diff --git a/src/cmd/go/internal/modfetch/sumdb.go b/src/cmd/go/internal/modfetch/sumdb.go
index 6e60e7d976..ea7d561d7b 100644
--- a/src/cmd/go/internal/modfetch/sumdb.go
+++ b/src/cmd/go/internal/modfetch/sumdb.go
@@ -34,12 +34,34 @@ import (
 // useSumDB reports whether to use the Go checksum database for the given module.
 func useSumDB(mod module.Version) bool {
 	if mod.Path == "golang.org/toolchain" {
+		must := true
 		// Downloaded toolchains cannot be listed in go.sum,
 		// so we require checksum database lookups even if
 		// GOSUMDB=off or GONOSUMDB matches the pattern.
 		// If GOSUMDB=off, then the eventual lookup will fail
 		// with a good error message.
-		return true
+
+		// Exception #1: using GOPROXY=file:// to test a distpack.
+		if strings.HasPrefix(cfg.GOPROXY, "file://") && !strings.ContainsAny(cfg.GOPROXY, ",|") {
+			must = false
+		}
+		// Exception #2: the Go proxy+checksum database cannot check itself
+		// while doing the initial download.
+		if strings.Contains(os.Getenv("GIT_HTTP_USER_AGENT"), "proxy.golang.org") {
+			must = false
+		}
+
+		// Another potential exception would be GOPROXY=direct,
+		// but that would make toolchain downloads only as secure
+		// as HTTPS, and in particular they'd be susceptible to MITM
+		// attacks on systems with less-than-trustworthy root certificates.
+		// The checksum database provides a stronger guarantee,
+		// so we don't make that exception.
+
+		// Otherwise, require the checksum database.
+		if must {
+			return true
+		}
 	}
 	return cfg.GOSUMDB != "off" && !module.MatchPrefixPatterns(cfg.GONOSUMDB, mod.Path)
 }