github.com/goreleaser/goreleaser@v1.25.1/www/docs/customization/verifiable_builds.md (about) 1 # Verifiable Builds 2 3 GoReleaser has support for creating verifiable builds. A [verifiable build][vgo] 4 is one that records enough information to be precise about exactly how to repeat 5 it. All dependencies are loaded via `proxy.golang.org`, and verified against the 6 checksum database `sum.golang.org`. A GoReleaser-created verifiable build will 7 include module information in the resulting binary, which can be printed using 8 `go version -m mybinary`. 9 10 Configuration options available are described below. 11 12 ```yaml 13 # goreleaser.yaml 14 15 gomod: 16 # Proxy a module from proxy.golang.org, making the builds verifiable. 17 # This will only be effective if running against a tag. Snapshots will ignore 18 # this setting. 19 # Notice: for this to work your `build.main` must be a package, not a `.go` file. 20 proxy: true 21 22 # If proxy is true, use these environment variables when running `go mod` 23 # commands (namely, `go mod tidy`). 24 # 25 # Default: `os.Environ()` merged with what you set the root `env` section. 26 env: 27 - GOPROXY=https://proxy.golang.org,direct 28 - GOSUMDB=sum.golang.org 29 - GOPRIVATE=example.com/blah 30 31 # Sets the `-mod` flag value. 32 # 33 # Since: v1.7 34 mod: mod 35 36 # Which Go binary to use. 37 # 38 # Default: `go`. 39 gobinary: go1.17 40 41 # Directory in which the go.mod file is. 42 # 43 # Default: '' 44 # Since: v1.25 45 dir: ./src 46 ``` 47 48 !!! tip 49 50 You can use `debug.ReadBuildInfo()` to get the version/checksum/dependencies 51 of the module. 52 53 !!! warning 54 55 VCS Info will not be embedded in the binary, as in practice it is not being 56 built from the source, but from the Go Mod Proxy. 57 58 !!! warning 59 60 If you have a `go.work` file, make sure to run `go work sync`, so the main 61 module (`.`) is the first line inside the `use` block. 62 63 [vgo]: https://research.swtch.com/vgo-repro