Bump Go version to 1.25.1 (#5562)

ycombinator · ycombinator · commit a2f1a51100c3 · 2025-10-01T09:50:45.000-07:00
* Bump Go version to 1.25.1 * Update CHANGELOG entry * Bump the version of golangci-lint * Remove references to the ms_tls13kdf build tag * Download go module dependencies before GODEBUG=fips140=only is set * Exclude X25519 curve types when testing in FIPS-140 mode * Stricter check * Add missing license header * Exclude X25519 curve types when testing in FIPS-140-only mode * Use stricter check * Update NOTICE files * Remove IsFIPS140Only helper function * Set GODEBUG=tlsmlkem=0 for FIPS140-only unit tests * Remove replace directive from go.mod * Try not pre-downloading dependencies (cherry picked from commit 15b8c8a)
diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.24.7
+1.25.1
diff --git a/.golangci.yml b/.golangci.yml
@@ -4,7 +4,7 @@ run:
   timeout: 1m
   build-tags:
     - integration
-  go: "1.24.7"
+  go: "1.25.1"
 
 issues:
   # Maximum count of issues with the same text.
diff --git a/changelog/fragments/1758819869-bump-golang-1.25.1.yaml b/changelog/fragments/1758819869-bump-golang-1.25.1.yaml
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: Update Go to v1.25.1
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: fleet-server
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/fleet-server/pull/5562
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234
diff --git a/dev-tools/go.mod b/dev-tools/go.mod
@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/dev-tools
 
-go 1.24.7
+go 1.25.1
 
 tool (
 	github.com/elastic/go-json-schema-generate/cmd/schema-generate
diff --git a/docs/fips.md b/docs/fips.md
@@ -0,0 +1,97 @@
+# FIPS support
+
+**NOTE: FIPS Support is in-progress**
+
+The fleet-server can be built in a FIPS capable mode.
+This forces the use of a FIPS provider to handle any cryptographic calls.
+
+Currently FIPS is provided by compiling with the [microsoft/go](https://github.com/microsoft/go) distribution.
+This toolchain must be present for local compilation.
+
+## Build changes
+
+As we are using micrsoft/go as a base we follow their conventions.
+
+Our FIPS changes require the `requirefips` build tag.
+When compiling `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` must be set.
+Additionally the `MS_GOTOOLCHAIN_TELEMETRY_ENABLED=0` env var is set to disable telemetry for [microsoft/go](https://github.com/microsoft/go).
+
+The `FIPS=true` env var is used by our magefile as the FIPS toggle.
+This env var applies to all targets, at a minimum the `requirefips` tag will be set.
+For targets that compile binaries, the `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` env vars are set.
+
+For developer conveniance, running `FIPS=true mage multipass` will provision a multipass VM with the Microsoft/go toolchain.
+See [Multipass VM Usage](#multipass-vm-usage) for additional details.
+
+### Multipass VM Usage
+
+A Multipass VM created with `FIPS=true mage multipass` is able to compile FIPS enabled golang programs, but is not able to run them.
+When you try to run one the following error occurs:
+```
+GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml
+panic: opensslcrypto: can't enable FIPS mode for OpenSSL 3.0.13 30 Jan 2024: openssl: FIPS mode not supported by any provider
+
+goroutine 1 [running]:
+crypto/internal/backend.init.1()
+	/usr/local/go/src/crypto/internal/backend/openssl_linux.go:85 +0x210
+```
+
+In order to be  able to run a FIPS enabled binary, openssl must have a fips provider.
+Openssl [provides instructions on how to do this](https://github.com/openssl/openssl/blob/master/README-FIPS.md).
+
+A TLDR for our multipass container is:
+
+1. Download and compile the FIPS provider for openssl in the VM by running:
+```
+wget https://github.com/openssl/openssl/releases/download/openssl-3.0.13/openssl-3.0.13.tar.gz
+tar -xzf openssl-3.0.13.tar.gz
+cd openssl-3.0.13
+./Configure enable-fips
+make test
+sudo make install_fips
+sudo openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so
+```
+
+2. Copy the `fips.so` module to the system library, in order to find the location run:
+```
+openssl version -m
+```
+
+On my VM I would copy the `fips.so` module with:
+```
+sudo cp /usr/local/lib/ossl-modules/fips.so /usr/lib/aarch64-linux-gnu/ossl-modules/fips.so
+```
+
+3. Create an openssl.cnf for the program to use with the contents:
+```
+config_diagnostics = 1
+openssl_conf = openssl_init
+
+.include /usr/local/ssl/fipsmodule.cnf
+
+[openssl_init]
+providers = provider_sect
+alg_section = algorithm_sect
+
+[provider_sect]
+fips = fips_sect
+base = base_sect
+
+[base_sect]
+activate = 1
+
+[algorithm_sect]
+default_properties = fips=yes
+```
+
+4. Run the program with the `OPENSSL_CONF=openssl.cnf` and `GODEBUG=fips140=on` env vars, i.e.,
+```
+OPENSSL_CONF=./openssl.cnf GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml
+23:48:47.871 INF Boot fleet-server args=["-c","fleet-server.yml"] commit=55104f6f ecs.version=1.6.0 exe=./bin/fleet-server pid=65037 ppid=5642 service.name=fleet-server service.type=fleet-server version=9.0.0
+i...
+```
+
+## Usage
+
+Binaries produced with the `FIPS=true` env var will panic on startup if they cannot find a FIPS provider.
+The system/image is required to have a FIPS provider available.
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/v7
 
-go 1.24.7
+go 1.25.1
 
 require (
 	github.com/Pallinder/go-randomdata v1.2.0
diff --git a/testing/go.mod b/testing/go.mod
@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/testing
 
-go 1.24.7
+go 1.25.1
 
 replace (
 	github.com/elastic/fleet-server/pkg/api => ../pkg/api
