Skip to content

[ci] Run Go unit tests with GODEBUG=fips140=only #13926

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 9 commits into
base: main
Choose a base branch
from
Draft

[ci] Run Go unit tests with GODEBUG=fips140=only #13926

wants to merge 9 commits into from

Conversation

@ycombinator
Copy link
Contributor

@ycombinator ycombinator commented Oct 3, 2025
edited
Loading

Description

This PR runs all Golang unit tests in this repository with the GODEBUG=fips140=only environment set. This is useful to detect any FIPS-140 violations of code covered by these unit tests.

To achieve the above, this PR introduces a new gotest-fips140-only target in Makefile and a corresponding test-fips140-only target in Makefile.Common.

Link to tracking issue

Relates to #13925

Testing

Documentation

@codecov
Copy link

codecov bot commented Oct 3, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.16%. Comparing base (a0cbea7) to head (39a20b3).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #13926      +/-   ##
==========================================
- Coverage   92.17%   92.16%   -0.02%     
==========================================
  Files         668      668              
  Lines       41467    41467              
==========================================
- Hits        38221    38216       -5     
- Misses       2213     2216       +3     
- Partials     1033     1035       +2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@ycombinator ycombinator changed the title Add Makefile targets for running unit tests with GODEBUG=fips140=only [chore] Add Makefile targets for running unit tests with GODEBUG=fips140=only Oct 3, 2025
@ycombinator
Copy link
Contributor Author

ycombinator commented Oct 3, 2025
edited
Loading

Running make gotest-fips140-only fails fast, so instead I'm running make test-fips140-only in each module, with Golang 1.25.0, like so:

$ go version
go version go1.25.0 linux/arm64

$ for m in $(find . -iname go.mod); do d=$(dirname $m); cd $d; make test-fips140-only; cd -; done

Ignoring passing and skipped tests, here are the failures:

=== Failed
=== FAIL: internal/builder TestVersioning/defaults (0.16s)
2025-10-09T23:03:01.172-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/otelcol-distribution2818115018"}
    main_test.go:220:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:220
        	Error:      	Target error should be in err chain:
        	            	expected: ""
        	            	in chain: "failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
        	            		"go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
        	            		"exit status 1"
        	Test:       	TestVersioning/defaults

=== FAIL: internal/builder TestVersioning/old_component_version (0.16s)
2025-10-09T23:03:01.341-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/otelcol-distribution2842198807"}
    main_test.go:220:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:220
        	Error:      	Target error should be in err chain:
        	            	expected: ""
        	            	in chain: "failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
        	            		"go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
        	            		"exit status 1"
        	Test:       	TestVersioning/old_component_version

=== FAIL: internal/builder TestVersioning/old_component_version_without_strict_mode (0.17s)
2025-10-09T23:03:01.503-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/otelcol-distribution1917550671"}
    main_test.go:220:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:220
        	Error:      	Target error should be in err chain:
        	            	expected: ""
        	            	in chain: "failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
        	            		"go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get \"https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod\": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode\n"
        	            		"exit status 1"
        	Test:       	TestVersioning/old_component_version_without_strict_mode

=== FAIL: internal/builder TestVersioning (0.50s)

=== FAIL: internal/builder TestGenerateAndCompile/Default_Configuration_Compilation (0.19s)
2025-10-09T23:03:01.676-0700	INFO	builder/config.go:160	Using go	{"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:01.679-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/TestGenerateAndCompileDefault_Configuration_Compilation252918051/001"}
    main_test.go:338:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestGenerateAndCompile/Default_Configuration_Compilation

=== FAIL: internal/builder TestGenerateAndCompile/LDFlags_Compilation (0.18s)
2025-10-09T23:03:01.863-0700	INFO	builder/config.go:160	Using go	{"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:01.867-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/TestGenerateAndCompileLDFlags_Compilation3165267322/001"}
    main_test.go:338:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestGenerateAndCompile/LDFlags_Compilation

