fix(fips): unified module validation with version-gated artifact checks#335
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: smith-xyz The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@smith-xyz: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
tested on all nightlies - passed: registry.ci.openshift.org/ocp/release:4.12.0-0.nightly-2026-05-06-095208 |
|
/lgtm |
Replace separate artifact and host lib checks with unified per-module
ValidateModule that tries RPM + version range + file gate, then falls
back to host lib FIPS symbols. Adds certified_artifact_max_version to
scope entries to specific release lines (e.g. openssl-libs 1.1.1 for
RHEL 8). Config now declares all CMVP-certified modules explicitly.
Supports Go native FIPS via artifact_source="binary" with config-driven
minimum version for GOFIPS140 build setting.
Fixes: #332