From 06e26ce856f42d0a5b4d9b40e4a9c15b461b75ae Mon Sep 17 00:00:00 2001
From: Aaron Jacobs <aaron.jacobs@rstudio.com>
Date: Mon, 4 Apr 2022 13:52:23 -0400
Subject: [PATCH] Add the "Go BoringCrypto" toolchain for CI and releases.

This commit adds a second Go toolchain to the GitHub Actions
environments used for builds, tests, and releases, as well as the
related changes to GoReleaser's configuration.

This "BoringCrypto" fork of Go's toolchain [0] is maintained by the Go
team, and has become the de-facto way to provide FIPS-validated crypto
for software written in Go. Binary releases are only available for
Linux, so that is the only platform we can support ourselves for now.

With this change, releases will have a new "rskey-fips" archive for the
linux_amd64 target. This version of rskey will refuse to use
cryptographic algorithms that are not FIPS approved, and may be broken
in unexpected ways -- some caution is warranted. However, for customers
that are in theory bound by FIPS-140, this may be a very appealing
distribution of the tool.

This commit does not include documentation for these new release
binaries because no release yet includes them.

[0]: https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md

Signed-off-by: Aaron Jacobs <aaron.jacobs@rstudio.com>
---
 .github/workflows/ci.yml      | 23 +++++++++++++++++++++++
 .github/workflows/release.yml | 15 +++++++++++++++
 .goreleaser.yaml              | 31 ++++++++++++++++++++++++++++++-
 3 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3ddee02..db46c27 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,3 +30,26 @@ jobs:
       run: make check
     - name: Check Licenses
       run: make check-license
+    - uses: actions/cache@v3
+      id: goboring-cache
+      with:
+        path: /opt/goboring/
+        key: ${{ runner.os }}-goboring-${{ hashFiles('/opt/goboring/go/VERSION') }}
+        restore-keys: |
+          ${{ runner.os }}-goboring-
+    - name: Set up GoBoring
+      if: steps.goboring-cache.outputs.cache-hit != 'true'
+      run: |
+        mkdir -p /opt/goboring
+        cd /opt/goboring
+        wget --no-verbose https://go-boringcrypto.storage.googleapis.com/go1.18b7.linux-amd64.tar.gz
+        tar -xzvf go1.18b7.linux-amd64.tar.gz
+        /opt/goboring/go/bin/go version
+    - name: Build
+      run: make GOBIN=/opt/goboring/go/bin/go CGO_ENABLED=1 GO_BUILD_ARGS='-v -tags "netgo fips" -trimpath' GO_LDFLAGS='-s -w -linkmode=external -extldflags=-static' static-build
+      env:
+        GOROOT: /opt/goboring/go
+    - name: Test
+      run: make GOBIN=/opt/goboring/go/bin/go CGO_ENABLED=1 GO_BUILD_ARGS='-v -tags "netgo fips" -trimpath' GO_LDFLAGS='-s -w -linkmode=external -extldflags=-static' test
+      env:
+        GOROOT: /opt/goboring/go
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 40a8156..db7e209 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,6 +24,21 @@ jobs:
       uses: sigstore/cosign-installer@main
       with:
         cosign-release: 'v1.6.0'
+    - uses: actions/cache@v3
+      id: goboring-cache
+      with:
+        path: /opt/goboring/
+        key: ${{ runner.os }}-goboring-${{ hashFiles('/opt/goboring/go/VERSION') }}
+        restore-keys: |
+          ${{ runner.os }}-goboring-
+    - name: Set up GoBoring
+      if: steps.goboring-cache.outputs.cache-hit != 'true'
+      run: |
+        mkdir -p /opt/goboring
+        cd /opt/goboring
+        wget --no-verbose https://go-boringcrypto.storage.googleapis.com/go1.18b7.linux-amd64.tar.gz
+        tar -xzvf go1.18b7.linux-amd64.tar.gz
+        /opt/goboring/go/bin/go version
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v2
       with:
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index e28eca4..c1679ec 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -16,11 +16,40 @@ builds:
   mod_timestamp: '{{ .CommitTimestamp }}'
   tags:
   - netgo
+  # skip: true
+  targets:
+  - linux_amd64
+- id: fips
+  binary: rskey-fips
+  env:
+  - CGO_ENABLED=1
+  - GOROOT=/opt/goboring/go
+  flags:
+  - -trimpath
+  gobinary: /opt/goboring/go/bin/go
+  ldflags:
+  - -s -w -linkmode=external -extldflags=-static
+  mod_timestamp: "{{ .CommitTimestamp }}"
+  tags:
+  - fips
+  - netgo
+  targets:
+  - linux_amd64
 archives:
-- files:
+- builds:
+  - rskey
+  files:
+  - LICENSE
+  - README.md
+  - NOTICE.md
+- id: fips
+  builds:
+  - fips
+  files:
   - LICENSE
   - README.md
   - NOTICE.md
+  name_template: "{{ .ProjectName }}-fips_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
 release:
   draft: true
 signs: