With the stabilization of alternative registries in Rust 1.34, it's now possible to connect to an alternative registry to provide an index. Since the alternative registry is a git repo, authentication can be handled in all the normal ways like SSH keypairs, git credential helpers, etc.
However, there doesn't currently seem to be a way to authenticate the downloads of the .crate files themselves. Once a download location is pulled from the "dl" key in the config.json provided by the index, Cargo makes a request to a URL constructed from that key. But as far as I can tell there is no way to inject any authentication information into that request. This means I need to either keep all my private .crate artifacts on a local LAN or behind some other security like VPN.
I've thought of a few workarounds, but all seem hacky or have security concerns:
- Based on authentication with the initial index provider, inject a long random string into the returned "dl" URL that is time-bound and unique per user. This isn't great because it requires modifying the returned index for every user.
- Use git+ssh for all crate downloads and rely on keypair auth. This actually wouldn't work because the download step requires https, http, or file URLs.
- Require a second command that syncs private registry .crate files to the local filesystem and then have config.json specify a file:// URL. This isn't good because now syncing dependencies isn't an automatic action on cargo build, etc.; it's a manual and forgettable step.
I think an ideal solution would extend the usage of a token obtained through cargo login to also be sent during crate download requests. This would need to be handled carefully so the token is only sent over secure connections and only to download URLs for the specific registry using the token.
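As an added illustration (not Cargo's own code, and not part of the original issue), the snippet below models the two pieces discussed here: how a download URL is built from the index's "dl" template, and a token-attachment rule of the kind the last paragraph asks for, where the `cargo login` token is sent only over https and only to the registry's own download host. `expand_dl`, `DownloadPolicy` and the `dl.example.com` host are assumed names for the example; the `{sha256-checksum}` marker is not modelled.

```rust
use std::collections::HashMap;

/// Expand a config.json "dl" template for one crate version using the index
/// format's markers ({crate}, {version}, {prefix}, {lowerprefix}). A template
/// with no markers gets "/{crate}/{version}/download" appended. Crate names
/// are ASCII, so byte slicing for the prefix is safe here.
pub fn expand_dl(dl: &str, name: &str, version: &str) -> String {
    let prefix = match name.len() {
        1 => "1".to_string(),
        2 => "2".to_string(),
        3 => format!("3/{}", &name[..1]),
        _ => format!("{}/{}", &name[..2], &name[2..4]),
    };
    let markers = ["{crate}", "{version}", "{prefix}", "{lowerprefix}"];
    if !markers.iter().any(|m| dl.contains(m)) {
        return format!("{}/{}/{}/download", dl, name, version);
    }
    dl.replace("{crate}", name)
        .replace("{version}", version)
        .replace("{prefix}", &prefix)
        .replace("{lowerprefix}", &prefix.to_lowercase())
}

/// Hypothetical policy: the token obtained via `cargo login` for this registry
/// is attached only when the download URL uses https and its host matches the
/// registry's configured download host. Anything else gets no credentials.
pub struct DownloadPolicy {
    pub dl_host: String,
    pub token: String,
}

impl DownloadPolicy {
    /// Headers to send for `url`: an Authorization header only when both
    /// conditions hold, otherwise an empty map (the token never leaks to
    /// plain-http or third-party hosts).
    pub fn headers_for(&self, url: &str) -> HashMap<&'static str, String> {
        let mut h = HashMap::new();
        if let Some(rest) = url.strip_prefix("https://") {
            let host = rest.split('/').next().unwrap_or("");
            if host.eq_ignore_ascii_case(&self.dl_host) {
                h.insert("Authorization", self.token.clone());
            }
        }
        h
    }
}
```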