x/website: Download redirection for GPG signature files does not work

[fd0]

What version of Go are you using (go version)?

$ go version
go version go1.13.4 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/fd0/.cache/go-build"
GOENV="/home/fd0/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/fd0/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/zsh-1000/go-build763029635=/tmp/go-build -gno-record-gcc-switches"

What did you do?

I've tried to download the GPG signature files for Go and discovered some odd behavior:

Go releases can be downloaded by accessing e.g. https://golang.org/dl/go1.13.4.src.tar.gz. There's a redirect to https://dl.google.com/go/go1.13.4.src.tar.gz:

$ curl -i https://golang.org/go1.13.4.src.tar.gz
HTTP/2 302
date: Wed, 20 Nov 2019 19:08:18 GMT
content-type: text/html; charset=utf-8
content-length: 67
location: https://dl.google.com/go/go1.13.4.src.tar.gz
[...]

<a href="https://dl.google.com/go/go1.13.4.src.tar.gz">Found</a>.

So I can just use curl -L or wget to download the release:

$  wget --no-verbose https://golang.org/dl/go1.13.4.src.tar.gz
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
2019-11-20 19:04:36 URL:https://dl.google.com/go/go1.13.4.src.tar.gz [21619153/21619153] -> "go1.13.4.src.tar.gz" [1]

This does not work for the GPG signature files:

$ wget --no-verbose https://golang.org/dl/go1.13.4.src.tar.gz.asc
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
2019-11-20 19:05:15 URL:https://golang.org/dl/go1.13.4.src.tar.gz.asc [330/330] -> "go1.13.4.src.tar.gz.asc" [1]

$ cat go1.13.4.src.tar.gz.asc
<!DOCTYPE html>
<html>
<head>
<meta name="go-import" content="golang.org/dl git https://go.googlesource.com/dl">
<meta http-equiv="refresh" content="0; url=https://golang.org/dl/#go1.13.4.src.tar.gz.asc">
</head>
<body>
Nothing to see here; <a href="https://golang.org/dl/#go1.13.4.src.tar.gz.asc">move along</a>.
</body>
</html>

The server's response for a signature is a bit odd:

$ curl -i https://golang.org/dl/go1.13.4.src.tar.gz.asc
HTTP/2 200
date: Wed, 20 Nov 2019 19:09:40 GMT
content-type: text/html; charset=utf-8
content-length: 330
vary: Accept-Encoding
location: https://golang.org/dl/#go1.13.4.src.tar.gz.asc
[...]

<!DOCTYPE html>
<html>
<head>
<meta name="go-import" content="golang.org/dl git https://go.googlesource.com/dl">
<meta http-equiv="refresh" content="0; url=https://golang.org/dl/#go1.13.4.src.tar.gz.asc">
</head>
<body>
Nothing to see here; <a href="https://golang.org/dl/#go1.13.4.src.tar.gz.asc">move along</a>.
</body>
</html>

There's a location header which is ignored by browsers because the status code is 200, but browsers will honor the meta tag and redirect to https://golang.org/dl/.

The signature file can be accessed here though:

$ curl -i https://dl.google.com/go/go1.13.4.src.tar.gz.asc
HTTP/2 200
accept-ranges: bytes
content-disposition: attachment
content-length: 819
[...]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABCAAGBQJdu22LAAoJEGSUxtaZfCFeXigQAKc6NflWvvbaZ6S7RCVuRNzA
[...]
-----END PGP SIGNATURE-----

What did you expect to see?

The URL https://golang.org/dl/go1.13.4.src.tar.gz.asc should redirect to https://dl.google.com/go/go1.13.4.tar.gz.asc as for the normal releases.

What did you see instead?

The server returns an odd result with a status code of 200 and a location header.

[fd0]

I've opened golang/website#6 which adds the redirection for GPG signature files and resolves this issue.

I don't understand why the odd response is returned, as far as I can see the matching case is this:

https://github.com/golang/website/blob/c0a416a8e8210aeeb71119dbb91c27c1c5f067ec/internal/dl/server.go#L195-L196

I can only reproduce this with files starting with goX.Y:

$ curl -i https://golang.org/dl/go123.555
HTTP/2 200
date: Wed, 20 Nov 2019 19:35:45 GMT
content-type: text/html; charset=utf-8
content-length: 302
vary: Accept-Encoding
location: https://golang.org/dl/#go123.555
strict-transport-security: max-age=31536000; includeSubDomains; preload
via: 1.1 google
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000

<!DOCTYPE html>
<html>
<head>
<meta name="go-import" content="golang.org/dl git https://go.googlesource.com/dl">
<meta http-equiv="refresh" content="0; url=https://golang.org/dl/#go123.555">
</head>
<body>
Nothing to see here; <a href="https://golang.org/dl/#go123.555">move along</a>.
</body>
</html>

But in this case isGoGet should be false (since I don't include go-get=1):

https://github.com/golang/website/blob/c0a416a8e8210aeeb71119dbb91c27c1c5f067ec/internal/dl/server.go#L169

so the location header should not be set here:

https://github.com/golang/website/blob/c0a416a8e8210aeeb71119dbb91c27c1c5f067ec/internal/dl/server.go#L202-L204

I'll stop here, I've found no way to run this server locally.

[gopherbot]

Change https://golang.org/cl/208158 mentions this issue: internal/dl: redirect to downloadBaseURL for GPG signatures

[fd0]

@dmitshur do you think it's worth investigating the odd behavior I discovered? I can create new issue for that if needed.