Duplicate of #26232?

I encounter the same problem: go version go1.11.5 windows/amd64
Is there a go command flag or environment setting that can enable the connection with .netrc?

In the cmd\go\internal\web2\web.go can be found implementation of sending a GET request with .netrc config. But I think they are not used during go get and go build commands.

No flag should be necessary. Is it possible that your .netrc file is not located in $HOME/.netrc (%USERPROFILE%/_netrc on Windows)?

I tried out on Windows and on Linux. The netrc file was at the proper place in both cases.
With curl -n I could receive the correct git repoRoot.

From what I can see, go get does not currently use the cmd/go/internal/web2 package that handles netrc loading -- only go mod download would (which has different response expectations than go get, I think?). So, that may explain why go get -v ... doesn't show it -- it's because it doesn't use netrc. Based on #26232, it seems like whether this will even be supported is still in planning.

Change https://golang.org/cl/161698 mentions this issue: cmd/go/internal/web2: make netrc parsing more robust

From what I can see, go get does not currently use the cmd/go/internal/web2 package that handles netrc loading -- only go mod download would (which has different response expectations than go get, I think?). So, that may explain why go get -v ... doesn't show it -- it's because it doesn't use netrc. Based on #26232, it seems like whether this will even be supported is still in planning.

In this case it is important to have .netrc support for the go get since we can clone the git repo using ssh/git credentials but we cannot discover the repo that owns the package without it.

No flag should be necessary. Is it possible that your .netrc file is not located in $HOME/.netrc (%USERPROFILE%/_netrc on Windows)?
My .netrc is correctly located in $HOME/.netrc as you can see from the curl command with -n

Some more information

Meta import tag request (...?go-get=1) is done using function

This last internally uses the http.DefaultClient and does not have any type of authentication or .netrc parsing as happens in the web2 package.

Ran into same problem which led me to this github issue. At this point it's a blocker and can't use private gitlab repositories as libraries for other go projects. Any workaround or fix will be greatly appreciated. I see this is tagged to be in Go 1.13. If by chance it's possible, releasing it in Go 1.12 would greatly help.

yeah I'm really struggling too - just moved from nodejs to go and this really is a pain point for me aswell (gitlab private nested packages). I kinda just want to pay for npm-like private repos and just have something that works off the bat.

Same issue here with Go 1.12

Works with curl

$ curl -k -n https://gitlab.com/group/subgroup/myrepo?go-get=1
<html><head><meta name="go-import" content="gitlab.com/group/subgroup/myrepo git https://gitlab.com/group/subgroup/myrepo.git" /></head></html>

But when I try Go get it fails

$ go get -v gitlab.com/group/subgroup/myrepo
Fetching https://gitlab.com/group/subgroup/myrepo?go-get=1
Parsing meta tags from https://gitlab.com/group/subgroup/myrepo?go-get=1 (status code 200)
get "gitlab.com/group/subgroup/myrepo": found meta tag get.metaImport{Prefix:"gitlab.com/group/subgroup", VCS:"git", RepoRoot:"https://gitlab.com/group/subgroup.git"} at https://gitlab.com/group/subgroup/myrepo?go-get=1
get "gitlab.com/group/subgroup/myrepo": verifying non-authoritative meta tag
Fetching https://gitlab.com/group/subgroup?go-get=1
Parsing meta tags from https://gitlab.com/group/subgroup?go-get=1 (status code 200)
Fetching https://gitlab.com/group/subgroup?go-get=1
Parsing meta tags from https://gitlab.com/group/subgroup?go-get=1 (status code 200)
get "gitlab.com/group/subgroup": found meta tag get.metaImport{Prefix:"gitlab.com/group/subgroup", VCS:"git", RepoRoot:"https://gitlab.com/group/subgroup.git"} at https://gitlab.com/group/subgroup?go-get=1
Fetching https://gitlab.com/group?go-get=1
Parsing meta tags from https://gitlab.com/group?go-get=1 (status code 200)
Fetching https://gitlab.com?go-get=1
Parsing meta tags from https://gitlab.com?go-get=1 (status code 200)
go get gitlab.com/group/subgroup/myrepo: git ls-remote -q https://gitlab.com/group/subgroup.git in /home/alethenorio/go/pkg/mod/cache/vcs/3e751597139208a6e518d0bd38652d0e04d1c2a63f7d667f6fb54374ccef23c7: exit status 128:
	remote: The project you were looking for could not be found.
	fatal: repository 'https://gitlab.com/group/subgroup.git/' not found

Would someone here who has experienced a problem on this issue be willing to open up a problem report on the GitLab side? Maybe it is a case of documentation being incorrect, or maybe there is a bug on the GitLab side, or maybe there is a bug on the go tool side... but one of the challenges is I would assume the core Go team are not expert GitLab users and hence it would likely be worthwhile to make sure someone from GitLab is also looking at this set of problem(s). Perhaps there is a workaround, for example, or other possible near-term solution...

