Skip to content

cmd/go: "go get" fails when GOFIPS140=v1.0.0 is set #73649

New issue
New issue
Open
Open
cmd/go: "go get" fails when GOFIPS140=v1.0.0 is set#73649
Assignees
matloob
Labels
BugReportIssues describing a possible bug in the Go implementation.GoCommandcmd/goNeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Go1.26
@nomaed

Description

@nomaed
nomaed
opened on May 9, 2025

Go version

go version go1.24.3 darwin/arm64

Output of go env in your module/workspace:

AR='ar'
CC='cc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='c++'
GCCGO='gccgo'
GO111MODULE=''
GOARCH='arm64'
GOARM64='v8.0'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/Users/b.aranovich/Library/Caches/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/Users/b.aranovich/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='v1.0.0'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/9k/1mhg428s7gq_bl9shx46rsz40000gp/T/go-build1732741947=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD='/Users/b.aranovich/tmp/test-fips/go.mod'
GOMODCACHE='/Users/b.aranovich/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/b.aranovich/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/opt/homebrew/Cellar/go/1.24.3/libexec'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/b.aranovich/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/opt/homebrew/Cellar/go/1.24.3/libexec/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.24.3'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

In any existing project (or a blank project), using go1.24 with FIPS-140-3 mode enabled using GOFIPS140='v1.0.0' environment, attempted to update github.com/open-policy-agent/opa library, or tried getting the fieldalignment tool (using -tool directive).

Running the following commands easily demonstrates the problem.

$ mkdir test-fips; cd test-fips
$ go mod init example.com/testfips
$ go version
go version go1.24.3 darwin/arm64
$ export GOFIPS140='v1.0.0'
$ go get -tool golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/fips140/v1.0.0/sha256: package crypto/internal/fips140/v1.0.0/sha256 is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/sha256)
(...more errors truncated...)
$ go get github.com/open-policy-agent/opa
go: github.com/open-policy-agent/opa imports
	github.com/open-policy-agent/opa/cmd imports
	crypto/rand imports
	crypto/internal/fips140/v1.0.0: package crypto/internal/fips140/v1.0.0 is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0)
(...more errors truncated...)

This doesn't happen when GOFIPS140 env var remains unset, without it go get successfully adds the dependencies to go.mod.

This doesn't seem to be happening with go install:

$ go install golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment@latest

works as expected, no errors; fieldalignment binary is correctly installed into ~/go/bin.

What did you see happen?

Full output for go get -tool command:

$ go get -tool golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/fips140/v1.0.0/sha256: package crypto/internal/fips140/v1.0.0/sha256 is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/sha256)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/boring imports
	crypto/cipher imports
	crypto/internal/fips140/v1.0.0/aes: package crypto/internal/fips140/v1.0.0/aes is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/aes)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/boring imports
	crypto/cipher imports
	crypto/internal/fips140/v1.0.0/aes/gcm: package crypto/internal/fips140/v1.0.0/aes/gcm is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/aes/gcm)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/boring imports
	crypto/cipher imports
	crypto/internal/fips140/v1.0.0/alias: package crypto/internal/fips140/v1.0.0/alias is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/alias)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/boring imports
	crypto/cipher imports
	crypto/internal/fips140only imports
	crypto/internal/fips140/v1.0.0/drbg: package crypto/internal/fips140/v1.0.0/drbg is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/drbg)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/boring imports
	crypto/cipher imports
	crypto/internal/fips140only imports
	crypto/internal/fips140/v1.0.0/sha3: package crypto/internal/fips140/v1.0.0/sha3 is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/sha3)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/boring imports
	crypto/cipher imports
	crypto/internal/fips140only imports
	crypto/internal/fips140/v1.0.0/sha512: package crypto/internal/fips140/v1.0.0/sha512 is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/sha512)
go: golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment imports
	golang.org/x/tools/go/analysis/singlechecker imports
	golang.org/x/tools/go/analysis/internal/analysisflags imports
	crypto/sha256 imports
	crypto/internal/boring imports
	crypto/cipher imports
	crypto/subtle imports
	crypto/internal/fips140/v1.0.0/subtle: package crypto/internal/fips140/v1.0.0/subtle is not in std (/opt/homebrew/Cellar/go/1.24.3/libexec/src/crypto/internal/fips140/v1.0.0/subtle)

What did you expect to see?

Expectation that dependencies are correctly added to go.mod same as when the FIPS-140-3 mode is not enabled:

$ unset GOFIPS140
$ go get -tool golang.org/x/tools/go/analysis/passes/fieldalignment/cmd/fieldalignment
go: added golang.org/x/mod v0.24.0
go: added golang.org/x/sync v0.14.0
go: added golang.org/x/tools v0.33.0

Metadata

Metadata

Assignees

Labels

BugReportIssues describing a possible bug in the Go implementation.GoCommandcmd/goNeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions