x/website: Download redirection for GPG signature files does not work #35717

Closed
fd0 opened this issue Nov 20, 2019 · 3 comments

@fd0 fd0 commented Nov 20, 2019

What version of Go are you using (go version)?

$ go version
go version go1.13.4 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/fd0/.cache/go-build"
GOENV="/home/fd0/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/fd0/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/zsh-1000/go-build763029635=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I've tried to download the GPG signature files for Go and discovered some odd behavior:

Go releases can be downloaded by accessing e.g. https://golang.org/dl/go1.13.4.src.tar.gz. There's a redirect to https://dl.google.com/go/go1.13.4.src.tar.gz:

$ curl -i https://golang.org/go1.13.4.src.tar.gz
HTTP/2 302
date: Wed, 20 Nov 2019 19:08:18 GMT
content-type: text/html; charset=utf-8
content-length: 67
location: https://dl.google.com/go/go1.13.4.src.tar.gz
[...]

<a href="https://dl.google.com/go/go1.13.4.src.tar.gz">Found</a>.

So I can just use curl -L or wget to download the release:

$  wget --no-verbose https://golang.org/dl/go1.13.4.src.tar.gz
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
2019-11-20 19:04:36 URL:https://dl.google.com/go/go1.13.4.src.tar.gz [21619153/21619153] -> "go1.13.4.src.tar.gz" [1]

This does not work for the GPG signature files:

$ wget --no-verbose https://golang.org/dl/go1.13.4.src.tar.gz.asc
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
2019-11-20 19:05:15 URL:https://golang.org/dl/go1.13.4.src.tar.gz.asc [330/330] -> "go1.13.4.src.tar.gz.asc" [1]

$ cat go1.13.4.src.tar.gz.asc
<!DOCTYPE html>
<html>
<head>
<meta name="go-import" content="golang.org/dl git https://go.googlesource.com/dl">
<meta http-equiv="refresh" content="0; url=https://golang.org/dl/#go1.13.4.src.tar.gz.asc">
</head>
<body>
Nothing to see here; <a href="https://golang.org/dl/#go1.13.4.src.tar.gz.asc">move along</a>.
</body>
</html>

The server's response for a signature is a bit odd:

$ curl -i https://golang.org/dl/go1.13.4.src.tar.gz.asc
HTTP/2 200
date: Wed, 20 Nov 2019 19:09:40 GMT
content-type: text/html; charset=utf-8
content-length: 330
vary: Accept-Encoding
location: https://golang.org/dl/#go1.13.4.src.tar.gz.asc
[...]

<!DOCTYPE html>
<html>
<head>
<meta name="go-import" content="golang.org/dl git https://go.googlesource.com/dl">
<meta http-equiv="refresh" content="0; url=https://golang.org/dl/#go1.13.4.src.tar.gz.asc">
</head>
<body>
Nothing to see here; <a href="https://golang.org/dl/#go1.13.4.src.tar.gz.asc">move along</a>.
</body>
</html>

There's a location header which is ignored by browsers because the status code is 200, but browsers will honor the meta tag and redirect to https://golang.org/dl/.

The signature file can be accessed here though:

$ curl -i https://dl.google.com/go/go1.13.4.src.tar.gz.asc
HTTP/2 200
accept-ranges: bytes
content-disposition: attachment
content-length: 819
[...]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABCAAGBQJdu22LAAoJEGSUxtaZfCFeXigQAKc6NflWvvbaZ6S7RCVuRNzA
[...]
-----END PGP SIGNATURE-----

What did you expect to see?

The URL https://golang.org/dl/go1.13.4.src.tar.gz.asc should redirect to https://dl.google.com/go/go1.13.4.tar.gz.asc as for the normal releases.

What did you see instead?

The server returns an odd result with a status code of 200 and a location header.
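
A download script can refuse to hand such a response to `gpg --verify`. The following is an added example, not part of the original post or of the golang/website code; `checkSignatureResponse` and `fetchSignature` are hypothetical helper names, and the values in `main` are constructed from the headers quoted above.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
)

// checkSignatureResponse (hypothetical helper) decides whether an HTTP response
// may be treated as a detached, ASCII-armored PGP signature.
func checkSignatureResponse(status int, h http.Header, body []byte) error {
	if status != http.StatusOK {
		return fmt.Errorf("unexpected status %d", status)
	}
	// HTTP clients do not follow Location on a 200, so the body is not the redirect target.
	if loc := h.Get("Location"); loc != "" {
		return fmt.Errorf("200 response carries Location %q", loc)
	}
	if !bytes.HasPrefix(bytes.TrimSpace(body), []byte("-----BEGIN PGP SIGNATURE-----")) {
		return fmt.Errorf("body is not an armored signature (Content-Type %q)", h.Get("Content-Type"))
	}
	return nil
}

// fetchSignature (hypothetical helper) downloads url and returns the body only if it passes the check.
func fetchSignature(c *http.Client, url string) ([]byte, error) {
	resp, err := c.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10)) // signatures are small
	if err != nil {
		return nil, err
	}
	if err := checkSignatureResponse(resp.StatusCode, resp.Header, body); err != nil {
		return nil, err
	}
	return body, nil
}

func main() {
	// Constructed input mirroring the response quoted in the issue.
	h := http.Header{"Location": {"https://golang.org/dl/#go1.13.4.src.tar.gz.asc"}}
	fmt.Println(checkSignatureResponse(200, h, []byte("<!DOCTYPE html>\n<html>")))
}
```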

@fd0 fd0 commented Nov 20, 2019

I've opened golang/website#6 which adds the redirection for GPG signature files and resolves this issue.

I don't understand why the odd response is returned; as far as I can see, the matching case is this:

https://github.com/golang/website/blob/c0a416a8e8210aeeb71119dbb91c27c1c5f067ec/internal/dl/server.go#L195-L196

I can only reproduce this with files starting with goX.Y:

$ curl -i https://golang.org/dl/go123.555
HTTP/2 200
date: Wed, 20 Nov 2019 19:35:45 GMT
content-type: text/html; charset=utf-8
content-length: 302
vary: Accept-Encoding
location: https://golang.org/dl/#go123.555
strict-transport-security: max-age=31536000; includeSubDomains; preload
via: 1.1 google
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000

<!DOCTYPE html>
<html>
<head>
<meta name="go-import" content="golang.org/dl git https://go.googlesource.com/dl">
<meta http-equiv="refresh" content="0; url=https://golang.org/dl/#go123.555">
</head>
<body>
Nothing to see here; <a href="https://golang.org/dl/#go123.555">move along</a>.
</body>
</html>

But in this case isGoGet should be false (since I don't include go-get=1):

https://github.com/golang/website/blob/c0a416a8e8210aeeb71119dbb91c27c1c5f067ec/internal/dl/server.go#L169

so the location header should not be set here:

https://github.com/golang/website/blob/c0a416a8e8210aeeb71119dbb91c27c1c5f067ec/internal/dl/server.go#L202-L204

I'll stop here; I've found no way to run this server locally.

@gopherbot gopherbot commented Nov 20, 2019

Change https://golang.org/cl/208158 mentions this issue: internal/dl: redirect to downloadBaseURL for GPG signatures

@fd0 fd0 commented Nov 22, 2019

@dmitshur do you think it's worth investigating the odd behavior I discovered? I can create a new issue for that if needed.

@golang golang locked and limited conversation to collaborators Nov 21, 2020