=== FAIL: internal/builder TestGenerateAndCompile/GCFlags_Compilation (0.18s)
2025-10-09T23:03:02.048-0700	INFO	builder/config.go:160	Using go	{"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:02.050-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/TestGenerateAndCompileGCFlags_Compilation937123693/001"}
    main_test.go:338:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestGenerateAndCompile/GCFlags_Compilation

=== FAIL: internal/builder TestGenerateAndCompile/Build_Tags_Compilation (0.19s)
2025-10-09T23:03:02.226-0700	INFO	builder/config.go:160	Using go	{"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:02.230-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/TestGenerateAndCompileBuild_Tags_Compilation452952742/001"}
    main_test.go:338:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestGenerateAndCompile/Build_Tags_Compilation

=== FAIL: internal/builder TestGenerateAndCompile/Debug_Compilation (0.19s)
    main_test.go:338:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestGenerateAndCompile/Debug_Compilation

=== FAIL: internal/builder TestGenerateAndCompile/No_providers (0.18s)
2025-10-09T23:03:02.604-0700	INFO	builder/config.go:160	Using go	{"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:02.607-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/TestGenerateAndCompileNo_providers3344910177/001"}
    main_test.go:338:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestGenerateAndCompile/No_providers

=== FAIL: internal/builder TestGenerateAndCompile/With_confmap_factories (0.18s)
2025-10-09T23:03:02.783-0700	INFO	builder/config.go:160	Using go	{"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:02.785-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/TestGenerateAndCompileWith_confmap_factories465256339/001"}
    main_test.go:338:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestGenerateAndCompile/With_confmap_factories

=== FAIL: internal/builder TestGenerateAndCompile/ConfResolverDefaultURIScheme_set (0.19s)
2025-10-09T23:03:02.967-0700	INFO	builder/config.go:160	Using go	{"go-executable": "/usr/local/go/bin/go"}
2025-10-09T23:03:02.971-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/TestGenerateAndCompileConfResolverDefaultURIScheme_set2737885439/001"}
    main_test.go:338:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:338
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestGenerateAndCompile/ConfResolverDefaultURIScheme_set

=== FAIL: internal/builder TestGenerateAndCompile (1.48s)

=== FAIL: internal/builder TestReplaceStatementsAreComplete (0.29s)
2025-10-09T23:03:03.275-0700	INFO	builder/main.go:99	Sources created	{"path": "/tmp/TestReplaceStatementsAreComplete182791686/001"}
    main_test.go:420:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/cmd/builder/internal/builder/main_test.go:420
        	Error:      	Received unexpected error:
        	            	failed to update go.mod: go subcommand failed with args '[mod tidy -compat=1.24]': exit status 1, error message: go: github.com/knadh/koanf/[email protected]: Get "https://proxy.golang.org/github.com/knadh/koanf/maps/@v/v0.1.2.mod": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestReplaceStatementsAreComplete

DONE 39 tests, 14 failures in 2.484s
make: *** [../../Makefile.Common:33: test-fips140-only] Error 1
...
=== Failed
=== FAIL: . TestHttpReception/TLS (2.01s)
    configgrpc_test.go:754:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/config/configgrpc/configgrpc_test.go:754
        	Error:      	Received unexpected error:
        	            	rpc error: code = DeadlineExceeded desc = latest balancer error: connection error: desc = "transport: authentication handshake failed: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode"
        	Test:       	TestHttpReception/TLS

=== FAIL: . TestHttpReception/mTLS (2.03s)
    configgrpc_test.go:754:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/config/configgrpc/configgrpc_test.go:754
        	Error:      	Received unexpected error:
        	            	rpc error: code = DeadlineExceeded desc = latest balancer error: connection error: desc = "transport: authentication handshake failed: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode"
        	Test:       	TestHttpReception/mTLS

=== FAIL: . TestHttpReception (10.08s)

DONE 73 tests, 3 failures in 10.121s
make: *** [../../Makefile.Common:33: test-fips140-only] Error 1
...
=== Failed
=== FAIL: . TestHttpReception/TLS (0.00s)
    server_test.go:267:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:39113": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestHttpReception/TLS

=== FAIL: . TestHttpReception/TLS_(HTTP/1.1) (0.00s)
    server_test.go:267:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:34695": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestHttpReception/TLS_(HTTP/1.1)

