Prepare for Go 1.19 FIPS support

https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/718 will make Go 1.19 the default for gitlab-shell. Per golang/go#51940, the dev.boringcrypto branch no longer exists, and to support FIPS we need to pass along `GOEXPERIMENT=boringcrypto`. To do this, we just see if this `GOEXPERIMENT` is available with `go version` rather than do some more complicated version-specific comparison.
gitlabhq · Mar 7, 2023 · 4f5f998 · 4f5f998
1 parent d893886
commit 4f5f998
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/Makefile b/Makefile
@@ -8,7 +8,13 @@ BUILD_TIME := $(shell date -u +%Y%m%d.%H%M%S)
 BUILD_TAGS := tracer_static tracer_static_jaeger continuous_profiler_stackdriver
 
 ifeq (${FIPS_MODE}, 1)
-    # boringcrypto tag is added automatically by golang-fips compiler
+    # Go 1.19 now requires GOEXPERIMENT=boringcrypto for FIPS compilation.
+    # See https://github.com/golang/go/issues/51940 for more details.
+    BORINGCRYPTO_SUPPORT := $(shell GOEXPERIMENT=boringcrypto go version &> /dev/null; echo $$?)
+    ifeq ($(BORINGCRYPTO_SUPPORT), 0)
+        GOBUILD_ENV=GOEXPERIMENT=boringcrypto
+    endif
+
     BUILD_TAGS += fips
     # If the golang-fips compiler is built with CGO_ENABLED=0, this needs to be
     # explicitly switched on.
@@ -60,10 +66,10 @@ _script_install:
 
 compile: bin/gitlab-shell bin/gitlab-sshd
 bin/gitlab-shell: $(GO_SOURCES)
-	GOBIN="$(CURDIR)/bin" go install $(GOBUILD_FLAGS) ./cmd/...
+	GOBIN="$(CURDIR)/bin" $(GOBUILD_ENV) go install $(GOBUILD_FLAGS) ./cmd/...
 
 bin/gitlab-sshd: $(GO_SOURCES)
-	GOBIN="$(CURDIR)/bin" go install $(GOBUILD_FLAGS) ./cmd/gitlab-sshd
+	GOBIN="$(CURDIR)/bin" $(GOBUILD_ENV) go install $(GOBUILD_FLAGS) ./cmd/gitlab-sshd
 
 check:
 	bin/check