Package management is a feature that Go has been criticized for doing poorly. Before 1.11, go get lacked support for package versioning and reproducible builds. At the time, many useful tools were born in the Go community, such as glide, dep, etc. After 1.11, Go introduced the Go Module, and there was no longer a GOPATH restriction, so you could write projects in any path you wanted, but support for private repositories was not very good at that time. After version 1.13, Go has optimized Go Module again and supports the
GOPRIVATE environment variable, which allows you to specify the address of a private repository, making it very easy to use. In the process of using it, you may encounter some problems, so I will summarize the problems I encountered below.
If you run
go get your.gitlab.com/pkg/example directly without any setup, you will probably encounter the following error.
In fact, the error message has already given us the solution, we just need to click https://golang.org/doc/faq#git_https to check it out.
Here is the original article.
Why does “go get” use HTTPS when cloning a repository?
Companies often permit outgoing traffic only on the standard TCP ports 80 (HTTP) and 443 (HTTPS), blocking outgoing traffic on other ports, including TCP port 9418 (git) and TCP port 22 (SSH). When using HTTPS instead of HTTP, git enforces certificate validation by default, providing protection against man-in-the-middle, eavesdropping and tampering attacks. The go get command therefore uses HTTPS for safety.
Git can be configured to authenticate over HTTPS or to use SSH in place of HTTPS. To authenticate over HTTPS, you can add a line to the $HOME/.netrc file that git consults:
For GitHub accounts, the password can be a personal access token. Git can also be configured to use SSH in place of HTTPS for URLs matching a given prefix. For example, to use SSH for all GitHub access, add these lines to your ~/.gitconfig:
Presumably this means that HTTPS is more secure, so the
go get command uses HTTPS.
If you want to use HTTPS, then you need to configure the HTTPS username and password.
Of course you can also use ssh, which requires modifying your git configuration.
Modify the current user’s
~/.gitconfig and add the following.
The same effect can be achieved by executing the following command.
After the operation, we can use
go get and use
go get -v to display the execution log.
As we all know, most domestic users set up proxies. If we set up proxies using the
GOPROXY environment variable and use private repositories before Go 1.12, we are likely to encounter the following error.
This is because it is impossible for the proxy service to access our private code repository, so it reports an error 404, and it does not work even with the
ssh authentication mentioned above.
After Go 1.13, you can set the environment variable
GONOPROXY to specify a domain name without a proxy, with comma-separated values.
go mod needs to checksum the downloaded dependencies, which is fine if your git repository is open, but not if it is a private repository that is not accessible, even on your company’s intranet. It is likely that the checksum will fail with the following error.
As with proxies, our private repository is not visible to
sum.golang.org, so there is certainly no way to perform a security check.
Likewise in Go 1.13 onwards, you can set the
GONOSUMDB environment variable to specify the domain name to skip checksums, with support for comma-separated multiple values.
Finally, Go 1.13 also introduced the
GOPRIVATE environment variable, which can be set once and for all to automatically skip the proxy server and checksum checks, and the value of this variable also supports comma separation, so you can fill in multiple values, e.g.
Of course, after setting
GOPRIVATE, you can also control it separately with
But we need to pay attention to the problem of
For example, if a company has a private repository:
your.corp.com, if you set it up like this.
Since the value of
none, the user will still download all private and shared repositories from the address of
GOPROXY, which may still report an error. The same goes for
GONOSUMDB, so be aware of this.