x/website: Download redirection for GPG signature files does not work #35717

Closed
fd0 opened this issue Nov 20, 2019 · 3 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
fd0 commented Nov 20, 2019

What version of Go are you using (go version)?

$ go version
go version go1.13.4 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/fd0/.cache/go-build"
GOENV="/home/fd0/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/fd0/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/zsh-1000/go-build763029635=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I've tried to download the GPG signature files for Go and discovered some odd behavior:

Go releases can be downloaded by accessing e.g. https://golang.org/dl/go1.13.4.src.tar.gz. There's a redirect to https://dl.google.com/go/go1.13.4.src.tar.gz:

$ curl -i https://golang.org/go1.13.4.src.tar.gz
HTTP/2 302
date: Wed, 20 Nov 2019 19:08:18 GMT
content-type: text/html; charset=utf-8
content-length: 67
location: https://dl.google.com/go/go1.13.4.src.tar.gz
[...]

<a href="https://dl.google.com/go/go1.13.4.src.tar.gz">Found</a>.

So I can just use curl -L or wget to download the release:

$  wget --no-verbose https://golang.org/dl/go1.13.4.src.tar.gz
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
2019-11-20 19:04:36 URL:https://dl.google.com/go/go1.13.4.src.tar.gz [21619153/21619153] -> "go1.13.4.src.tar.gz" [1]

This does not work for the GPG signature files:

$ wget --no-verbose https://golang.org/dl/go1.13.4.src.tar.gz.asc
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
2019-11-20 19:05:15 URL:https://golang.org/dl/go1.13.4.src.tar.gz.asc [330/330] -> "go1.13.4.src.tar.gz.asc" [1]

$ cat go1.13.4.src.tar.gz.asc
<!DOCTYPE html>
<html>
<head>
<meta name="go-import" content="golang.org/dl git https://go.googlesource.com/dl">
<meta http-equiv="refresh" content="0; url=https://golang.org/dl/#go1.13.4.src.tar.gz.asc">
</head>
<body>
Nothing to see here; <a href="https://golang.org/dl/#go1.13.4.src.tar.gz.asc">move along</a>.
</body>
</html>

The server's response for a signature is a bit odd:

$ curl -i https://golang.org/dl/go1.13.4.src.tar.gz.asc
HTTP/2 200
date: Wed, 20 Nov 2019 19:09:40 GMT
content-type: text/html; charset=utf-8
content-length: 330
vary: Accept-Encoding
location: https://golang.org/dl/#go1.13.4.src.tar.gz.asc
[...]

<!DOCTYPE html>
<html>
<head>
<meta name="go-import" content="golang.org/dl git https://go.googlesource.com/dl">
<meta http-equiv="refresh" content="0; url=https://golang.org/dl/#go1.13.4.src.tar.gz.asc">
</head>
<body>
Nothing to see here; <a href="https://golang.org/dl/#go1.13.4.src.tar.gz.asc">move along</a>.
</body>
</html>

There's a location header which is ignored by browsers because the status code is 200, but browsers will honor the meta tag and redirect to https://golang.org/dl/.

The signature file can be accessed here though:

$ curl -i https://dl.google.com/go/go1.13.4.src.tar.gz.asc
HTTP/2 200
accept-ranges: bytes
content-disposition: attachment
content-length: 819
[...]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABCAAGBQJdu22LAAoJEGSUxtaZfCFeXigQAKc6NflWvvbaZ6S7RCVuRNzA
[...]
-----END PGP SIGNATURE-----

What did you expect to see?

The URL https://golang.org/dl/go1.13.4.src.tar.gz.asc should redirect to https://dl.google.com/go/go1.13.4.tar.gz.asc as for the normal releases.

What did you see instead?

The server returns an odd result with a status code of 200 and a location header.
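
The failure reported above (an HTML page saved under the `.asc` name because the server answers 200 with a `Location` header) can be caught on the client side. This is an added example, not part of the original issue or the golang/website code: `newFakeDL` is a constructed test server that mimics the responses shown, its `fixed` mode and `/cdn/` path are assumptions, and `fetchSignature` is a hypothetical helper.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)
const armorHeader = "-----BEGIN PGP SIGNATURE-----"

// newFakeDL (constructed): with fixed=false, ".asc" paths get the reported 200 + Location + meta-refresh page.
func newFakeDL(fixed bool) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/cdn/", func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, armorHeader+"\n[constructed]\n-----END PGP SIGNATURE-----\n")
	})
	mux.HandleFunc("/dl/", func(w http.ResponseWriter, r *http.Request) {
		name := strings.TrimPrefix(r.URL.Path, "/dl/")
		if strings.HasSuffix(name, ".asc") && !fixed {
			w.Header().Set("Location", "/dl/#"+name)
			w.Header().Set("Content-Type", "text/html; charset=utf-8")
			fmt.Fprintf(w, `<meta http-equiv="refresh" content="0; url=/dl/#%s">`, name)
			return
		}
		http.Redirect(w, r, "/cdn/"+name, http.StatusFound)
	})
	return httptest.NewServer(mux)
}

// fetchSignature follows real 3xx redirects, then rejects any body that is not an ASCII-armored signature.
func fetchSignature(url string) ([]byte, error) {
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10))
	if err != nil || resp.StatusCode != http.StatusOK || !bytes.HasPrefix(bytes.TrimSpace(body), []byte(armorHeader)) {
		return nil, fmt.Errorf("rejected: read_err=%v status=%d type=%q location=%q", err, resp.StatusCode, resp.Header.Get("Content-Type"), resp.Header.Get("Location"))
	}
	return body, nil
}

func main() {
	srv := newFakeDL(false)
	defer srv.Close()
	fmt.Println(fetchSignature(srv.URL + "/dl/go1.13.4.src.tar.gz.asc"))
}
```

Checking the armor header before writing the file keeps a later `gpg --verify` failure from being mistaken for a bad signature when the download itself was the problem.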


fd0 commented Nov 20, 2019

I've opened golang/website#6 which adds the redirection for GPG signature files and resolves this issue.

I don't understand why the odd response is returned; as far as I can see, the matching case is this:

https://github.com/golang/website/blob/c0a416a8e8210aeeb71119dbb91c27c1c5f067ec/internal/dl/server.go#L195-L196

I can only reproduce this with files starting with goX.Y:

$ curl -i https://golang.org/dl/go123.555
HTTP/2 200
date: Wed, 20 Nov 2019 19:35:45 GMT
content-type: text/html; charset=utf-8
content-length: 302
vary: Accept-Encoding
location: https://golang.org/dl/#go123.555
strict-transport-security: max-age=31536000; includeSubDomains; preload
via: 1.1 google
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000

<!DOCTYPE html>
<html>
<head>
<meta name="go-import" content="golang.org/dl git https://go.googlesource.com/dl">
<meta http-equiv="refresh" content="0; url=https://golang.org/dl/#go123.555">
</head>
<body>
Nothing to see here; <a href="https://golang.org/dl/#go123.555">move along</a>.
</body>
</html>

But in this case isGoGet should be false (since I don't include go-get=1):

https://github.com/golang/website/blob/c0a416a8e8210aeeb71119dbb91c27c1c5f067ec/internal/dl/server.go#L169

so the location header should not be set here:

https://github.com/golang/website/blob/c0a416a8e8210aeeb71119dbb91c27c1c5f067ec/internal/dl/server.go#L202-L204

I'll stop here; I've found no way to run this server locally.

@gopherbot

Change https://golang.org/cl/208158 mentions this issue: internal/dl: redirect to downloadBaseURL for GPG signatures

@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Nov 21, 2019

fd0 commented Nov 22, 2019

@dmitshur do you think it's worth investigating the odd behavior I discovered? I can create a new issue for that if needed.

@golang golang locked and limited conversation to collaborators Nov 21, 2020
passionSeven added a commit to passionSeven/website that referenced this issue Oct 18, 2022
Fixes golang/go#35717

Change-Id: I6d063fb1d6c33b60a7bcf34cda832011a2fc120d
GitHub-Last-Rev: 9706ecb20d608d8688f4cf5dfea81c59ba718f6c
GitHub-Pull-Request: golang/website#6
Reviewed-on: https://go-review.googlesource.com/c/website/+/208158
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>