cmd/go: mod verify tries to download replaced dependency

[wkaluza]

What version of Go are you using (go version)?

$ go version
go version go1.17.2 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/wkaluza/.cache/go-build"
GOENV="/home/wkaluza/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/wkaluza/go/pkg/mod"
GONOPROXY="github.com/wkaluza/*"
GONOSUMDB="github.com/wkaluza/*"
GOOS="linux"
GOPATH="/home/wkaluza/go"
GOPRIVATE="github.com/wkaluza/*"
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17.2"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3476795626=/tmp/go-build -gno-record-gcc-switches"
GOROOT/bin/go version: go version go1.17.2 linux/amd64
GOROOT/bin/go tool compile -V: compile version go1.17.2
uname -sr: Linux 5.11.0-38-generic
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.3 LTS
Release:	20.04
Codename:	focal
/lib/x86_64-linux-gnu/libc.so.6: GNU C Library (Ubuntu GLIBC 2.31-0ubuntu9.2) stable release version 2.31.
lldb --version: lldb version 10.0.0
gdb --version: GNU gdb (Ubuntu 9.2-0ubuntu1~20.04) 9.2

What did you do?

We have the following two files.

// go.mod
module m

go 1.17

replace quote_alias => rsc.io/quote v1.5.2

require rsc.io/quote v1.5.2

// main.go
package main

import (
	"fmt"
	q "quote_alias"
)

func main() {
	fmt.Println(q.Go())
}

Attempting to execute go run main.go results in an error.

main.go:5:2: rsc.io/quote@v1.5.2: missing go.sum entry; to add it:
	go mod download rsc.io/quote

Running go mod download rsc.io/quote and then go run main.go again gives another error:

main.go:5:2: module quote_alias provides package quote_alias and is replaced but not required; to add it:
	go get quote_alias

Executing go get quote_alias fails with the error:

go: downloading rsc.io/sampler v1.3.0
go: downloading golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c
go: rsc.io/quote@v1.5.2 used for two different module paths (quote_alias and rsc.io/quote)

The go.mod file is clearly malformed, but can be fixed by running go mod tidy. The result is as follows:

// go.mod
module m

go 1.17

replace quote_alias => rsc.io/quote v1.5.2

require quote_alias v0.0.0-00010101000000-000000000000

require (
	golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c // indirect
	rsc.io/sampler v1.3.0 // indirect
)

Now go run main.go works as expected. However, go mod verify fails with the following message:

quote_alias v0.0.0-00010101000000-000000000000: missing ziphash: open hash: no such file or directory

What did you expect to see?

I expected go mod tidy to fix the go.mod file (which it did) and for go mod verify to accept the result.

What did you see instead?

The go mod verify command treated the requirement with a placeholder ZeroPseudoVersion as a real package, attempted to look for it and failed.

---

Shouldn't go mod verify ignore ZeroPseudoVersion-ed requirements on principle? After all, a ZPV is a synthetic placeholder, not a real version string. If the discussion here reaches this conclusion, I may already have a fix and a regression test ready for review.

[wkaluza]

For completeness I should add that running go clean -modcache does not resolve the issue.

[wkaluza]

Ping...?
This is still present in go v1.21.3.