Let's assume you are using Go Modules and have a go.mod file that contains multiple private repos each with a different ssh key. How can you get go mod download to do the right thing -- i.e. use ssh key A with private repo A and ssh key B with private repo B?
Ok, here we go!
Let's assume you have some github.com user with multiple private repos:
https://github.com/someuser/private-repo-1
https://github.com/someuser/private-repo-2
and a go.mod file that looks something like this:
module github.com/alice/repo
go 1.11
require (
github.com/someuser/private-repo-1 v0.0.0
github.com/someuser/private-repo-2 v0.0.0
github.com/bob/public-repo v0.0.0
)
As part of an automated process (e.g. running go mod download in a Docker container) you need to clone these private repos without using a password and make sure that you use the right key with its corresponding repo.
(I'm skipping over all the ways to try and get this to work that don't)
In order to access the repos we are going to use Github deploy keys. Because a given deploy key can only be added to one specific repo, you'll need to generate a keypair for each:
$ ssh-keygen -t ecdsa -C "[email protected]"
...
> private1_id_ecdsa, private1_id_ecdsa.pub # keys for private-repo-1
$ ssh-keygen -t ecdsa -C "[email protected]"
...
> private2_id_ecdsa, private2_id_ecdsa.pub # keys for private-repo-2Next you'll add each key to its corresponding repo via Settings > Deploy keys in Github:
private1_id_ecdsa.pub => github.com/someuser/private-repo-1
private2_id_ecdsa.pub => github.com/someuser/private-repo-2
Now you'll need to tell your ssh client what private key to use for which repo. Open up ~/.ssh/config and add:
Host private1.github.com
HostName github.com
IdentityFile ~/.ssh/private1_id_ecdsa
IdentitiesOnly yes
Host private2.github.com
HostName github.com
IdentityFile ~/.ssh/private2_id_ecdsa
IdentitiesOnly yes
This tells ssh when it sees a repo at private1.github.com/foo to use the private1_id_ecdsa deploy key, and likewise a repo at private2.github.com/bar should use the private2_id_ecdsa deploy key.
Ok great, but your repos are github.com/someuser/private-repo-1 and github.com/someuser/private-repo-1, so how can we make this work correctly with go mod download?
Bring the Magic
Edit your ~/.gitconfig file and add:
[url "[email protected]:someuser/private-repo-1"]
insteadOf = https://github.com/someuser/private-repo-1
[url "[email protected]:someuser/private-repo-2"]
insteadOf = https://github.com/someuser/private-repo-2Now when go mod download encounters a url in your mod file like https://github.com/someuser/private-repo-1 it will automagicallly rewrite the host so your ~/.ssh/config picks it up correctly and uses the right key. \:D/ Yay!
p.s.
You won't need to use GOPRIVATE when calling go mod -- it will just work -- but you might want to anyway if you're concerned about info leakage.
@Ivasan7 ,
Thank you for explaining...
I get the security implications. But I want to try it out for something. There is another disadvantage of adding key per repo. You have to add it for every user that is going to have access to that repo. If one key is compromised for that repo, you have to ask all the users to change the keys. And furthermore, in order to be able to add/update the keys you need to have admin access to the repo(which is very dangerous in my opinion that every user has admin access) or admin has to manage the keys all the time.
Can you also explain how you did it, or what steps I have to take, on my side to enable it?