packages: build Go binaries for FIPS and non-FIPS

packages/amazon-ssm-agent/amazon-ssm-agent.spec

@@ -1,8 +1,3 @@
-# Don't generate debug packages because we are compiling without CGO,
-# and the `gc` compiler doesn't append the  the ".note.gnu.build-id" section
-# https://fedoraproject.org/wiki/PackagingDrafts/Go#Build_ID
-%global debug_package %{nil}
-
 %global goproject github.com/aws
 %global gorepo amazon-ssm-agent
 %global goimport %{goproject}/%{gorepo}
@@ -17,10 +12,29 @@ Source0: %{gorepo}-%{version}.tar.gz
 Source1000: clarify.toml
 
 BuildRequires: %{_cross_os}glibc-devel
+Requires: %{name}(binaries)
 
 %description
 %{summary}.
 
+%package bin
+Summary: Remote management agent binaries
+Provides: %{name}(binaries)
+Requires: (%{_cross_os}image-feature(no-fips) and %{name})
+Conflicts: (%{_cross_os}image-feature(fips) or %{name}-fips-bin)
+
+%description bin
+%{summary}.
+
+%package fips-bin
+Summary: Remote management agent binaries, FIPS edition
+Provides: %{name}(binaries)
+Requires: (%{_cross_os}image-feature(fips) and %{name})
+Conflicts: (%{_cross_os}image-feature(no-fips) or %{name}-bin)
+
+%description fips-bin
+%{summary}.
+
 %prep
 %setup -n %{gorepo}-%{version}
 
@@ -30,25 +44,44 @@ BuildRequires: %{_cross_os}glibc-devel
 go build -ldflags "${GOLDFLAGS}" -o amazon-ssm-agent \
   ./core/agent.go ./core/agent_unix.go ./core/agent_parser.go
 
+gofips build -ldflags "${GOLDFLAGS}" -o fips/amazon-ssm-agent \
+  ./core/agent.go ./core/agent_unix.go ./core/agent_parser.go
+
 go build -ldflags "${GOLDFLAGS}" -o ssm-agent-worker \
   ./agent/agent.go ./agent/agent_unix.go ./agent/agent_parser.go
 
+gofips build -ldflags "${GOLDFLAGS}" -o fips/ssm-agent-worker \
+  ./agent/agent.go ./agent/agent_unix.go ./agent/agent_parser.go
+
 go build -ldflags "${GOLDFLAGS}" -o ssm-session-worker \
   ./agent/framework/processor/executer/outofproc/sessionworker/main.go
 
+gofips build -ldflags "${GOLDFLAGS}" -o fips/ssm-session-worker \
+  ./agent/framework/processor/executer/outofproc/sessionworker/main.go
+
 %install
 # Install the SSM agent under 'libexecdir', since it is meant to be used by other programs
-install -d %{buildroot}%{_cross_libexecdir}/amazon-ssm-agent/bin/%{version}
+install -d %{buildroot}{%{_cross_libexecdir},%{_cross_fips_libexecdir}}/amazon-ssm-agent/bin/%{version}
 for b in amazon-ssm-agent ssm-agent-worker ssm-session-worker; do
-  install -D -p -m 0755 ${b} %{buildroot}%{_cross_libexecdir}/amazon-ssm-agent/bin/%{version}
+  install -p -m 0755 ${b} %{buildroot}%{_cross_libexecdir}/amazon-ssm-agent/bin/%{version}
+  install -p -m 0755 fips/${b} %{buildroot}%{_cross_fips_libexecdir}/amazon-ssm-agent/bin/%{version}
 done
 
-
 %cross_scan_attribution --clarify %{S:1000} go-vendor vendor
 
 %files
 %license LICENSE
 %{_cross_attribution_file}
 %{_cross_attribution_vendor_dir}
+
+%files bin
 %dir %{_cross_libexecdir}/amazon-ssm-agent
-%{_cross_libexecdir}/amazon-ssm-agent
+%{_cross_libexecdir}/amazon-ssm-agent/bin/%{version}/amazon-ssm-agent
+%{_cross_libexecdir}/amazon-ssm-agent/bin/%{version}/ssm-agent-worker
+%{_cross_libexecdir}/amazon-ssm-agent/bin/%{version}/ssm-session-worker
+
+%files fips-bin
+%dir %{_cross_fips_libexecdir}/amazon-ssm-agent
+%{_cross_fips_libexecdir}/amazon-ssm-agent/bin/%{version}/amazon-ssm-agent
+%{_cross_fips_libexecdir}/amazon-ssm-agent/bin/%{version}/ssm-agent-worker
+%{_cross_fips_libexecdir}/amazon-ssm-agent/bin/%{version}/ssm-session-worker

packages/aws-iam-authenticator/aws-iam-authenticator.spec

@@ -19,28 +19,56 @@ Source1000: clarify.toml
 
 BuildRequires: git
 BuildRequires: %{_cross_os}glibc-devel
+Requires: %{name}(binaries)
 
 %description
 %{summary}.
 
