Microsoft Maintains Go Fork for FIPS 140-2 Support

  • There used to be the Go FIPS branch:

    https://github.com/golang/go/tree/dev.boringcrypto/misc/bori...

    But it looks dead for some time.

    However, https://github.com/golang-fips/go sprang up to take its place.

    I wonder why Microsoft prefers to maintain its own in entirety rather than share a piece of the burden.

  • You would be interested in this if you need the 'crypto' library to work in a FIPS 140-2 compliant way. You can switch on / off this mode by setting the runtime variable GOFIPS=1 before running your Go program [1]. Nice.

    It looks like the Go community officially has no plans to support FIPS 140-2 any time, so I'm glad to see this alternative.

    [1] https://github.com/microsoft/go/tree/microsoft/main/eng/doc/...

  • Does anyone with FIPS experience know what sort of changes are entailed by those requirements?

    This repo doesn't seem to list what sort of high-level/conceptual changes are involved. I could look at the diff, but that sounds exhausting :Þ

  • I'd be happy if they just made Defender stop detecting all my Go binaries as malware...

  • If this doesn't also _add_ some "accidental" backdoor, I'd be surprised.

    Microsoft's security reputation is so flawed that some parts simply must be intentional, or coerced.

    Don't use this repo. Very interesting TIL about golang at Microsoft. Thanks for sharing.