotter will audit the STH and reply with its assessment.
Monitored Databases
| Database | Largest STH Seen At | Largest STH | Largest Verified STH | Verify Backlog | Download Backlog |
|---|---|---|---|---|---|
| sum.golang.org | 2025-10-30 20:58:11 UTC | 45752995 | 45752995 (Download) | 0 | 0 |
Inconsistent STHs
If Source Spotter detects an STH that is inconsistent with the checksum database's Largest Verified STH shown above, it will be disclosed here:
| Database | Tree Size | STH Root Hash | Expected Root Hash | Download |
|---|---|---|---|---|
Duplicate Records
If Source Spotter detects that a checksum database has published more than one record for a module version, it will be disclosed here:
| Database | Module | Version | Position | Previous Position |
|---|---|---|---|---|
Gossip
To retrieve the latest STH that we've observed, GET the gossip endpoint, https://gossip.api.sourcespotter.com/$GOSUMDB
For example, the gossip endpoint for sum.golang.org is https://gossip.api.sourcespotter.com/sum.golang.org
To upload an STH that you've observed, POST it to the gossip endpoint.
For example, to upload the STH that your Go toolchain has observed for sum.golang.org, you can run:
curl --data-binary "@$(go env GOPATH)/pkg/sumdb/sum.golang.org/latest" https://gossip.api.sourcespotter.com/sum.golang.org
Source Spotter responds to an uploaded STH with a plain text document containing one of the following status codes, followed by a colon, followed by a longer human-readable message:
consistent - the uploaded STH is consistent with other STHs seen by Source Spotter
inconsistent - the uploaded STH is inconsistent with other STHs seen by Source Spotter, meaning the Checksum Database has violated its integrity by presenting different information to different clients; the uploaded STH will be published on this page as evidence of the perfidy
pending - Source Spotter doesn't know yet if the uploaded STH is consistent with other STHs seen by Source Spotter; it will be saved for future auditing and published on this page if it's inconsistent
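The upload and the three status codes described above can be turned into a check for a build or cron job. The following is an added example, not Source Spotter's own code: the function names and exit codes are hypothetical, and it assumes the status code is the first thing in the reply. It matches the text before the first colon exactly, because a substring search for "consistent" would also match "inconsistent".

```shell
#!/bin/sh
# Added example (not from Source Spotter): upload the local STH and map the
# gossip reply to an exit code. Function names and exit codes are hypothetical.

GOSSIP_BASE="https://gossip.api.sourcespotter.com"   # endpoint given on the page

# parse_status REPLY: print the text before the first colon.
# Assumption: the status code is the first thing in the reply document.
parse_status() {
    printf '%s\n' "${1%%:*}"
}

# verdict_code REPLY: 0 consistent, 1 inconsistent, 2 pending, 3 anything else.
# Exact matching matters: grepping for "consistent" also matches "inconsistent".
verdict_code() {
    case "$(parse_status "$1")" in
        consistent)   return 0 ;;
        inconsistent) return 1 ;;
        pending)      return 2 ;;
        *)            return 3 ;;   # fail closed on unknown or malformed replies
    esac
}

# audit_sumdb [DATABASE]: POST the toolchain's latest STH and report the verdict.
audit_sumdb() {
    db=${1:-sum.golang.org}
    sth="$(go env GOPATH)/pkg/sumdb/$db/latest"
    if [ ! -r "$sth" ]; then
        echo "no STH found at $sth" >&2
        return 3
    fi
    # No --fail here: the body is always parsed, and an error page that does
    # not start with a known status code falls through to exit code 3.
    reply=$(curl --silent --show-error --data-binary "@$sth" "$GOSSIP_BASE/$db") || return 3
    printf '%s\n' "$reply"
    verdict_code "$reply"
}
```

Source the file and call `audit_sumdb`; treat exit code 1 as an alert and exit code 2 as a reason to re-check later rather than as success.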