cmd/go: GOFIPS140=v1.0.0 makes tests flaky

[ianlancetaylor]

Go version

HEAD

Output of go env in your module/workspace:

AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE=''
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/home/iant/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/home/iant/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1440155093=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/dev/null'
GOMODCACHE='/home/iant/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/iant/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org'
GOROOT='/home/iant/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='on'
GOTELEMETRYDIR='/home/iant/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/home/iant/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='devel go1.24-e81f715515 Wed Jan 29 07:10:35 2025 -0800'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

GOFIPS140=v1.0.0 go test -test.count=10 crypto/x509 crypto/internal/fips140/...

What did you see happen?

--- FAIL: TestInverse (0.00s)
    nat_test.go:701: open testdata/mod_inv_tests.txt: no such file or directory
--- FAIL: TestInverse (0.00s)
    nat_test.go:701: open testdata/mod_inv_tests.txt: no such file or directory
FAIL

What did you expect to see?

A series of lines starting with ok, indicating that all the tests passed.

The problem is that setting GOFIPS140 to a specific version causes the zip file in $GOROOT/lib/fips140 to be unpacked into the module cache each time that the go command is run. The crypto/x509 package has a test that runs the go command (TestImports). Running that test in parallel with tests of other packages means that the contents of the module cache are being removed and recreated as tests are running. That causes failures like the one above, in which a file is missing just as a test is looking for it.

Fixing this is a release blocker for 1.24.

[gabyhelp]

Related Issues

• cmd/go: add fips140 module selection mechanism #70200
• cmd/go: `go test` doesn't work with `GODEBUG=fips140=only` #70878 (closed)
• crypto: can't be used with `crypto/sha3` when `GODEBUG=fips140=only` is set #70879 (closed)

Related Code Changes

• cmd/go: drop fips140 build ID hacks
• [release-branch.go1.24] all: merge master (e81f715) into release-branch.go1.24
• [release-branch.go1.24] all: merge master (e81f715) into release-branch.go1.24
• crypto/internal/fips140test: add functional tests
• cmd/go: add GOFIPS140 snapshot support
• crypto/tls: test with FIPS 140-3 TLS mode
• cmd/dist: skip fips140=on testing for ASAN

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[gopherbot]

Change https://go.dev/cl/645835 mentions this issue: cmd/go: enable fips test and fix caching bug