Skip to content

cmd/go: go get -insecure requires GIT_SSL_NO_VERIFY #34568

New issue
New issue
Not planned
Not planned
cmd/go: go get -insecure requires GIT_SSL_NO_VERIFY#34568
Labels
GoCommandcmd/goNeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
 
Backlog
@kyroy

Description

@kyroy
kyroy
opened on Sep 27, 2019

What version of Go are you using (go version)?

$ go version
go version go1.13 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOENV="/root/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/go/test/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build128427995=/tmp/go-build -gno-record-gcc-switches"

What did you do?

$ docker run  -ti --rm golang:1.13 bash
$ mkdir test && cd test && go mod init test
$ export GOPRIVATE=github.xxxx.xxxxx.corp

$ go get github.xxxx.xxxxx.corp/myorg/go
go get github.xxxx.xxxxx.corp/myorg/go: unrecognized import path "github.xxxx.xxxxx.corp/myorg/go" (https fetch: Get https://github.xxxx.xxxxx.corp/myorg/go?go-get=1: x509: certificate signed by unknown authority)

$ go get -insecure -x -v  github.xxxx.xxxxx.corp/myorg/go
# get https://github.xxxx.xxxxx.corp/?go-get=1
# get https://github.xxxx.xxxxx.corp/myorg?go-get=1
# get https://github.xxxx.xxxxx.corp/myorg/go?go-get=1
# get //github.xxxx.xxxxx.corp/myorg/go?go-get=1: 200 OK (0.068s)
get "github.xxxx.xxxxx.corp/myorg/go": found meta tag get.metaImport{Prefix:"github.xxxx.xxxxx.corp/myorg/go", VCS:"git", RepoRoot:"https://github.xxxx.xxxxx.corp/myorg/go.git"} at //github.xxxx.xxxxx.corp/myorg/go?go-get=1
mkdir -p /go/pkg/mod/cache/vcs # git3 https://github.xxxx.xxxxx.corp/myorg/go.git
# lock /go/pkg/mod/cache/vcs/1e0d9b889f3416a56ea37502ad1137f6723e61f8260c10aaf3fb8c45d44204fe.lockmkdir -p /go/pkg/mod/cache/vcs/1e0d9b889f3416a56ea37502ad1137f6723e61f8260c10aaf3fb8c45d44204fe # git3 https://github.xxxx.xxxxx.corp/myorg/go.git
cd /go/pkg/mod/cache/vcs/1e0d9b889f3416a56ea37502ad1137f6723e61f8260c10aaf3fb8c45d44204fe; git init --bare
0.005s # cd /go/pkg/mod/cache/vcs/1e0d9b889f3416a56ea37502ad1137f6723e61f8260c10aaf3fb8c45d44204fe; git init --bare
cd /go/pkg/mod/cache/vcs/1e0d9b889f3416a56ea37502ad1137f6723e61f8260c10aaf3fb8c45d44204fe; git remote add origin -- https://github.xxxx.xxxxx.corp/myorg/go.git
0.003s # cd /go/pkg/mod/cache/vcs/1e0d9b889f3416a56ea37502ad1137f6723e61f8260c10aaf3fb8c45d44204fe; git remote add origin -- https://github.xxxx.xxxxx.corp/myorg/go.git
cd /go/pkg/mod/cache/vcs/1e0d9b889f3416a56ea37502ad1137f6723e61f8260c10aaf3fb8c45d44204fe; git ls-remote -q origin
# get //github.xxxx.xxxxx.corp/?go-get=1: 200 OK (0.101s)
0.111s # cd /go/pkg/mod/cache/vcs/1e0d9b889f3416a56ea37502ad1137f6723e61f8260c10aaf3fb8c45d44204fe; git ls-remote -q origin
# get //github.xxxx.xxxxx.corp/myorg?go-get=1: 200 OK (1.277s)
go get github.xxxx.xxxxx.corp/myorg/go: git ls-remote -q origin in /go/pkg/mod/cache/vcs/1e0d9b889f3416a56ea37502ad1137f6723e61f8260c10aaf3fb8c45d44204fe: exit status 128:
	fatal: unable to access 'https://github.xxxx.xxxxx.corp/myorg/go.git/': server certificate verification failed. CAfile: none CRLfile: none

$ GIT_SSL_NO_VERIFY=1 go get -insecure github.xxxx.xxxxx.corp/myorg/go
go: finding github.xxxx.xxxxx.corp/myorg/go latest
go: downloading github.xxxx.xxxxx.corp/myorg/go v0.0.0-20190903123812-3090d622918c
go: extracting github.xxxx.xxxxx.corp/myorg/go v0.0.0-20190903123812-3090d622918c

What did you expect to see?

I would expect that the option -insecure also disables the SSL verification for git.

What did you see instead?

go get -insecure fails and I have to enable GIT_SSL_NO_VERIFY to be able to download my dependency.

Activity

kyroy
mentioned this on Sep 27, 2019
bcmills
added
NeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.
on Sep 27, 2019
bcmills

bcmills commented on Sep 27, 2019

@bcmills
bcmills
on Sep 27, 2019
Contributor

We should probably revisit this in conjunction with #32966.

bcmills
added this to the Unplanned milestone on Sep 27, 2019
bcmills

bcmills commented on Sep 27, 2019

@bcmills
bcmills
on Sep 27, 2019
Contributor

CC @jayconrod @FiloSottile

jayconrod
modified the milestones: Unplanned, Backlog on Nov 12, 2019
witchard
mentioned this on Feb 27, 2020
gabyhelp
mentioned this on Jul 9, 2024
gabyhelp
mentioned this on Sep 28, 2024
gabyhelp
mentioned this on Jan 2, 2025
gabyhelp
mentioned this on Jan 15, 2025
seankhliao
added
GoCommandcmd/go
on Feb 22, 2025
gabyhelp
mentioned this in 2 issues on Mar 7, 2025
matloob

matloob commented on Mar 27, 2025

@matloob
matloob
on Mar 27, 2025 · edited by matloob
Contributor

Closing this issue. We can revisit if there's still interest in it for GOINSECURE.

matloob
closed this as not plannedon Mar 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    GoCommandcmd/goNeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @jayconrod@kyroy@bcmills@seankhliao@matloob

        Issue actions
          cmd/go: go get -insecure requires GIT_SSL_NO_VERIFY · Issue #34568 · golang/go