Its already documented that the issue is go does not authenticate when it tries to access https://gitlab.com/my/private/repo this in-turn means gitlab returns the incorrect gitlab.com/my/repo.git path by design so as to not give away folder structure within a private organization.

The following code comment documents this:

# If a project is found and the user has access, we return the full project path
# If not, we return the first two components as if it were a simple `namespace/project` path,
# so that we don't reveal the existence of a nested project the user doesn't have access to.
# This means that for an unauthenticated request to `group/subgroup/project/subpackage`
# for a private `group/subgroup/project` with subpackage path `subpackage`, GitLab will respond
# as if the user is looking for project `group/subgroup`, with subpackage path `project/subpackage`.
# Since `go get` doesn't authenticate by default, this means that
# `go get gitlab.com/group/subgroup/project/subpackage` will not work for private projects.
# `go get gitlab.com/group/subgroup/project.git/subpackage` will work, since Go is smart enough
# to figure that out. `import 'gitlab.com/...'` behaves the same as `go get`.

https://gitlab.com/gitlab-org/gitlab-ce/issues/37832

Currently the only robust way I know of is to a) add a system ssh key pair that git will use and gitlab.com will accept and b) have go mod redirect the package to a full git path: i.e.

go.mod: 

module gitlab.com/my/private/group/foo

go 1.12

require (
	gitlab.com/my/private/group/bar v0.0.1
)

replace gitlab.com/my/private/group/bar => gitlab.com/my/private/group/bar.git v0.0.11

this allows the importing (within go) of gitlab.com/my/private/group/bar

certainly works, but requires manually updating the go.mod file if you want to change versions or to simply add a new dependency

This issue deals specifically with the access of https://gitlab.com/my/private/repo such that the http client (that go uses) adds credentials that gitlab.com will accept and (hopefully) the workaround will no longer be required.

The original report here in #29888 (comment) says:

As far I can see, go get is not forwarding .netrc credentials when using subgroups.

The issue one liner here currently reads "cmd/go: go module not forwarding credentials from .netrc to gitlab subgroups".

This issue on the gitlab side was opened a year ago, and is currently closed:
https://gitlab.com/gitlab-org/gitlab-ce/issues/37832

The GitLab 11.7 release notes from roughly 2 months ago say:

Go packages hosted in GitLab can be installed using go get, however this was not supported for private projects in subgroups. Starting with GitLab 11.7, any project can be used as a Go package, including private projects in subgroups.

Private packages are supported by the go get command using a .netrc file, and using a personal access token in the password field.

Thank you MortyChoi for the contribution!

I was pointed to this particular #29888 issue here by someone who stated roughly that the support for private projects in subgroups released in GitLab 11.7 "doesn't work at all".

Part of what I am not following is:

1. Did GitLab release and announce a capability in GitLab 11.7 that states it supports private projects in subgroups with the go command using a .netrc file, but that new capability never worked end-to-end with the go command?
2. If using a .netrc for private projects in subgroups with GitLab 11.7+ does work in some cases, what are those cases? (For example, does a .netrc with private projects in subgroups with GitLab 11.7+ work as long as one does go get gitlab.com/group/subgroup/project.git/subpackage rather than go get gitlab.com/group/subgroup/project/subpackage?)

@thepudds

1. yes, they released it without it ever worked for private repos. It is impossible because when go tries to discover the repo that owns the go package with ?go-get=1 request it does not forward the .netrc credentials. For this go uses a function that is part of web module and credentials are only supported in web2 module as I have previously mentioned.

2. it only works if all paths (groups, subgroups and repos) are public and open access otherwise it will fail.

Thanks for the answers. It seems surprising given what their release notes say.

I guess I'll ask again if anyone here is willing or interested in opening up an issue on the GitLab side. It seems they should at least update their documentation or release notes. It might also trigger a GitLab employee to show up here and comment further, which might help advance the resolution for this issue here. (I am not a GitLab user, so I am probably not the best person to open an issue there).

Change https://golang.org/cl/170879 mentions this issue: cmd/go/internal/web{,2}: consolidate web packages