
Verifiable Builds

GoReleaser has support for creating verifiable builds. A verifiable build is one that records enough information to be precise about exactly how to repeat it. All dependencies are loaded via the Go module proxy and verified against the checksum database. A GoReleaser-created verifiable build includes module information in the resulting binary, which can be printed using `go version -m mybinary`.

Configuration options available are described below.

```yaml
# goreleaser.yaml

gomod:
  # Proxy a module through the Go module proxy, making the builds verifiable.
  # This will only be effective if running against a tag. Snapshots will ignore
  # this setting.
  # Notice: for this to work your `build.main` must be a package, not a `.go` file.
  proxy: true

  # If proxy is true, use these environment variables when running `go mod`
  # commands (namely, `go mod tidy`).
  # Default: `os.Environ()` merged with what you set in the root `env` section.
  env:
    - GOPROXY=,direct

  # Sets the `-mod` flag value.
  # Since: v1.7
  mod: mod

  # Which Go binary to use.
  # Default: `go`.
  gobinary: go1.17
```


You can use debug.ReadBuildInfo() to get the version/checksum/dependencies of the module.


VCS Info will not be embedded in the binary, as in practice it is not being built from the source, but from the Go Mod Proxy.
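
The following Go program is an added example, not part of the GoReleaser documentation or code base. It uses `debug.ReadBuildInfo()` and the VCS note above to flag a binary whose embedded module info does not describe a tagged, checksummed module. The names `owner` and `Audit`, the sample values, and the idea that a proxied build's main package may come from a dependency of a temporary main module are assumptions of this example.

```go
package main

import (
	"fmt"
	"runtime/debug"
	"strings"
)

// owner returns the module (main or dependency) that provides package bi.Path.
func owner(bi *debug.BuildInfo) *debug.Module {
	var best *debug.Module
	for _, m := range append([]*debug.Module{&bi.Main}, bi.Deps...) {
		if strings.HasPrefix(bi.Path+"/", m.Path+"/") && (best == nil || len(m.Path) > len(best.Path)) {
			best = m
		}
	}
	return best
}

// Audit lists reasons bi does not describe a tagged, checksummed module build.
func Audit(bi *debug.BuildInfo) (out []string) {
	if m := owner(bi); m == nil || m.Version == "(devel)" || m.Sum == "" {
		out = append(out, "main package not from a tagged, checksummed module")
	}
	for _, d := range bi.Deps {
		if d.Replace != nil {
			out = append(out, "replaced dependency: "+d.Path)
		}
	}
	for _, s := range bi.Settings {
		if s.Key == "vcs.revision" { // the page: proxied builds carry no VCS info
			out = append(out, "VCS info present, built from a checkout: "+s.Value)
		}
	}
	return out
}

// Constructed samples: a proxy-style build and a local-checkout build.
var proxied = &debug.BuildInfo{Path: "example.com/app/cmd/app",
	Main: debug.Module{Path: "tmpbuild", Version: "(devel)"},
	Deps: []*debug.Module{{Path: "example.com/app", Version: "v1.2.3", Sum: "h1:constructed="}}}
var checkout = &debug.BuildInfo{Path: "example.com/app/cmd/app",
	Main:     debug.Module{Path: "example.com/app", Version: "(devel)"},
	Settings: []debug.BuildSetting{{Key: "vcs.revision", Value: "0000000"}}}

func main() {
	if bi, ok := debug.ReadBuildInfo(); ok { // this binary's own module info
		fmt.Println(bi.Main.Path, bi.Main.Version, Audit(bi))
	}
}
```

An empty result from `Audit` means none of these checks fired; it does not by itself prove the build is reproducible.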