=== FAIL: . TestHttpReception/mTLS (0.01s)
    server_test.go:267:
        	Error Trace:	/home/shaunak/development/github/opentelemetry-collector/config/confighttp/server_test.go:267
        	Error:      	Received unexpected error:
        	            	Get "https://127.0.0.1:42475": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
        	Test:       	TestHttpReception/mTLS

=== FAIL: . TestHttpReception (0.02s)

DONE 159 tests, 4 failures in 0.160s
make: *** [../../Makefile.Common:33: test-fips140-only] Error 1
...
=== Failed
=== FAIL: . TestTPM_loadCertificate (0.00s)
panic: crypto/cipher: use of CFB is not allowed in FIPS 140-only mode [recovered, repanicked]

goroutine 173 [running]:
testing.tRunner.func1.2({0x813860, 0x91ee50})
	/usr/local/go/src/testing/testing.go:1872 +0x2b4
testing.tRunner.func1()
	/usr/local/go/src/testing/testing.go:1875 +0x460
panic({0x813860?, 0x91ee50?})
	/usr/local/go/src/runtime/panic.go:783 +0x120
crypto/cipher.NewCFBEncrypter(...)
	/usr/local/go/src/crypto/cipher/cfb.go:65
github.com/google/go-tpm/tpm2.(*hmacSession).Encrypt(0xc000170300, {0xc00001a982, 0x4, 0x3e})
	/home/shaunak/go/pkg/mod/github.com/google/[email protected]/tpm2/sessions.go:634 +0x36c
github.com/google/go-tpm/tpm2.cmdParameters[...]({0x922b28, 0xc0001b8380}, {0xc0002261a0, 0x2, 0x10})
	/home/shaunak/go/pkg/mod/github.com/google/[email protected]/tpm2/reflect.go:882 +0x288
github.com/google/go-tpm/tpm2.execute[...]({0xffff95968420, 0xc00022c540}, {0x922b28, 0xc0001b8380}, 0xc0002f4120, {0xc00039eb38, 0x1, 0xc00039e801})
	/home/shaunak/go/pkg/mod/github.com/google/[email protected]/tpm2/reflect.go:49 +0x318
github.com/google/go-tpm/tpm2.Create.Execute({{0x922790, 0xc00038a930}, {0x0}, {0xc000590fc0, {0x0, 0x0, 0x0}}, {{}, {0x0, 0x0, ...}}, ...}, ...)
	/home/shaunak/go/pkg/mod/github.com/google/[email protected]/tpm2/tpm2.go:193 +0xd0
github.com/foxboron/go-tpm-keyfiles.createKeyWithHandle(0xc00039ec40, {0x80000000, {{}, {0xc00051e7e0, 0x22, 0x22}}, {0x925a58, 0xc0000d73c8}}, 0x23, 0x100, ...)
	/home/shaunak/go/pkg/mod/github.com/foxboron/[email protected]/tpm.go:575 +0xa3c
github.com/foxboron/go-tpm-keyfiles.NewLoadableKeyWithResponse({0x922ba0, 0xc00022c540}, 0x23, 0x100, {0x1b55ea0, 0x0, 0x0}, {0x0, 0x0, 0x0})
	/home/shaunak/go/pkg/mod/github.com/foxboron/[email protected]/loadablekey.go:31 +0x19c
github.com/foxboron/go-tpm-keyfiles.NewLoadableKey(...)
	/home/shaunak/go/pkg/mod/github.com/foxboron/[email protected]/loadablekey.go:15
go.opentelemetry.io/collector/config/configtls.createTPMKeyCert(0xc0002fb880, {0x922ba0, 0xc00022c540})
	/home/shaunak/development/github/opentelemetry-collector/config/configtls/tpm_test.go:191 +0x68
go.opentelemetry.io/collector/config/configtls.TestTPM_loadCertificate(0xc0002fb880)
	/home/shaunak/development/github/opentelemetry-collector/config/configtls/tpm_test.go:41 +0xf4
testing.tRunner(0xc0002fb880, 0x8ae980)
	/usr/local/go/src/testing/testing.go:1934 +0x168
created by testing.(*T).Run in goroutine 1
	/usr/local/go/src/testing/testing.go:1997 +0x6e4

