Skip to content

Native Go FIPS binaries (GOFIPS140 + no_openssl) still flagged after #335 #342

Description

@hbelmiro

Summary

Binaries built with Go native FIPS (GOFIPS140=v1.0.0 -tags no_openssl) are still flagged by check-payload at latest commit (4dda1bf, post-#335 merge).

Reproduction

Build and push this image:

FROM registry.access.redhat.com/ubi9/go-toolset:1.26.3 AS builder
USER root
WORKDIR /workspace
RUN echo 'package main; import "fmt"; func main() { fmt.Println("hello") }' > main.go
RUN go mod init test
RUN GOTOOLCHAIN=local CGO_ENABLED=0 GOFIPS140=v1.0.0 \
    go build -tags netgo,no_openssl -o /bin/test-binary .

FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5
ENV GODEBUG=fips140=on
COPY --from=builder /bin/test-binary /usr/bin/test-binary
ENTRYPOINT ["/usr/bin/test-binary"]

Then scan:

check-payload scan operator --spec <image>

Results

CGO_ENABLED=0 (native FIPS target):

go binary is not CGO_ENABLED

CGO_ENABLED=1 -tags no_openssl (attempted workaround):

go binary does not contain required symbol(s)

Both fail because check-payload looks for OpenSSL symbols/linkage, which don't exist in native Go FIPS binaries.

Context

Related

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions