Description
Go version
go1.25
Output of go env in your module/workspace:
AR='ar'
CC='clang'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='clang++'
GCCGO='gccgo'
GO111MODULE=''
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='blaze-bin/cloud/sdk/gcloud/gcloud_lite artifacts go goauth --location=us-west1'
GOBIN=''
GOCACHE='/usr/local/google/home/hzyi/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/usr/local/google/home/hzyi/.config/go/env'
GOEXE=''
GOEXPERIMENT='fieldtrack,boringcrypto'
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3533660362=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/dev/null'
GOMODCACHE='/usr/local/google/home/hzyi/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/usr/local/google/home/hzyi/go'
GOPRIVATE=''
GOPROXY='staging-qual-us-west1-go.pkg.dev/hanzhenyi3/go-remote'
GOROOT='/usr/lib/google-golang'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/usr/local/google/home/hzyi/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/lib/google-golang/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.25-20250216-RC00 cl/727547642 +d524e1eccd X:fieldtrack,boringcrypto'
GOWORK=''
PKG_CONFIG='pkg-config'What did you do?
I work on the GCP Artifact Registry team (private Go registries) and I am integrating with the GOAUTH environment variable in 1.24. I am working on a gcloud command that would output:
https://us-west1-go.pkg.dev/
Authorization: Bearer <token>
This is based on the sample at https://pkg.go.dev/cmd/go#hdr-GOAUTH_environment_variable
What did you see happen?
Go fails to attach the authorization when I run go mod download resulting in a 401 error (as I have access to the backend log, I can see in the backend that the request indeed does not have the auth header from the GOAUTH output).
Full error:
$ go mod download -x github.com/google/[email protected]
# get https://staging-qual-us-west1-go.pkg.dev/hanzhenyi3/go-remote/github.com/google/go-containerregistry/@v/v0.20.0.info
# get https://staging-qual-us-west1-go.pkg.dev/hanzhenyi3/go-remote/github.com/google/go-containerregistry/@v/v0.20.0.info: 401 Unauthorized (9.990s)
go: github.com/google/[email protected]: reading https://staging-qual-us-west1-go.pkg.dev/hanzhenyi3/go-remote/github.com/google/go-containerregistry/@v/v0.20.0.info: 401 Unauthorized
What did you expect to see?
More detailed docs on what the output should be in the docs.
I did some digging and I think the problem is at this line:
go/src/cmd/go/internal/auth/auth.go
Line 149 in d7a1261
strings.Cut(currentPrefix, "/") will remove the trailing slash in the URL when Go tries to match URLs in the credential cache by prefix. If I remove the trailing slash in the output of the GOAUTH command, i.e. to the following:
https://us-west1-go.pkg.dev
Authorization: Bearer <token>
It works, but this contradicts the example in the Godoc.
https://example.com/
https://example.net/api/
Authorization: Basic <token>
https://another-example.org/
Example: Data
Looking at the code there seem to be two ways Go matches request URLs to those in the credential cache (by full match or by prefix match), but the documentation does not have clarification on this. I am also not sure how a full match would work given the request URL is different for every Go module proxy API endpoint.
Activity