DONE 119 tests, 1 failure in 0.135s
make: *** [../../Makefile.Common:33: test-fips140-only] Error 1
...
=== FAIL: provider/internal/configurablehttpprovider TestFunctionalityDownloadFileHTTPS (0.02s)
panic: crypto/sha1: use of SHA-1 is not allowed in FIPS 140-only mode [recovered, repanicked]

goroutine 4 [running]:
testing.tRunner.func1.2({0x1048c0a20, 0x1049564c0})
	/Users/shaunak/.gvm/gos/go1.25.1/src/testing/testing.go:1872 +0x2b4
testing.tRunner.func1()
	/Users/shaunak/.gvm/gos/go1.25.1/src/testing/testing.go:1875 +0x460
panic({0x1048c0a20?, 0x1049564c0?})
	/Users/shaunak/.gvm/gos/go1.25.1/src/runtime/panic.go:783 +0x120
crypto/sha1.Sum({0xc0002d0240, 0x10e, 0x10e})
	/Users/shaunak/.gvm/gos/go1.25.1/src/crypto/sha1/sha1.go:278 +0x154
crypto/x509.CreateCertificate({0x104958b20, 0xc00011c250}, 0xc0002c2e58, 0xc0002c2e58, {0x1048e2160, 0xc000280230}, {0x104925f00, 0xc000280230})
	/Users/shaunak/.gvm/gos/go1.25.1/src/crypto/x509/x509.go:1738 +0x5a4
go.opentelemetry.io/collector/confmap/provider/internal/configurablehttpprovider.generateCertificate(0xc000005180, {0x1047c868d, 0x9})
	/Users/shaunak/development/github/opentelemetry-collector/confmap/provider/internal/configurablehttpprovider/provider_test.go:81 +0x510
go.opentelemetry.io/collector/confmap/provider/internal/configurablehttpprovider.TestFunctionalityDownloadFileHTTPS(0xc000005180)
	/Users/shaunak/development/github/opentelemetry-collector/confmap/provider/internal/configurablehttpprovider/provider_test.go:126 +0x40
testing.tRunner(0xc000005180, 0x1049535d0)
	/Users/shaunak/.gvm/gos/go1.25.1/src/testing/testing.go:1934 +0x168
created by testing.(*T).Run in goroutine 1
	/Users/shaunak/.gvm/gos/go1.25.1/src/testing/testing.go:1997 +0x6e4

DONE 243 tests, 1 skipped, 1 failure in 3.058s
...
=== Failed
=== FAIL: . TestSendTracesWhenEndpointHasHttpScheme/Use_https_scheme (10.01s)
    otlp_test.go:461:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/exporter/otlpexporter/otlp_test.go:461
        	Error:      	Condition never satisfied
        	Test:       	TestSendTracesWhenEndpointHasHttpScheme/Use_https_scheme

=== FAIL: . TestSendTracesWhenEndpointHasHttpScheme (10.02s)

=== FAIL: . TestSendProfilesWhenEndpointHasHttpScheme/Use_https_scheme (10.01s)
    otlp_test.go:1034:
        	Error Trace:	/Users/shaunak/development/github/opentelemetry-collector/exporter/otlpexporter/otlp_test.go:1034
        	Error:      	Condition never satisfied
        	Test:       	TestSendProfilesWhenEndpointHasHttpScheme/Use_https_scheme

=== FAIL: . TestSendProfilesWhenEndpointHasHttpScheme (10.03s)

DONE 62 tests, 4 failures in 28.041s
...

@atoulme
Copy link
Contributor

atoulme commented Oct 3, 2025

I think you can just set GODEBUG as an env var before running make.

GODEBUG=fips140=only make test

Please feel free to open issues for each test occurrence failing, and request fips140-3 be considered for support.

@ycombinator
Copy link
Contributor Author

ycombinator commented Oct 4, 2025
edited
Loading

Thanks @atoulme, I'll run the Go unit tests as you suggested.

