Another hash mismatch prevents building with GOPROXY=direct #3474

Closed
ChandlerSwift opened this issue Oct 15, 2024 · 1 comment · Fixed by gruntwork-io/boilerplate#199 or #3480
Labels
bug Something isn't working

Comments


ChandlerSwift commented Oct 15, 2024

Describe the bug
I generally run go with GOPROXY=direct, which bypasses the Google-run module cache and downloads module sources directly from their repos. Terragrunt fails to be built with this option set, due to a hash mismatch on a dependency.

I had reported a similar bug in #2900, but that one resolved itself with d7423b8#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6R42.

To Reproduce
I ran these commands in a current golang docker container, to make sure nothing in my environment was causing (additional) issues:

docker pull golang:latest
docker run -it golang:latest
$ git clone --depth=1 https://github.com/gruntwork-io/terragrunt.git
[...]
$ cd terragrunt
$ git rev-parse HEAD
af89a982c98d50d8a0015016c70f311462d5c57f
$ GOPROXY=direct go build main.go
go: downloading github.com/go-errors/errors v1.4.2
[...]
go: downloading github.com/hashicorp/terraform-registry-address v0.2.0
go: downloading github.com/googleapis/enterprise-certificate-proxy v0.3.3
go: downloading github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
go: downloading github.com/aymerick/douceur v0.2.0
go: downloading github.com/felixge/httpsnoop v1.0.4
verifying github.com/googleapis/[email protected]: checksum mismatch
	downloaded: h1:G6q7VHBoU74wQHXFsZSLMPl0rFw0ZDrlZ3rt6/aTBII=
	go.sum:     h1:QRje2j5GZimBzlbhGA2V2QlGNgL8G6e+wGo/+/2bWI0=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

Expected behavior
This build should succeed.

Additional context
I'm not a go packaging expert, so take all this with a healthy grain of salt :) My understanding is that go's tooling all makes the (reasonable) assumption that a tagged release will not change. However, as mentioned in googleapis/enterprise-certificate-proxy#127:

There appears to have been an erroneous release of v0.3.3, where (presumably) commit googleapis/enterprise-certificate-proxy@f21be58 was tagged, instead of googleapis/enterprise-certificate-proxy@f3de1e7.
This has since been corrected, so googleapis/enterprise-certificate-proxy@f3de1e7 is the tagged commit now.

However, module proxies and mirrors have already managed to get ahold of the erroneously tagged version, and are still distributing that version, while others end up with the correct version.

This leads to security errors on go get:

verifying github.com/googleapis/[email protected]: checksum mismatch
       downloaded: h1:QRje2j5GZimBzlbhGA2V2QlGNgL8G6e+wGo/+/2bWI0=
       go.sum:     h1:G6q7VHBoU74wQHXFsZSLMPl0rFw0ZDrlZ3rt6/aTBII=

SECURITY ERROR
This download does NOT match an earlier download recorded in go.sum.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

We should upgrade to v0.3.4 of enterprise-certificate-proxy, which doesn't have this issue.
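The SECURITY ERROR quoted above is the toolchain comparing the h1: hash of the module it just downloaded with the one recorded in go.sum. The following is an added example, not code from Terragrunt, Google or the Go toolchain: it re-implements that hash over an in-memory file tree and runs the same go.sum comparison, so two different trees published under one tag can be seen to produce the mismatch. The module path example.com/m and all file contents are constructed.

```go
// Added example, not code from the Terragrunt or Go projects. File contents are constructed.
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// hash1 is the "h1:" algorithm behind go.sum (golang.org/x/mod dirhash.Hash1):
// sha256 each file, list them sorted by name as "<hex>  <name>\n", then sha256
// the listing and base64 it. The real tool hashes the module zip, whose entry
// names carry a "module@version/" prefix; plain names are used here.
func hash1(files map[string]string) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, n := range names {
		sum := sha256.Sum256([]byte(files[n]))
		fmt.Fprintf(summary, "%x  %s\n", sum, n)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// verify looks up module@version in go.sum text and compares the recorded
// h1: value with the hash of what was actually downloaded. ok=false is the
// condition the toolchain reports as a SECURITY ERROR checksum mismatch.
func verify(goSum, module, version, got string) (recorded string, ok bool) {
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) == 3 && f[0] == module && f[1] == version {
			return f[2], f[2] == got
		}
	}
	return "", false // no entry recorded for this module@version
}

func main() {
	// Constructed stand-ins for two different trees published under one tag.
	tree1 := map[string]string{"go.mod": "module example.com/m\n", "m.go": "package m\n"}
	tree2 := map[string]string{"go.mod": "module example.com/m\n", "m.go": "package m // retagged\n"}
	goSum := "example.com/m v0.3.3 " + hash1(tree1) + "\n"
	rec, ok := verify(goSum, "example.com/m", "v0.3.3", hash1(tree2))
	fmt.Printf("go.sum: %s\nmatch: %v\n", rec, ok) // match: false
}
```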


ChandlerSwift commented Oct 17, 2024

Can confirm, this seems to be working now. Thanks for the lightning-fast response!

Edit: and a new test as well 🤯 That's awesome; thanks!
