verifying checksum mismatch
        downloaded: h1:PamBMopnHxO2nEIsU89ibVVnqnXR2yFTgGNc+PdG68o=
        go.sum:     h1:DnZGUjFbRkpytojHWwy6nfUSA7vFrzWXDLpFNzt74ZA=

This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Well that is annoying. For me it helped to move the go.sum away (mv go.sum go.sum.bak). Feels insecure, and please research this, but at least it compiled. In this case, the developers let me know it was not a problem.

By karlo