The goal would be to eventually run these unit tests with GODEBUG=fips140=only in CI so we can detect any regressions once all the test failures are addressed. I'll amend this PR accordingly and file separate issues for each failing test. Once those issues are resolved, we can return to this PR, rebasing it on main, and making sure it passes CI.

@ycombinator ycombinator changed the title [chore] Add Makefile targets for running unit tests with GODEBUG=fips140=only [chore] Run Go unit tests with GODEBUG=fips140=only Oct 4, 2025
@ycombinator ycombinator changed the title [chore] Run Go unit tests with GODEBUG=fips140=only [ci] Run Go unit tests with GODEBUG=fips140=only Oct 4, 2025
@ycombinator ycombinator force-pushed the unit-tests-fips140-only branch 2 times, most recently from d9eb679 to b269e9d Compare October 10, 2025 05:57
This was referenced Oct 10, 2025
Open
Closed
Closed
Closed
Closed
Closed
@ycombinator
Copy link
Contributor Author

ycombinator commented Oct 10, 2025

Please feel free to open issues for each test occurrence failing, and request fips140-3 be considered for support.

This was referenced Oct 20, 2025
Merged
Merged
@ycombinator ycombinator force-pushed the unit-tests-fips140-only branch from b269e9d to 063717e Compare October 24, 2025 18:24
@ycombinator ycombinator mentioned this pull request Oct 24, 2025
Merged
@ycombinator ycombinator force-pushed the unit-tests-fips140-only branch from 4fbf367 to c4a20ca Compare October 24, 2025 23:08
github-merge-queue bot pushed a commit that referenced this pull request Nov 3, 2025
@ycombinator
[fips140][cmd/builder] Unit tests: Add GODEBUG=tlsmklem=0 if `GOD…
82f2534 
…EBUG=fips140=only` is set (#14068)

<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue.
Ex. Adding a feature - Explain what this achieves.-->
#### Description

When
#13926 is
merged, all unit tests in this repository will be run with
`GODEBUG=fips140=only` to help surface any FIPS-140 violations in all
the Go modules in this repository.

The `cmd/builder` module is not used when _running_ the OpenTelemetry
Collector. It is a tool used to _build_ OpenTelemetry Collector
distributions. As such, strictly speaking, we do not need to worry about
FIPS-140 violations in this module.

However, since unit tests for _all_ modules will be run with
`GODEBUG=fips140=only`, it is convenient to address any FIPS-140
violations in this module as well.

The module is responsible for building OpenTelemetry Collector
distributions from a configuration file. The configuration file lists Go
modules which are then downloaded in order to compile the distribution.
During the download, if `GODEBUG=fips140=only` is set, the following
error will be thrown:

```
crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
```

To suppress this error, we append `tlsmklem=0` to the `GODEBUG`
environment variable. This is OK to do because a) we are only doing this
from unit test code, not the module's code itself and b) as mentioned
above, this particular module is not involved in the running of the
OpenTelemetry Collector itself, i.e. we are not suppressing a legitimate
FIPS violation in OpenTelemetry Collector code.

<!-- Issue number if applicable -->
#### Link to tracking issue
Fixes #13997

<!--Describe what testing was performed and which tests were added.-->
#### Testing

Run the existing unit tests in the `cmd/builder` module with Go >=
1.24.6 and `GODEBUG=fips140=only`.

```
cd cmd/builder
GODEBUG=fips140=only go test -v ./... -count 1
```
@ycombinator ycombinator force-pushed the unit-tests-fips140-only branch from c4a20ca to fd1a96e Compare November 3, 2025 22:41
github-merge-queue bot pushed a commit that referenced this pull request Nov 10, 2025
@ycombinator
[fips140][`configurablehttpprovider.TestFunctionalityDownloadFileHTTP…
c08dbf5 
…S`] Skip test if `GODEBUG=fips140=only` is set (#14076)

<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue.
Ex. Adding a feature - Explain what this achieves.-->
#### Description

When
#13926 is
merged, all unit tests in this repository will be run with
`GODEBUG=fips140=only` to help surface any FIPS-140 violations in all
the Go modules in this repository.

