Shouldn't this PCT failure result in a panic (at least in the scope of key generation) to enter the FIPS error state? https://github.com/golang/go/blame/dcc77f9e3c7097b497e99800a7a4ed80c7a430d8/src/crypto/internal/fips140/rsa/rsa.go#L329

Comment From: Jorropo

cc @FiloSottile

Comment From: gopherbot

Change https://go.dev/cl/701517 mentions this issue: crypto/internal/fips140: remove key import PCTs, make keygen PCTs fatal

Comment From: gopherbot

Change https://go.dev/cl/701438 mentions this issue: [release-branch.go1.24] crypto/internal/fips140: remove key import PCTs, make keygen PCTs fatal

Comment From: tigrand

Thank you, the changes look good

Comment From: FiloSottile

@gopherbot please open backport issues for Go 1.24 and Go 1.25.

Backporting a change to the FIPS 140-3 module is an exception we discussed with the lab.

It will involve:

  1. landing the change on master
  2. preparing release-branch.go1.24 by reverting a small post-module seal change
  3. preparing release-branch.go1.24 by backporting a couple internal fips140 tooling changes
  4. backporting to release-branch.go1.24
  5. re-sealing the fips140 zip file on master based on the new release-branch.go1.24
  6. backporting the zip file to Go 1.24 and Go 1.25

Note that we'll have some builder failures in the middle of the process, because the tests will fail with the non-backported v1.0.0 zip'd module. They will resolve at the end of the process.

Comment From: gopherbot

Backport issue(s) opened: #75523 (for 1.24), #75524 (for 1.25).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.