From 4f5f99875860fcc591a48647a8d5f2b15fb96c60 Mon Sep 17 00:00:00 2001
From: Stan Hu
Date: Thu, 2 Mar 2023 22:48:04 -0800
Subject: Prepare for Go 1.19 FIPS support

https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/718 will make Go 1.19 the default for gitlab-shell. Per https://github.com/golang/go/issues/51940, the dev.boringcrypto branch no longer exists, and to support FIPS we need to pass along `GOEXPERIMENT=boringcrypto`. To do this, we just see if this `GOEXPERIMENT` is available with `go version` rather than do some more complicated version-specific comparison.
---
 Makefile | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 51db004..cfe9f11 100644
--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,13 @@ BUILD_TIME := $(shell date -u +%Y%m%d.%H%M%S)
 BUILD_TAGS := tracer_static tracer_static_jaeger continuous_profiler_stackdriver

 ifeq (${FIPS_MODE}, 1)
- # boringcrypto tag is added automatically by golang-fips compiler
+ # Go 1.19 now requires GOEXPERIMENT=boringcrypto for FIPS compilation.
+ # See https://github.com/golang/go/issues/51940 for more details.
+ BORINGCRYPTO_SUPPORT := $(shell GOEXPERIMENT=boringcrypto go version &> /dev/null; echo $$?)
+ ifeq ($(BORINGCRYPTO_SUPPORT), 0)
+ GOBUILD_ENV=GOEXPERIMENT=boringcrypto
+ endif
+
 BUILD_TAGS += fips
 # If the golang-fips compiler is built with CGO_ENABLED=0, this needs to be
 # explicitly switched on.
@@ -60,10 +66,10 @@ _script_install:
 compile: bin/gitlab-shell bin/gitlab-sshd

 bin/gitlab-shell: $(GO_SOURCES)
- GOBIN="$(CURDIR)/bin" go install $(GOBUILD_FLAGS) ./cmd/...
+ GOBIN="$(CURDIR)/bin" $(GOBUILD_ENV) go install $(GOBUILD_FLAGS) ./cmd/...

 bin/gitlab-sshd: $(GO_SOURCES)
- GOBIN="$(CURDIR)/bin" go install $(GOBUILD_FLAGS) ./cmd/gitlab-sshd
+ GOBIN="$(CURDIR)/bin" $(GOBUILD_ENV) go install $(GOBUILD_FLAGS) ./cmd/gitlab-sshd

 check:
 bin/check
--
cgit v1.2.1
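Review bot: The probe assigned to `BORINGCRYPTO_SUPPORT` redirects with `&>`, a bash extension; a POSIX `/bin/sh` such as dash reads it as a background `&` followed by a separate `> /dev/null`, so `echo $$?` no longer reports the exit status of `go version`. Whether this Makefile sets `SHELL` is not visible in the hunk; the portable form is `BORINGCRYPTO_SUPPORT := $(shell GOEXPERIMENT=boringcrypto go version >/dev/null 2>&1; echo $$?)`. Separately, when the probe fails, the build continues with the `fips` tag but without `GOEXPERIMENT=boringcrypto`. That is presumably intended for the older golang-fips compiler named in the removed comment, but it is silent for any other toolchain, so an `else` branch with `$(warning GOEXPERIMENT=boringcrypto not supported by this go toolchain)` would leave a trace in the log of a FIPS build. The `ifeq (${FIPS_MODE}, 1)` block continues past the end of the hunk.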
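Review bot: `$(GOBUILD_ENV)` is spliced into both `go install` recipes in the second hunk, but the only assignment visible in this patch sits inside the `ifeq (${FIPS_MODE}, 1)` branch, so in a non-FIPS build make takes the value from the environment if a variable of that name is exported. Unless it is initialised elsewhere in the file, add `GOBUILD_ENV :=` next to the other defaults above the conditional so the command prefix is always defined by the Makefile itself.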