私人回购邮件1.13-`go mod ..`失败：ping“ sum.golang.org/lookup” ..验证程序包.. 410不见了

I am using golang 1.13 .

I have a project that depends on a private gitlab project.

I have the ssh keys for the same.

When I try to retrieve the dependencies for a newly created module, I am getting the following error:

$ go version
go version go1.13 linux/amd64

$ go mod why
go: downloading gitlab.com/mycompany/myproject v0.0.145
verifying gitlab.com/mycompany/myproject@v0.0.145: gitlab.com/mycompany/myproject@v0.0.145: reading https://sum.golang.org/lookup/gitlab.com/mycompany/myproject@v0.0.145: 410 Gone

I have no idea why it is trying to ping sum.golang.org/lookup since it is a private gitlab project.

My ~/.gitconfig contains the following (based on my looking up in google search for similar errors)

# Enforce SSH
[url "ssh://git@github.com/"]
  insteadOf = https://github.com/
[url "ssh://git@gitlab.com/"]
        insteadOf = https://gitlab.com/
[url "ssh://git@bitbucket.org/"]
  insteadOf = https://bitbucket.org/
[url "git@gitlab.com:"]
        insteadOf = https://gitlab.com/

The error still persists.

I would expect the package to be downloaded from my private gitlab project repository to the current project.

Is there anything I need to do in my private gitlab project repository to make it ready for 'go get' ?

The private gitlab project repository already contains the go.sum and go.mod for the project as well.

Anything that I am missing ?

edit: 1) The private repo name and the company name contains no asterisks or any other special characters. only alphabets and not even numeric characters.

Would you happen to have a file in your private repo with an asterisk in its name by any chance ?

Answering my own question after looking up,

Setting the GOPRIVATE variable seems to help.

GOPRIVATE=gitlab.com/mycompany/*  go mod why

" The new GOPRIVATE environment variable indicates module paths that are not publicly available. It serves as the default value for the lower-level GONOPROXY and GONOSUMDB variables, which provide finer-grained control over which modules are fetched via proxy and verified using the checksum database. " from https://golang.org/doc/go1.13

Aliter:

Setting the env variable GONOSUMDB also seems to work. Specifically, invoking the following command seems to help.

    GONOSUMDB=gitlab.com/mycompany/* go mod why

The above env variable prevents the ping to sum.golang.org/lookup for a checksum match. It also prevents leaking the names of private repos to a public checksum db. [ Source - https://docs.gomods.io/configuration/sumdb/ ]

Also - here at

  * GONOSUMDB=prefix1,prefix2,prefix3 sets a list of module path prefixes, again possibly containing globs, that should not be looked up using the database.

source: https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md

Related Issues:

• https://github.com/golang/go/issues/32291
• https://github.com/golang/go/issues/33985 ["Go 1.13 has been released, and this issue was filed well after the freeze window. The proposed changes will not happen in 1.13, but don't assume they will necessarily happen in 1.14 either." from issue 33985 above. ]