Tails and unrecognized path errors

[tokzo]

Tails 1.3RC, go 1.3.3. Installation as in the readme give the following error messages

... amnesia@amnesia:~$ export GOPATH=/home/amnesia/Persistent/go/ amnesia@amnesia:~$ go get github.com/agl/xmpp-client package github.com/agl/xmpp-client imports github.com/agl/xmpp imports golang.org/x/crypto/otr: unrecognized import path "golang.org/x/crypto/otr" package github.com/agl/xmpp-client imports github.com/agl/xmpp imports golang.org/x/crypto/ssh/terminal: unrecognized import path "golang.org/x/crypto/ssh/terminal" package github.com/agl/xmpp-client imports github.com/agl/xmpp imports golang.org/x/net/html: unrecognized import path "golang.org/x/net/html" package github.com/agl/xmpp-client imports github.com/agl/xmpp imports golang.org/x/net/proxy: unrecognized import path "golang.org/x/net/proxy"

[sycamoreone]

The "custom" import path like golang.org/x/... used by xmpp-client where only introduced in Go 1.4. (https://golang.org/doc/go1.4#canonicalimports), so ideally you could use a go version 1.4 (e.g. from Debian experimental or from http://golang.org/doc/install). The installation instructions need to be updated here.

Otherwise it might work to change all occurrences of "golang.org/x/crypto*" in xmpp-client to "github.com/golang/crypto/*", but that is a workaround hack at best and will break if the imported packages use a custom import path internally.

[sycamoreone]

I will try to produce new working instructions for Tails, but won't have a chance to test anything using Tails today.

What should work even on Tails is to build your own Go from the github.com sources (given that you already have to trust https://github.com for the xmpp-client sources.)

$ cd ~/Persistent
$ sudo apt-get install gcc libc6-dev libc6-dev-i386
$ git clone https://github.com/golang/go.git
$ cd go && git checkout go1.4.1
$ cd src && ./all.bash

$ cd ~/Persistent
$ mkdir g && export GOPATH=~/Persistent/g
$ go get github.com/agl/xmpp-client
$ ~/Persistent/g/bin/xmpp-client

GOPATH isn't needed to start xmpp-client and you don't need to put the go repository into ~/Persistent if you are only interested in installng xmpp-client once. mercurial isn't needed anymore.

[tokzo]

Following the readme instructions but using Go in experimental (1.4.1) still produces the same errors.

[leif]

This is caused by Tails 1.3 not including an HTTP proxy anymore, which is how go get used to be able to get online in Tails.

Apparently "unrecognized import path" is the go get command's helpful way of saying "Connection refused" (in this case).

While investigating this, I noticed that go get actually falls back to HTTP when HTTPS connections fail (!!!) so it appears that go get isn't actually a safe command to run over tor (or any untrusted network).

See also Pond's ticket about this issue: https://github.com/agl/pond/pull/169

[sycamoreone]

This is strange. I completely missed Tails removing a http proxy. This isn't listed in the release notes https://tails.boum.org/news/version_1.3/index.en.html.

Also, can somebody who knows about Go in Debian, explain to me, how Debian's version 1.3 Go knows about the vanity import paths? Was this feature actually added earlier in is present in Go 1.3 already?

torsocks go get should still work though. Shouldn't it? (I one ignores the https vs http problem.)

[leif]

torsocks go get should still work though. Shouldn't it? (I one ignores the https vs http problem.)

I think torsocks doesn't work because go get needs to send an HTTPS(fallback to HTTP) request with ?go-get=1 for any imports from domains without hardcoded behavior (as described in the go get documentation) but then later it runs git which Tails has already configured to use Tor via torsocks. Running git under torsocks under go get under torsocks fails because the outer torsocks doesn't allow the inner torsocks to connect to localhost. Running go get under torsocks would probably work if you removed Tails' git config. The Tails ticket about using git with torsocks might be informative.

I'm currently looking in to ways to run go get "safely" over Tor. I think using Tor's RejectPlaintextPorts option to deny all port 80 connections is probably the easiest way. I'm reluctant to add instructions for adding and removing this option to the documentation for Pond and xmpp-client and any other golang program, but, until https://github.com/golang/go/issues/9637 is fixed and Go 1.5 is released I don't know what else to do :(

[tokzo]

amnesia@amnesia:~$ go version go version go1.3.3 linux/386 amnesia@amnesia:~$ export GOPATH=/home/amnesia/Persistent/go/

amnesia@amnesia:~$ torsocks go get github.com/agl/xmpp-client git clone https://github.com/agl/xmpp-client /home/amnesia/Persistent/go/src/github.com/agl/xmpp-client Cloning into '/home/amnesia/Persistent/go/src/github.com/agl/xmpp-client'... WARNING torsocks[7342]: [connect] Connection to a local address are denied since it might be a TCP DNS query to a local DNS server. Rejecting it for safety reasons. (in tsocks_connect() at connect.c:177) 12:19:17 libtsocks(7342): Error 1 attempting to connect to SOCKS server (Operation not permitted) [Mar 06 12:19:17] WARNING torsocks[7342]: [connect] Connection to a local address are denied since it might be a TCP DNS query to a local DNS server. Rejecting it for safety reasons. (in tsocks_connect() at connect.c:177) 12:19:17 libtsocks(7342): Error 1 attempting to connect to SOCKS server (Operation not permitted) error: Failed to connect to 192.30.252.130: Operation not permitted while accessing https://github.com/agl/xmpp-client/info/refs fatal: HTTP request failed package github.com/agl/xmpp-client: exit status 128

[sycamoreone]

For xmpp-client it isn't too hard to do go gets job by hand:

cd Persistent/
mkdir -p g/src/github.com/agl
mkdir -p g/src/golang.org/x/
export GOPATH=~/Persistent/g
cd $GOPATH/src/golang.org/x/
git clone https://github.com/golang/crypto
git clone https://github.com/golang/net
cd $GOPATH/src/github.com/agl
git clone https://github.com/agl/xmpp
git clone https://github.com/agl/xmpp-client
sudo bash -c "sudo apt-get update && sudo apt-get install -y -t testing golang"
cd xmpp-client && go install

Start xmpp-client with

~/Persistent/g/bin/xmpp-client

Tested in Tails 1.3 (except for typos).

[DrWhax]

These instructions work fine and I have reproduced on a 1.3.x Tails system.

[olabiniV2]

For reference, for anyone that still has this problem in 2019, the other part of the problem seems to be that Go (now at 1.12.something) statically links libraries, which means Torsocks and LD_PRELOAD simply doesn't work.

It also seems this is more of a problem for golang import paths, rather than the github ones. I saw it for example for golang.org/x/text/transform.

The way I solved this on Tails 3.15 is to use a tool cooled graftcp (https://github.com/hmgle/graftcp). Compiling it works out of the box, as long as the basic build essential tools are installed. After that there are a few things necessary:

• Start the server component pointing to socks5: graftcp graftcp-local -socks5 "127.0.0.1:9050"
• Open up 2233 for loopback connections (there is support for fifo, but I couldn't get it working on Tails) sudo iptables -I OUTPUT -o lo -p tcp --dport 2233 -j ACCEPT
• Give the graftcp binary ptrace capabilities: sudo setcap cap_sys_ptrace=eip /path/to/graftcp

Then you just use it as you would use Torsocks: graftcp go get golang.org/x/text/transform or starting a shell for it: graftcp bash