private repo - go 1.13 - `go mod ..` failed: ping "sum.golang.org/lookup" .. verifying package .. 410 gone

Question

I am using golang 1.13 .

I have a project that depends on a private gitlab project.

I have the ssh keys for the same.

When I try to retrieve the dependencies for a newly created module, I am getting the following error:

$ go version
go version go1.13 linux/amd64

$ go mod why
go: downloading gitlab.com/mycompany/myproject v0.0.145
verifying gitlab.com/mycompany/myproject@v0.0.145: gitlab.com/mycompany/myproject@v0.0.145: reading https://sum.golang.org/lookup/gitlab.com/mycompany/myproject@v0.0.145: 410 Gone

I have no idea why it is trying to ping sum.golang.org/lookup since it is a private gitlab project.

My ~/.gitconfig contains the following (based on my looking up in google search for similar errors)

# Enforce SSH
[url "ssh://git@github.com/"]
  insteadOf = https://github.com/
[url "ssh://git@gitlab.com/"]
        insteadOf = https://gitlab.com/
[url "ssh://git@bitbucket.org/"]
  insteadOf = https://bitbucket.org/
[url "git@gitlab.com:"]
        insteadOf = https://gitlab.com/

The error still persists.

I would expect the package to be downloaded from my private gitlab project repository to the current project.

Is there anything I need to do in my private gitlab project repository to make it ready for 'go get' ?

The private gitlab project repository already contains the go.sum and go.mod for the project as well.

Anything that I am missing ?

edit: 1) The private repo name and the company name contains no asterisks or any other special characters. only alphabets and not even numeric characters.

Would you happen to have a file in your private repo with an asterisk in its name by any chance ? — Weev, Sep 11 '19 at 09:38
well, no. only alphabetical characters and not even numeric. — noveaustack, Sep 11 '19 at 09:43

noveaustack · Answer 1 · 2019-09-13T10:40:06.970

Answering my own question after looking up,

Setting the GOPRIVATE variable seems to help.

GOPRIVATE=gitlab.com/mycompany/*  go mod why

" The new GOPRIVATE environment variable indicates module paths that are not publicly available. It serves as the default value for the lower-level GONOPROXY and GONOSUMDB variables, which provide finer-grained control over which modules are fetched via proxy and verified using the checksum database. " from https://golang.org/doc/go1.13

Aliter:

Setting the env variable GONOSUMDB also seems to work. Specifically, invoking the following command seems to help.

    GONOSUMDB=gitlab.com/mycompany/* go mod why

The above env variable prevents the ping to sum.golang.org/lookup for a checksum match. It also prevents leaking the names of private repos to a public checksum db. [ Source - https://docs.gomods.io/configuration/sumdb/ ]

Also - here at

  * GONOSUMDB=prefix1,prefix2,prefix3 sets a list of module path prefixes, again possibly containing globs, that should not be looked up using the database.

source: https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md

Related Issues:

https://github.com/golang/go/issues/32291
https://github.com/golang/go/issues/33985 ["Go 1.13 has been released, and this issue was filed well after the freeze window. The proposed changes will not happen in 1.13, but don't assume they will necessarily happen in 1.14 either." from issue 33985 above. ]

Muhammad Soliman · Answer 2 · 2020-02-20T05:00:27.923

Basically it failed to verify private repository. However I don't like turning off checksum, but you can easily set GOSUMDB to off before trying to get module. something like this:

GOSUMDB=off go get github.com/mycompany/myproject

ref: https://github.com/golang/go/issues/35164#issuecomment-546503518

A second and better solution is to set GOPRIVATE environment variable that controls which modules the go command considers to be private (not available publicly) and should therefore NOT use the proxy or checksum database. The variable is a comma-separated list of glob patterns (same syntax of Go's path.Match) of module path prefixes. For example,

export GOPRIVATE=*.corp.example.com,rsc.io/private

Or

go env -w GOPRIVATE=github.com/mycompany/*

Last solution you can try is to turn off such checks for all private repositories that you don't want to go public or being verified through sum.golang.org/lookup/github.com/mycompany/...

GONOSUMDB=gitlab.com/mycompany/* go mod why

Note that:

If you have issues fetching modules or repos over https, you may want to add the following to your ~/.gitconfig to make go get/fetch repositories using ssh instead of https

[url "ssh://git@github.com/"] insteadOf = https://github.com/

score 1 · Answer 3 · answered Jul 09 '20 at 12:17

1

Change following go variable's setting and then upgrade your package,

$ export GO111MODULE=on
$ export GOPROXY=direct
$ export GOSUMDB=off
$ go get -u <your dependency package>

answered Jul 09 '20 at 12:17

Siyaram Malav

4,414
2
31
31

It will be better to avoid deactivating checksum control for public modules (this is what does `export GOSUMDB=off`). Instead, configure `GOPRIVATE` to cover private repos. – Younes Mar 08 '23 at 11:28

score 1 · Answer 4 · edited Feb 03 '21 at 02:53

1

I have this scenario too and this works for me.

edit your .git/config and add two lines in it.( I have this in a global .gitconfig in home dir)

[url "ssh://youprivate.com"]
     insteadOf = https://yourprivate.com

export GOSUMDB=off

Then everything will OK.

edited Feb 03 '21 at 02:53

Dharman

30,962
25
85
135

answered Feb 03 '21 at 02:47

4t8dds

565
7
19

It will be better to avoid deactivating checksum control for public modules (this is what does `export GOSUMDB=off`). Instead, configure `GOPRIVATE` to cover private repos. – Younes Mar 08 '23 at 11:28

private repo - go 1.13 - `go mod ..` failed: ping "sum.golang.org/lookup" .. verifying package .. 410 gone

4 Answers4

Linked