Summary
Binaries built with Go native FIPS (GOFIPS140=v1.0.0 -tags no_openssl) are still flagged by check-payload at latest commit (4dda1bf, post-#335 merge).
Reproduction
Build and push this image:
FROM registry.access.redhat.com/ubi9/go-toolset:1.26.3 AS builder
USER root
WORKDIR /workspace
RUN echo 'package main; import "fmt"; func main() { fmt.Println("hello") }' > main.go
RUN go mod init test
RUN GOTOOLCHAIN=local CGO_ENABLED=0 GOFIPS140=v1.0.0 \
go build -tags netgo,no_openssl -o /bin/test-binary .
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5
ENV GODEBUG=fips140=on
COPY --from=builder /bin/test-binary /usr/bin/test-binary
ENTRYPOINT ["/usr/bin/test-binary"]
Then scan:
check-payload scan operator --spec <image>
Results
CGO_ENABLED=0 (native FIPS target):
go binary is not CGO_ENABLED
CGO_ENABLED=1 -tags no_openssl (attempted workaround):
go binary does not contain required symbol(s)
Both fail because check-payload looks for OpenSSL symbols/linkage, which don't exist in native Go FIPS binaries.
Context
Related
Summary
Binaries built with Go native FIPS (
GOFIPS140=v1.0.0 -tags no_openssl) are still flagged by check-payload at latest commit (4dda1bf, post-#335 merge).Reproduction
Build and push this image:
Then scan:
Results
CGO_ENABLED=0 (native FIPS target):
CGO_ENABLED=1 -tags no_openssl (attempted workaround):
Both fail because check-payload looks for OpenSSL symbols/linkage, which don't exist in native Go FIPS binaries.
Context
-tags no_openssland GOFIPS140 are mutually exclusive with the OpenSSL backend — we cannot have bothRelated