Skip to content

cmd/go: "go get" fails when GOFIPS140=v1.0.0 is set #73649

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
nomaed opened this issue May 9, 2025 · 4 comments
Open

cmd/go: "go get" fails when GOFIPS140=v1.0.0 is set #73649

nomaed opened this issue May 9, 2025 · 4 comments
Labels
BugReport Issues describing a possible bug in the Go implementation. GoCommand cmd/go NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Go1.25

Comments

@nomaed
Copy link

nomaed commented May 9, 2025
edited
Loading

Go version

go version go1.24.3 darwin/arm64

Output of go env in your module/workspace:

AR='ar'
CC='cc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='c++'
GCCGO='gccgo'
GO111MODULE=''
GOARCH='arm64'
GOARM64='v8.0'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/Users/b.aranovich/Library/Caches/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/Users/b.aranovich/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='v1.0.0'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/9k/1mhg428s7gq_bl9shx46rsz40000gp/T/go-build1732741947=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD='/Users/b.aranovich/tmp/test-fips/go.mod'
GOMODCACHE='/Users/b.aranovich/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/b.aranovich/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/opt/homebrew/Cellar/go/1.24.3/libexec'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/b.aranovich/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/opt/homebrew/Cellar/go/1.24.3/libexec/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.24.3'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

In any existing project (or a blank project), using go1.24 with FIPS-140-3 mode enabled using GOFIPS140='v1.0.0' environment, attempted to update github.com/open-policy-agent/opa library, or tried getting the fieldalignment tool (using -tool directive).

Running the following commands easily demonstrates the problem.

$ mkdir test-fips; cd test-fips
$ go mod init example.com/testfips
$ go version
go version go1.24.3 darwin/arm64
$ export GOFIPS140='v1.0.0'
$ go get -tool golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/fips140/v1.0.0/sha256: package crypto/internal/fips140/v1.0.0/sha256 is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/sha256)
(...more errors truncated...)
$ go get github.com/open-policy-agent/opa
go: github.com/open-policy-agent/opa imports
	github.com/open-policy-agent/opa/cmd imports
	crypto/rand imports
	crypto/internal/fips140/v1.0.0: package crypto/internal/fips140/v1.0.0 is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0)
(...more errors truncated...)

This doesn't happen when GOFIPS140 env var remains unset, without it go get successfully adds the dependencies to go.mod.

This doesn't seem to be happening with go install:

$ go install golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment@latest

works as expected, no errors; fieldalignment binary is correctly installed into ~/go/bin.

What did you see happen?

Full output for go get -tool command:

$ go get -tool golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/fips140/v1.0.0/sha256: package crypto/internal/fips140/v1.0.0/sha256 is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/sha256)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/boring imports
	crypto/cipher imports
	crypto/internal/fips140/v1.0.0/aes: package crypto/internal/fips140/v1.0.0/aes is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/aes)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/boring imports
	crypto/cipher imports
	crypto/internal/fips140/v1.0.0/aes/gcm: package crypto/internal/fips140/v1.0.0/aes/gcm is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/aes/gcm)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/boring imports
	crypto/cipher imports
	crypto/internal/fips140/v1.0.0/alias: package crypto/internal/fips140/v1.0.0/alias is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/alias)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/boring imports
	crypto/cipher imports
	crypto/internal/fips140only imports
	crypto/internal/fips140/v1.0.0/drbg: package crypto/internal/fips140/v1.0.0/drbg is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/drbg)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/boring imports
	crypto/cipher imports
	crypto/internal/fips140only imports
	crypto/internal/fips140/v1.0.0/sha3: package crypto/internal/fips140/v1.0.0/sha3 is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/sha3)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/boring imports
	crypto/cipher imports
	crypto/internal/fips140only imports
	crypto/internal/fips140/v1.0.0/sha512: package crypto/internal/fips140/v1.0.0/sha512 is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/sha512)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/boring imports
	crypto/cipher imports
	crypto/subtle imports
	crypto/internal/fips140/v1.0.0/subtle: package crypto/internal/fips140/v1.0.0/subtle is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/subtle)

What did you expect to see?

Expectation that dependencies are correctly added to go.mod same as when the FIPS-140-3 mode is not enabled:

$ unset GOFIPS140
$ go get -tool golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment
go: added golang.org/x/mod v0.24.0
go: added golang.org/x/sync v0.14.0
go: added golang.org/x/tools v0.33.0
@nomaed nomaed mentioned this issue May 9, 2025
Closed
@gabyhelp
Copy link

gabyhelp commented May 9, 2025

Related Issues

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@gabyhelp gabyhelp added the BugReport Issues describing a possible bug in the Go implementation. label May 9, 2025
@seankhliao seankhliao added NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. GoCommand cmd/go labels May 9, 2025
@cherrymui cherrymui added this to the Go1.25 milestone May 9, 2025
@cherrymui
Copy link
Member

cc @matloob @samthanawalla

@seankhliao
Copy link
Member

cc @FiloSottile

@FiloSottile
Copy link
Contributor

This looks like an unhandled side-effect of the crypto/internal/fips140/... => crypto/internal/fips140/v1.0.0/... renaming.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
BugReport Issues describing a possible bug in the Go implementation. GoCommand cmd/go NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Go1.25
Development

No branches or pull requests
5 participants
@FiloSottile @nomaed @seankhliao @cherrymui @gabyhelp