Go version
go version go1.24.3 darwin/arm64
Output of go env in your module/workspace:
AR='ar'
CC='cc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='c++'
GCCGO='gccgo'
GO111MODULE=''
GOARCH='arm64'
GOARM64='v8.0'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/Users/b.aranovich/Library/Caches/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/Users/b.aranovich/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='v1.0.0'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/9k/1mhg428s7gq_bl9shx46rsz40000gp/T/go-build1732741947=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD='/Users/b.aranovich/tmp/test-fips/go.mod'
GOMODCACHE='/Users/b.aranovich/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/b.aranovich/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/opt/homebrew/Cellar/go/1.24.3/libexec'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/b.aranovich/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/opt/homebrew/Cellar/go/1.24.3/libexec/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.24.3'
GOWORK=''
PKG_CONFIG='pkg-config'
What did you do?
In any existing project (or a blank project), using go1.24 with FIPS-140-3 mode enabled via the GOFIPS140='v1.0.0' environment variable, I attempted to update the github.com/open-policy-agent/opa library, or tried getting the fieldalignment tool (using the -tool directive).
Running the following commands easily demonstrates the problem.
$ mkdir test-fips; cd test-fips
$ go mod init example.com/testfips
$ go version
go version go1.24.3 darwin/arm64
$ export GOFIPS140='v1.0.0'
$ go get -tool golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
golang.org/x/tools/go/analysis/singlechecker imports
golang.org/x/tools/go/analysis/internal/analysisflags imports
crypto/sha256 imports
crypto/internal/fips140/v1.0.0/sha256: package crypto/internal/fips140/v1.0.0/sha256 is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/sha256)
(...more errors truncated...)
$ go get github.com/open-policy-agent/opa
go: github.com/open-policy-agent/opa imports
github.com/open-policy-agent/opa/cmd imports
crypto/rand imports
crypto/internal/fips140/v1.0.0: package crypto/internal/fips140/v1.0.0 is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0)
(...more errors truncated...)
This doesn't happen when the GOFIPS140 env var remains unset; without it, go get successfully adds the dependencies to go.mod.
This doesn't seem to be happening with go install:
$ go install golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment@latest
works as expected, no errors; fieldalignment binary is correctly installed into ~/go/bin.
What did you see happen?
Full output for go get -tool command:
$ go get -tool golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
golang.org/x/tools/go/analysis/singlechecker imports
golang.org/x/tools/go/analysis/internal/analysisflags imports
crypto/sha256 imports
crypto/internal/fips140/v1.0.0/sha256: package crypto/internal/fips140/v1.0.0/sha256 is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/sha256)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
golang.org/x/tools/go/analysis/singlechecker imports
golang.org/x/tools/go/analysis/internal/analysisflags imports
crypto/sha256 imports
crypto/internal/boring imports
crypto/cipher imports
crypto/internal/fips140/v1.0.0/aes: package crypto/internal/fips140/v1.0.0/aes is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/aes)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
golang.org/x/tools/go/analysis/singlechecker imports
golang.org/x/tools/go/analysis/internal/analysisflags imports
crypto/sha256 imports
crypto/internal/boring imports
crypto/cipher imports
crypto/internal/fips140/v1.0.0/aes/gcm: package crypto/internal/fips140/v1.0.0/aes/gcm is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/aes/gcm)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
golang.org/x/tools/go/analysis/singlechecker imports
golang.org/x/tools/go/analysis/internal/analysisflags imports
crypto/sha256 imports
crypto/internal/boring imports
crypto/cipher imports
crypto/internal/fips140/v1.0.0/alias: package crypto/internal/fips140/v1.0.0/alias is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/alias)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
golang.org/x/tools/go/analysis/singlechecker imports
golang.org/x/tools/go/analysis/internal/analysisflags imports
crypto/sha256 imports
crypto/internal/boring imports
crypto/cipher imports
crypto/internal/fips140only imports
crypto/internal/fips140/v1.0.0/drbg: package crypto/internal/fips140/v1.0.0/drbg is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/drbg)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
golang.org/x/tools/go/analysis/singlechecker imports
golang.org/x/tools/go/analysis/internal/analysisflags imports
crypto/sha256 imports
crypto/internal/boring imports
crypto/cipher imports
crypto/internal/fips140only imports
crypto/internal/fips140/v1.0.0/sha3: package crypto/internal/fips140/v1.0.0/sha3 is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/sha3)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
golang.org/x/tools/go/analysis/singlechecker imports
golang.org/x/tools/go/analysis/internal/analysisflags imports
crypto/sha256 imports
crypto/internal/boring imports
crypto/cipher imports
crypto/internal/fips140only imports
crypto/internal/fips140/v1.0.0/sha512: package crypto/internal/fips140/v1.0.0/sha512 is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/sha512)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
golang.org/x/tools/go/analysis/singlechecker imports
golang.org/x/tools/go/analysis/internal/analysisflags imports
crypto/sha256 imports
crypto/internal/boring imports
crypto/cipher imports
crypto/subtle imports
crypto/internal/fips140/v1.0.0/subtle: package crypto/internal/fips140/v1.0.0/subtle is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/subtle)
What did you expect to see?
I expected the dependencies to be correctly added to go.mod, the same as when the FIPS-140-3 mode is not enabled:
$ unset GOFIPS140
$ go get -tool golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment
go: added golang.org/x/mod v0.24.0
go: added golang.org/x/sync v0.14.0
go: added golang.org/x/tools v0.33.0
Comment From: gabyhelp
Related Issues
- cmd/go: GOFIPS140=v1.0.0 makes tests flaky #71491 (closed)
- cmd/go: `go test` doesn't work with `GODEBUG=fips140=only` #70878 (closed)
- crypto: can't be used with `crypto/sha3` when `GODEBUG=fips140=only` is set #70879 (closed)
- crypto/internal/fips140: segfault from hmac memmove #70880 (closed)
- cmd/go: identify tool dependencies in go list / go mod why #70582
- cmd/go: randomly broken 'go tool' invocations #73179 (closed)
- cmd/go: add fips140 module selection mechanism #70200
- cmd/dist: building with GOFIPS140=latest fails with unexpected stale targets #70873 (closed)
- cmd/go get doesn't validate module arguments #71437 (closed)
- all.bash build from source failed to import new vendors #56076 (closed)
Comment From: cherrymui
cc @matloob @samthanawalla
Comment From: seankhliao
cc @FiloSottile
Comment From: FiloSottile
This looks like an unhandled side-effect of the crypto/internal/fips140/... => crypto/internal/fips140/v1.0.0/... renaming.
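Added example (not part of the thread and not Go project code): a small triage helper that scans `go get` output for the "is not in std" error on versioned FIPS snapshot paths and maps each one back to the unversioned `crypto/internal/fips140/...` path named in the comment above. The function name and the sample text are assumptions; the sample is constructed from error lines quoted in the issue, with the directory paths abbreviated.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// snapshotErr matches the cmd/go error quoted in the issue. Group 1 is the
// snapshot version, group 2 the package path below it (empty for the root).
var snapshotErr = regexp.MustCompile(
	`^\s*crypto/internal/fips140/(v\d+\.\d+\.\d+)(/[\w/]+)?: package \S+ is not in std`)

// MissingSnapshotPkgs (hypothetical helper) returns the snapshot version and,
// for each versioned FIPS package reported as "not in std", the unversioned
// path it was renamed from. Results are de-duplicated and sorted.
func MissingSnapshotPkgs(output string) (version string, unversioned []string) {
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		m := snapshotErr.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // import-chain line or unrelated output
		}
		version = m[1]
		p := "crypto/internal/fips140" + m[2]
		if !seen[p] {
			seen[p] = true
			unversioned = append(unversioned, p)
		}
	}
	sort.Strings(unversioned)
	return version, unversioned
}

// sample is constructed from the issue's output; "(...)" abbreviates the GOROOT path.
const sample = `go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	crypto/sha256 imports
	crypto/internal/fips140/v1.0.0/sha256: package crypto/internal/fips140/v1.0.0/sha256 is not in std (...)
	crypto/internal/fips140/v1.0.0/aes/gcm: package crypto/internal/fips140/v1.0.0/aes/gcm is not in std (...)
	crypto/internal/fips140/v1.0.0: package crypto/internal/fips140/v1.0.0 is not in std (...)
go: added golang.org/x/mod v0.24.0
`

func main() {
	v, pkgs := MissingSnapshotPkgs(sample)
	fmt.Printf("snapshot %s: %d renamed packages not resolved: %v\n", v, len(pkgs), pkgs)
}
```

A non-empty result in a CI log separates this module-resolution failure from an ordinary missing-dependency error.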