+%package bin
+Summary: AWS IAM authenticator binaries
+Provides: %{name}(binaries)
+Requires: (%{_cross_os}image-feature(no-fips) and %{name})
+Conflicts: (%{_cross_os}image-feature(fips) or %{name}-fips-bin)
+
+%description bin
+%{summary}.
+
+%package fips-bin
+Summary: AWS IAM authenticator binaries, FIPS edition
+Provides: %{name}(binaries)
+Requires: (%{_cross_os}image-feature(fips) and %{name})
+Conflicts: (%{_cross_os}image-feature(no-fips) or %{name}-bin)
+
+%description fips-bin
+%{summary}.
+
 %prep
 %setup -n %{gorepo}-%{gover} -q
 %setup -T -D -n %{gorepo}-%{version} -b 1
 
 %build
 %set_cross_go_flags
-go build -buildmode=pie -ldflags="${GOLDFLAGS}" -o aws-iam-authenticator ./cmd/aws-iam-authenticator
+go build -ldflags="${GOLDFLAGS}" -o aws-iam-authenticator ./cmd/aws-iam-authenticator
+gofips build -ldflags="${GOLDFLAGS}" -o fips/aws-iam-authenticator ./cmd/aws-iam-authenticator
 
 %install
 install -d %{buildroot}%{_cross_bindir}
 install -p -m 0755 aws-iam-authenticator %{buildroot}%{_cross_bindir}
 
+install -d %{buildroot}%{_cross_fips_bindir}
+install -p -m 0755 fips/aws-iam-authenticator %{buildroot}%{_cross_fips_bindir}
+
 %cross_scan_attribution --clarify %{S:1000} go-vendor vendor
 
 %files
 %license LICENSE
 %{_cross_attribution_file}
 %{_cross_attribution_vendor_dir}
+
+%files bin
 %{_cross_bindir}/aws-iam-authenticator
 
+%files fips-bin
+%{_cross_fips_bindir}/aws-iam-authenticator
+
 %changelog

packages/aws-signing-helper/aws-signing-helper.spec

@@ -18,29 +18,59 @@ Source: rolesanywhere-credential-helper-v%{gover}.tar.gz
 Source1: bundled-rolesanywhere-credential-helper-v%{gover}.tar.gz
 
 BuildRequires: %{_cross_os}glibc-devel
+Requires: %{name}(binaries)
 
 %description
 %{summary}.
 
+%package bin
+Summary: AWS signing helper binaries
+Provides: %{name}(binaries)
+Requires: (%{_cross_os}image-feature(no-fips) and %{name})
+Conflicts: (%{_cross_os}image-feature(fips) or %{name}-fips-bin)
+
+%description bin
+%{summary}.
+
+%package fips-bin
+Summary: AWS signing helper binaries, FIPS edition
+Provides: %{name}(binaries)
+Requires: (%{_cross_os}image-feature(fips) and %{name})
+Conflicts: (%{_cross_os}image-feature(no-fips) or %{name}-bin)
+
+%description fips-bin
+%{summary}.
+
 %prep
 %setup -n %{gorepo}-%{gover} -q
 %setup -T -D -n %{gorepo}-%{gover} -b 1 -q
 
 %build
 %set_cross_go_flags
 
-go build ${GOFLAGS} -buildmode=pie -ldflags "-X 'main.Version=${gover}' ${GOLDFLAGS}" -o aws-signing-helper main.go
+go build -ldflags "-X 'main.Version=${gover}' ${GOLDFLAGS}" -o aws-signing-helper main.go
+gofips build -ldflags "-X 'main.Version=${gover}' ${GOLDFLAGS}" -o fips/aws-signing-helper main.go
 
 %install
 install -d %{buildroot}%{_cross_bindir}
 install -p -m 0755 aws-signing-helper %{buildroot}%{_cross_bindir}/aws_signing_helper
 ln -sf aws_signing_helper %{buildroot}%{_cross_bindir}/aws-signing-helper
 
+install -d %{buildroot}%{_cross_fips_bindir}
+install -p -m 0755 fips/aws-signing-helper %{buildroot}%{_cross_fips_bindir}/aws_signing_helper
+ln -sf aws_signing_helper %{buildroot}%{_cross_fips_bindir}/aws-signing-helper
+
 %cross_scan_attribution go-vendor vendor
 
 %files
 %license LICENSE
 %{_cross_attribution_file}
 %{_cross_attribution_vendor_dir}
+
+%files bin
 %{_cross_bindir}/aws_signing_helper
 %{_cross_bindir}/aws-signing-helper
+
+%files fips-bin
+%{_cross_fips_bindir}/aws_signing_helper
+%{_cross_fips_bindir}/aws-signing-helper

packages/cni-plugins/cni-plugins.spec

@@ -18,24 +18,47 @@ Source1: cni-plugins-tmpfiles.conf
 BuildRequires: git
 BuildRequires: %{_cross_os}glibc-devel
 Requires: %{_cross_os}iptables
+Requires: %{name}(binaries)
 
 %description
 %{summary}.
 
