cockroachdb / errors

Go error library with error portability over the network

v1.8.5 go.mod checksum changes?

StevenACoffman opened this issue · comments

I apologize if this is something unique to me, but I am wondering if there was anything odd about the 1.8.5 release. I am repeatedly getting these in CI:

Step #0: # get https://proxy.golang.org/github.com/cockroachdb/errors/@v/v1.8.5.mod: 200 OK (0.022s)
Step #0: verifying github.com/cockroachdb/errors@v1.8.5/go.mod: checksum mismatch
Step #0: 	downloaded: h1:GV8u+kb+Pb23w4FneavC3BBo/8XbnWqcCGhHKi3foME=
Step #0: 	go.sum:     h1:hOm5fabihW+xEyY1kuypGwqT+Vt7rafg04ytBtIpeIQ=
Step #0: 
Step #0: SECURITY ERROR
Step #0: This download does NOT match an earlier download recorded in go.sum.
Step #0: The bits may have been replaced on the origin server, or an attacker may
Step #0: have intercepted the download attempt.

I tried:
go clean -cache; go clean -modcache ; go mod tidy and yet on my CI go download -x; go mod verify fails to verify the checksum. Just double checking that you didn't have some sort of incident.

This may be related to #81 and #78

I'm not sure what is going on, but that sounds quite inconvenient. I'll issue a new release to clear up the problem.

@StevenACoffman can you confirm that 1.8.6 makes your problem go away? Thanks

Thanks!
So in addition to updating go.mod to v1.8.6 I also needed to add to my go.mod:

exclude github.com/cockroachdb/errors v1.8.5

This is because in our Dockerfile we have:

ENV GOFLAGS="-mod=readonly"
ENV GOPRIVATE="github.com/Khan"
ENV GO111MODULE=on

# Moving outside of $GOPATH forces modules on without having to set ENVs
WORKDIR /src/pkg

# Add go.mod and go.sum first to maximize caching
COPY ./pkg/go.mod ./pkg/go.sum /src/pkg/

RUN go mod download -x
RUN go mod verify

This is the same thing I've encountered in other libraries (exclude github.com/ryancurrah/gomodguard v1.2.1) where the central go module proxy got the wrong checksum. Not sure if maintainers even have any way to fix the central go module proxy checksums.

This fixes my issue though, so I appreciate your speedy response!
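
Added example, not part of the original thread and not code from cockroachdb/errors: a way to recompute the h1: hash that go.sum records for a module's go.mod file and compare it with the recorded line, which shows whether the served file or the go.sum entry is the one that differs. The function names GoModH1 and CheckGoSum, the module path example.com/demo and the go.mod contents are constructed for illustration; the hash layout follows Go's dirhash.Hash1 applied to a single file named go.mod.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// GoModH1 computes the "h1:" hash that go.sum records for a go.mod file:
// base64(SHA-256("<hex SHA-256 of file>  go.mod\n")), as dirhash.Hash1 does.
func GoModH1(goMod []byte) string {
	fileSum := sha256.Sum256(goMod)
	summary := fmt.Sprintf("%x  go.mod\n", fileSum[:])
	total := sha256.Sum256([]byte(summary))
	return "h1:" + base64.StdEncoding.EncodeToString(total[:])
}

// CheckGoSum finds the "<module> <version>/go.mod <hash>" line in go.sum text
// and reports the recorded hash and whether it matches the given go.mod bytes.
func CheckGoSum(goSum, module, version string, goMod []byte) (string, bool, error) {
	want := GoModH1(goMod)
	sc := bufio.NewScanner(strings.NewReader(goSum))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 3 && f[0] == module && f[1] == version+"/go.mod" {
			return f[2], f[2] == want, nil
		}
	}
	return "", false, fmt.Errorf("no go.mod entry for %s@%s in go.sum", module, version)
}

func main() {
	// Constructed inputs: the "served" go.mod differs from the one go.sum was built from.
	served := []byte("module example.com/demo\n\ngo 1.13\n")
	stale := "example.com/demo v1.0.0/go.mod " + GoModH1([]byte("module example.com/demo\n")) + "\n"
	rec, ok, err := CheckGoSum(stale, "example.com/demo", "v1.0.0", served)
	fmt.Println("recorded:", rec, "computed:", GoModH1(served), "match:", ok, "err:", err)
}
```

Feeding it the go.mod bytes fetched from the proxy and from the origin repository tag separately shows which source agrees with the committed go.sum.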