crypto/internal/fips140: go install stdlib with GOFIPS140=v1.0.0 does not install all .a archives #76225
Description
Go version
1.25.3
Output of go env in your module/workspace:
AR='ar'
CC='cc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='c++'
GCCGO='gccgo'
GO111MODULE=''
GOARCH='arm64'
GOARM64='v8.0'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/Users/ricky/Library/Caches/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/Users/ricky/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/5p/jcz11_ln3tdbsrtmdy41861w0000gp/T/go-build2660027447=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD='/dev/null'
GOMODCACHE='/Users/ricky/go/pkg/mod'
GONOPROXY='github.com/cockroachlabs/*'
GONOSUMDB='github.com/cockroachlabs/*'
GOOS='darwin'
GOPATH='/Users/ricky/go'
GOPRIVATE='github.com/cockroachlabs/*'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/opt/homebrew/Cellar/go/1.25.3/libexec'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/ricky/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/opt/homebrew/Cellar/go/1.25.3/libexec/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.25.3'
GOWORK=''
PKG_CONFIG='pkg-config'What did you do?
In the go repo:
cd src
./make.bash
cd ..
# `go install` with GOFIPS140=latest
GOROOT=$(pwd) GOCACHE=~/.tmp-gocache GOMODCACHE=~/.tmp-gomodcache GO111MODULE=off GODEBUG=installgoroot=all GOFIPS140=latest bin/go install std runtime/cgo
ls pkg/darwin_arm64/crypto/internal
# clear the
rm -rf pkg/darwin_arm64/crypto/internal
# `go install` with GOFIPS140=v1.0.0
GOROOT=$(pwd) GOCACHE=~/.tmp-gocache GOMODCACHE=~/.tmp-gomodcache GO111MODULE=off GODEBUG=installgoroot=all GOFIPS140=v1.0.0 bin/go install std runtime/cgo
ls pkg/darwin_arm64/crypto/internal
What did you see happen?
Comparing the contents of pkg/darwin_amd64 with GOFIPS140=latest:
go$ ls pkg/darwin_arm64/crypto/internal
boring entropy.a fips140cache.a fips140hash.a impl.a sysrand.a
boring.a fips140 fips140deps fips140only.a randutil.a
cryptotest.a fips140.a fips140deps.a hpke.a sysrand
vs. GOFIPS140=v1.0.0:
go$ ls pkg/darwin_arm64/crypto/internal
boring cryptotest.a fips140cache.a fips140deps.a fips140only.a impl.a sysrand
boring.a entropy.a fips140deps fips140hash.a hpke.a randutil.a sysrand.a
You can see that pkg/darwin_arm64/crypto/internal library is missing .a archives (both the fips140.a archive and the entire directory crypto/internal/fips140) if you set GOFIPS140=v1.0.0. This limits the usability of the built stdlib, as the crypto/internal/fips140 package and all its subpackages are missing. They don't appear to be anywhere else in the tree:
go$ find pkg/darwin_arm64 -type f | grep fips
pkg/darwin_arm64/crypto/internal/fips140hash.a
pkg/darwin_arm64/crypto/internal/fips140only.a
pkg/darwin_arm64/crypto/internal/fips140deps/byteorder.a
pkg/darwin_arm64/crypto/internal/fips140deps/cpu.a
pkg/darwin_arm64/crypto/internal/fips140deps/godebug.a
pkg/darwin_arm64/crypto/internal/fips140deps.a
pkg/darwin_arm64/crypto/internal/fips140cache.a
pkg/darwin_arm64/crypto/fips140.a
pkg/darwin_arm64/crypto/tls/internal/fips140tls.a
This is probably due to the in-place replacement of the crypto/internal/fips140 package with golang.org/fips140@v1.0.0-c2097c7c when you build in this configuration. It's unclear where the built archives end up in this case. Since the package paths differ, GOFIPS140=v1.0.0 go install may put them in a different location (for example, crypto/internal/fips140/v1.0.0-c2097c7c), but I would expect them to be somewhere such that you can later perform a build with this pre-built stdlib.
What did you expect to see?
I would expect that no matter how you set GOFIPS140, go install GODEBUG=installgoroot=all produces a usable stdlib with all necessary subpackages available.