What vgo commit did you build from?

What happens if you attempt to go get the same repository with the ordinary go tool?

Are you using the credential helper?

What vgo commit did you build from?

I don't know, I just updated it before running it... how can I know the commit?

What happens if you attempt to go get the same repository with the ordinary go tool?

The simple go get does some stuff in the background and says nothing, if I run go get -v -u I see the repo itself downloaded and some dependencies downloaded, few others blocked by our firewall (-insecure seems to allow the download for everything).

Are you using the credential helper?

I don't think so, I exchanged the keys with github so my remote is like

$ git remote -v
origin	git@github.com:MY_ORGANIZATION/MY_REPO.git (fetch)
origin	git@github.com:MY_ORGANIZATION/MY_REPO.git (push)

The error text shows the command being run. It is one of the few git commands that doesn't actually care about having a git repo to run, so you can just try it in any directory you want:

git ls-remote -q https://github.com/MY_ORGANIZATION/MY_REPO

Does it work?

Possible duplicate of #26145 but the error message from git is different (no mention of terminal prompts disabled).

Ok, so

$ git ls-remote -q https://github.com/MY_ORGANIZATION/MY_REPO
remote: Repository not found.
fatal: repository 'https://github.com/MY_ORGANIZATION/MY_REPO/' not found

but

$ git ls-remote git@github.com:MY_ORGANIZATION/MY_REPO.git
3fe3e3f8b07ff40cdf5de8685360715c4c06df9c	HEAD
1fd67741650c052e30bce6d780cd26c273ba0ab2	refs/heads/dev
1498d237221b9e19d55148dded8fafc7316a47bf	refs/heads/evo
3fe3e3f8b07ff40cdf5de8685360715c4c06df9a	refs/heads/master
3e86bf596a1f63631b91cc9cbbc0866b88cb67c3	refs/pull/1/head
14aef40c003sw32ab1402b2471d164c549624e5c	refs/pull/2/head
...

Maybe I am able to reach the repository only via ssh?

If you can make the https form work then vgo (and old go get) will be happy. The two possible ways to do that are:

1. Add to $HOME/.gitconfig:

   [url "ssh://git@github.com/MYORGANIZATION/"]
   insteadOf = https://github.com/MYORGANIZATION/

2. Add to $HOME/.netrc:

   machine github.com login YOU password APIKEY

where APIKEY is an API key obtained from the GitHub API page with access to private repos.

Retitling this to "cmd/go: github private repos require special configuration".
Maybe for Go 1.12 we should think about some way to get this right by default. I'm not sure exactly how.

The first option, adding

[url "ssh://git@github.com/MYORGANIZATION/"]
    insteadOf = https://github.com/MYORGANIZATION/

to $HOME/.gitconfig work like a charm!!
Thanks!

Hi Guys,

I don't know if this is the correct issue to comment on so please forgive me if it's not correct, I ended up here because of an Issue I am having with Gitlab. We have a project structure where we use subgroups for project organisation by client/project/repo. So our package import paths are 3 levels deep rather than the standard 2 you see on Github. This is fine except for an issue with go get. Gitlab has a strict security policy where requests for the go-import meta data is incorrect for private sub groups by design for unauthenticated requests. So for example if I wanted to go get my.gitlab.com/foo/bar/fizz the meta data request would be https://my.gitlab.com/foo/bar/fizz?go-get=1 and the meta data returned would be:

<html><head><meta name="go-import" content="my.gitlab.com/foo/bar git https://my.gitlab.com/foo/bar.git" /></head></html>

Gitlab recently did implement support for a HTTP header to override this behaviour over here: https://gitlab.com/gitlab-org/gitlab-ce/issues/42817 so we can send a Private-Token header to get the correct meta. However I cannot find a way where I can get go get to send that header to resolve the source path.

We could update our import paths to include a .git suffix but that feels a little broken?

I guess what we need is a way for go get to find crednetial information for these sorts of projects, perhaps another file that lives alongside go.mod and go.sub like go.creds or something, which could contain credential information (you wouldn't want to check that into a repo tho). Or perhaps a way to override go-import meta data locally? 🤷‍♂️

To add to the list of options in this space (#26134 (comment)), we should also add use of a keychain/keyring as a third option (which is independent of remote VCS). Instructions vary quite widely between platforms, unsurprisingly:

• Mac: https://help.github.com/articles/updating-credentials-from-the-osx-keychain/
• Linux: https://wiki.archlinux.org/index.php/GNOME/Keyring (or equivalent)
• Windows: ???

I've switched back from using the ssh solution on Linux to using Gnome keyring (even though I don't use Gnome) to great effect... not least because it can be used to unify all credentials.

@FiloSottile are there are any security implications that I'm unaware of with respect to the use of keychain/keyrings for this sort of thing?

Note that this issue only applies to the hard-coded hosting sites.

I have reason to believe that this statement may have been mistaken. I plan to investigate further.

This issue somehow ended up in the Proposals queue in Feb. 2021, but I'm not sure why — I think it may be just a bug.

I've started to suspect that this may just be a problem in the way that we probe for which protocol to use.

It appears that both GitHub and GitLab support SSH by having everyone use the username git, and then treating the public key presented by the user as the “effective user ID”. So probably when we probe for SSH support, in addition to trying ssh with the user's actual username, we should also try ssh with the hard-coded username git.

This needs some more thought and investigation

If you need conditional git includes, using hasconfig:remote is better:

[includeIf "hasconfig:remote.*.url:https://github.com/org/*"]
  path = org.gitconfig

That said, should this be retitled to focus on ssh probing?

if you want to use gitdir, you'll need to set the GOAUTH variable https://pkg.go.dev/cmd/go#hdr-GOAUTH_environment_variable