author | Stan Hu <stanhu@gmail.com> | 2023-03-02 22:48:04 -0800 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2023-03-06 21:18:11 -0800 |
commit | 4f5f99875860fcc591a48647a8d5f2b15fb96c60 (patch) | |
tree | 83989d87e6671e18c1a708b01f4f367fca755a70 | |
parent | d893886d53c3038af84414589459d273609b2243 (diff) | |
Prepare for Go 1.19 FIPS support
https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/718 will
make Go 1.19 the default for gitlab-shell. Per
https://github.com/golang/go/issues/51940, the dev.boringcrypto branch
no longer exists, and to support FIPS we need to pass along
`GOEXPERIMENT=boringcrypto`.
To do this, we just see if this `GOEXPERIMENT` is available with `go
version` rather than do some more complicated version-specific
comparison.
-rw-r--r-- | Makefile | 12 |
1 files changed, 9 insertions, 3 deletions
@@ -8,7 +8,13 @@ BUILD_TIME := $(shell date -u +%Y%m%d.%H%M%S) BUILD_TAGS := tracer_static tracer_static_jaeger continuous_profiler_stackdriver ifeq (${FIPS_MODE}, 1) - # boringcrypto tag is added automatically by golang-fips compiler + # Go 1.19 now requires GOEXPERIMENT=boringcrypto for FIPS compilation. + # See https://github.com/golang/go/issues/51940 for more details. + BORINGCRYPTO_SUPPORT := $(shell GOEXPERIMENT=boringcrypto go version &> /dev/null; echo $$?) + ifeq ($(BORINGCRYPTO_SUPPORT), 0) + GOBUILD_ENV=GOEXPERIMENT=boringcrypto + endif + BUILD_TAGS += fips # If the golang-fips compiler is built with CGO_ENABLED=0, this needs to be # explicitly switched on. @@ -60,10 +66,10 @@ _script_install: compile: bin/gitlab-shell bin/gitlab-sshd bin/gitlab-shell: $(GO_SOURCES) - GOBIN="$(CURDIR)/bin" go install $(GOBUILD_FLAGS) ./cmd/... + GOBIN="$(CURDIR)/bin" $(GOBUILD_ENV) go install $(GOBUILD_FLAGS) ./cmd/... bin/gitlab-sshd: $(GO_SOURCES) - GOBIN="$(CURDIR)/bin" go install $(GOBUILD_FLAGS) ./cmd/gitlab-sshd + GOBIN="$(CURDIR)/bin" $(GOBUILD_ENV) go install $(GOBUILD_FLAGS) ./cmd/gitlab-sshd check: bin/check |
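Review bot: The probe in the new `BORINGCRYPTO_SUPPORT` line uses `&> /dev/null`, which is a bash-only redirection, and `$(shell ...)` runs under `/bin/sh` unless the Makefile sets `SHELL` to bash somewhere outside this hunk. A POSIX shell such as dash parses `&>` as a background `&` followed by a separate redirection, so `$$?` is no longer the exit status of `go version` and its output can land in the variable. The `ifeq ($(BORINGCRYPTO_SUPPORT), 0)` test can then take the wrong branch, and a `FIPS_MODE=1` build may run without `GOEXPERIMENT=boringcrypto` while still carrying the `fips` tag. The portable form is `BORINGCRYPTO_SUPPORT := $(shell GOEXPERIMENT=boringcrypto go version > /dev/null 2>&1; echo $$?)`. Since a failed probe is silent, a `$(info ...)` line reporting which FIPS toolchain path was chosen would also help whoever audits the build log.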
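Review bot: `$(GOBUILD_ENV)` is expanded unquoted as a command prefix in both `go install` recipes, but the only assignment visible in this diff sits inside the `FIPS_MODE` conditional. In a non-FIPS build, or when the probe fails, make falls back to any `GOBUILD_ENV` inherited from the environment, so a stray variable on a build host would be spliced into the command line. Initialising it next to the other build variables with `GOBUILD_ENV :=`, plus a comment such as `# extra environment assignments prepended to go install; set only for FIPS builds`, pins the default and documents the variable. That assignment belongs above the `ifeq` in the first hunk, not in these recipe lines.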