One such unit test that fails in these circumstances is
`confmap/provider/internal/configurablehttpprovider.TestFunctionalityDownloadFileHTTPS`.
However, the FIPS violation surfaced by this test is from the test code
itself (as opposed to from OpenTelemetry Collector core code that the
test is exercising), specifically when this call is made:
https://github.com/open-telemetry/opentelemetry-collector/blob/0f3b0c974e235da85282c6d6ff5734e55e8f4fbc/confmap/provider/internal/configurablehttpprovider/provider_test.go#L81

As such, this is not a FIPS violation we need to worry about when
running the OpenTelemetry Collector. To prevent the unit test from
failing when it's run with `GODEBUG=fips140=only`, we skip it.

<!-- Issue number if applicable -->
#### Link to tracking issue
Fixes #13998

<!--Describe what testing was performed and which tests were added.-->
#### Testing

Run the `configurablehttpprovider.TestFunctionalityDownloadFileHTTPS`
unit test with `GODEBUG=fips140=only`.
   ```
   $ cd confmap/
$ GODEBUG=fips140=only go test
./provider/internal/configurablehttpprovider/... -test.v -test.run
TestFunctionalityDownloadFileHTTPS -count 1
   ```
@github-actions
Copy link
Contributor

github-actions bot commented Nov 18, 2025

This PR was marked stale due to lack of activity. It will be closed in 14 days.

@github-actions github-actions bot added Stale and removed Stale labels Nov 18, 2025
@ycombinator ycombinator force-pushed the unit-tests-fips140-only branch from fd1a96e to 68db426 Compare November 25, 2025 22:30
@codspeed-hq
Copy link

codspeed-hq bot commented Nov 25, 2025
edited
Loading

CodSpeed Performance Report

Merging #13926 will degrade performances by 76.23%

Comparing ycombinator:unit-tests-fips140-only (39a20b3) with main (a0cbea7)

⚠️ Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

Summary

❌ 1 regression
✅ 72 untouched

⚠️ Please fix the performance issues or acknowledge them on CodSpeed.

Benchmarks breakdown

Benchmark BASE HEAD Change
zstdWithConcurrency 6.9 µs 29 µs -76.23%

@ycombinator ycombinator mentioned this pull request Nov 26, 2025
Merged
github-merge-queue bot pushed a commit that referenced this pull request Nov 27, 2025
@ycombinator
[fips140][configtls.TestTPM_loadCertificate] Skip test if `GODEBUG=…
a9f386e 
…fips140=only` is set (#14225)

<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue.
Ex. Adding a feature - Explain what this achieves.-->
#### Description

When
#13926 is
merged, all unit tests in this repository will be run with
`GODEBUG=fips140=only` to help surface any FIPS-140 violations in all
the Go modules in this repository.

One such unit test that fails in these circumstances is
`config/configtls.TestTPM_loadCertificate`. However, the FIPS violation
surfaced by this test is from the test code itself (as opposed to from
OpenTelemetry Collector core code that the test is exercising),
specifically when this call is made:
https://github.com/open-telemetry/opentelemetry-collector/blob/974da01f71487422c02fadadb8f66147162fcb14/config/configtls/tpm_test.go#L191

As such, this is not a FIPS violation we need to worry about when
running the OpenTelemetry Collector. To prevent the unit test from
failing when it's run with `GODEBUG=fips140=only`, we skip it.

<!-- Issue number if applicable -->
#### Link to tracking issue
Fixes #13989

<!--Describe what testing was performed and which tests were added.-->
#### Testing

Run the `configtls.TestTPM_loadCertificate` unit test with
`GODEBUG=fips140=only`. Make sure OS is Linux and Go version is >=
1.24.6.
   ```
   $ cd config/configtls/
$ GODEBUG=fips140=only go test ./... -test.run TestTPM_loadCertificate
   ```
@ycombinator ycombinator force-pushed the unit-tests-fips140-only branch from e41d32d to 39a20b3 Compare December 3, 2025 19:53
@ycombinator
Copy link
Contributor Author

ycombinator commented Dec 3, 2025

CI failures will be addressed once #14255 is reviewed and merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ycombinator @atoulme