+%package bin
+Summary: Plugins for container networking binaries
+Provides: %{name}(binaries)
+Requires: (%{_cross_os}image-feature(no-fips) and %{name})
+Conflicts: (%{_cross_os}image-feature(fips) or %{name}-fips-bin)
+
+%description bin
+%{summary}.
+
+%package fips-bin
+Summary: Plugins for container networking binaries, FIPS edition
+Provides: %{name}(binaries)
+Requires: (%{_cross_os}image-feature(fips) and %{name})
+Conflicts: (%{_cross_os}image-feature(no-fips) or %{name}-bin)
+
+%description fips-bin
+%{summary}.
+
 %prep
 %autosetup -Sgit -n %{gorepo}-%{gover} -p1
 %cross_go_setup %{gorepo}-%{gover} %{goproject} %{goimport}
 
 %build
 %cross_go_configure %{goimport}
 for d in $(find plugins -mindepth 2 -maxdepth 2 -type d ! -name windows) ; do
-  go build -buildmode=pie -ldflags="${GOLDFLAGS}" -o "bin/${d##*/}" %{goimport}/${d}
+  go build -ldflags="${GOLDFLAGS}" -o "bin/${d##*/}" %{goimport}/${d}
+  gofips build -ldflags="${GOLDFLAGS}" -o "fips/bin/${d##*/}" %{goimport}/${d}
 done
 
 %install
 install -d %{buildroot}%{_cross_libexecdir}/cni/bin
 install -p -m 0755 bin/* %{buildroot}%{_cross_libexecdir}/cni/bin
 
+install -d %{buildroot}%{_cross_fips_libexecdir}/cni/bin
+install -p -m 0755 fips/bin/* %{buildroot}%{_cross_fips_libexecdir}/cni/bin
+
 install -d %{buildroot}%{_cross_tmpfilesdir}
 install -p -m 0644 %{S:1} %{buildroot}%{_cross_tmpfilesdir}/cni-plugins.conf
 
@@ -45,6 +68,9 @@ install -p -m 0644 %{S:1} %{buildroot}%{_cross_tmpfilesdir}/cni-plugins.conf
 %license LICENSE
 %{_cross_attribution_file}
 %{_cross_attribution_vendor_dir}
+%{_cross_tmpfilesdir}/cni-plugins.conf
+
+%files bin
 %{_cross_libexecdir}/cni/bin/loopback
 %{_cross_libexecdir}/cni/bin/bandwidth
 %{_cross_libexecdir}/cni/bin/bridge
@@ -63,6 +89,25 @@ install -p -m 0644 %{S:1} %{buildroot}%{_cross_tmpfilesdir}/cni-plugins.conf
 %{_cross_libexecdir}/cni/bin/tuning
 %{_cross_libexecdir}/cni/bin/vlan
 %{_cross_libexecdir}/cni/bin/vrf
-%{_cross_tmpfilesdir}/cni-plugins.conf
+
+%files fips-bin
+%{_cross_fips_libexecdir}/cni/bin/loopback
+%{_cross_fips_libexecdir}/cni/bin/bandwidth
+%{_cross_fips_libexecdir}/cni/bin/bridge
+%{_cross_fips_libexecdir}/cni/bin/dhcp
+%{_cross_fips_libexecdir}/cni/bin/dummy
+%{_cross_fips_libexecdir}/cni/bin/firewall
+%{_cross_fips_libexecdir}/cni/bin/host-device
+%{_cross_fips_libexecdir}/cni/bin/host-local
+%{_cross_fips_libexecdir}/cni/bin/ipvlan
+%{_cross_fips_libexecdir}/cni/bin/macvlan
+%{_cross_fips_libexecdir}/cni/bin/portmap
+%{_cross_fips_libexecdir}/cni/bin/ptp
+%{_cross_fips_libexecdir}/cni/bin/sbr
+%{_cross_fips_libexecdir}/cni/bin/static
+%{_cross_fips_libexecdir}/cni/bin/tap
+%{_cross_fips_libexecdir}/cni/bin/tuning
+%{_cross_fips_libexecdir}/cni/bin/vlan
+%{_cross_fips_libexecdir}/cni/bin/vrf
 
 %changelog

packages/cni/cni.spec

@@ -29,7 +29,7 @@ Requires: %{_cross_os}iptables
 %build
 %set_cross_go_flags
 
-go build -buildmode=pie -ldflags="${GOLDFLAGS}" -o "bin/cnitool" %{goimport}/cnitool
+go build -ldflags="${GOLDFLAGS}" -o "bin/cnitool" %{goimport}/cnitool
 
 %install
 install -d %{buildroot}%{_cross_libexecdir}/cni/bin