Add the "Go BoringCrypto" toolchain for CI and releases.

This commit adds a second Go toolchain to the GitHub Actions
environments used for builds, tests, and releases, as well as the
related changes to GoReleaser's configuration.

This "BoringCrypto" fork of Go's toolchain [0] is maintained by the Go
team, and has become the de-facto way to provide FIPS-validated crypto
for software written in Go. Binary releases are only available for
Linux, so that is the only platform we can support ourselves for now.

With this change, releases will have a new "rskey-fips" archive for the
linux_amd64 target. This version of rskey will refuse to use
cryptographic algorithms that are not FIPS approved, and may be broken
in unexpected ways -- some caution is warranted. However, for customers
that are in theory bound by FIPS-140, this may be a very appealing
distribution of the tool.

This commit does not include documentation for these new release
binaries because no release yet includes them.

[0]: https://go.googlesource.com/go/+/dev.boringcrypto/README.boringcrypto.md

Signed-off-by: Aaron Jacobs <[email protected]>

.github/workflows/ci.yml

@@ -30,3 +30,26 @@ jobs:
       run: make check
     - name: Check Licenses
       run: make check-license
+    - uses: actions/cache@v3
+      id: goboring-cache
+      with:
+        path: /opt/goboring/
+        key: ${{ runner.os }}-goboring-${{ hashFiles('/opt/goboring/go/VERSION') }}
+        restore-keys: |
+          ${{ runner.os }}-goboring-
+    - name: Set up GoBoring
+      if: steps.goboring-cache.outputs.cache-hit != 'true'
+      run: |
+        mkdir -p /opt/goboring
+        cd /opt/goboring
+        wget --no-verbose https://go-boringcrypto.storage.googleapis.com/go1.18b7.linux-amd64.tar.gz
+        tar -xzvf go1.18b7.linux-amd64.tar.gz
+        /opt/goboring/go/bin/go version
+    - name: Build
+      run: make GOBIN=/opt/goboring/go/bin/go CGO_ENABLED=1 GO_BUILD_ARGS='-v -tags "netgo fips" -trimpath' GO_LDFLAGS='-s -w -linkmode=external -extldflags=-static' static-build
+      env:
+        GOROOT: /opt/goboring/go
+    - name: Test
+      run: make GOBIN=/opt/goboring/go/bin/go CGO_ENABLED=1 GO_BUILD_ARGS='-v -tags "netgo fips" -trimpath' GO_LDFLAGS='-s -w -linkmode=external -extldflags=-static' test
+      env:
+        GOROOT: /opt/goboring/go

.github/workflows/release.yml

@@ -24,6 +24,21 @@ jobs:
       uses: sigstore/cosign-installer@main
       with:
         cosign-release: 'v1.6.0'
+    - uses: actions/cache@v3
+      id: goboring-cache
+      with:
+        path: /opt/goboring/
+        key: ${{ runner.os }}-goboring-${{ hashFiles('/opt/goboring/go/VERSION') }}
+        restore-keys: |
+          ${{ runner.os }}-goboring-
+    - name: Set up GoBoring
+      if: steps.goboring-cache.outputs.cache-hit != 'true'
+      run: |
+        mkdir -p /opt/goboring
+        cd /opt/goboring
+        wget --no-verbose https://go-boringcrypto.storage.googleapis.com/go1.18b7.linux-amd64.tar.gz
+        tar -xzvf go1.18b7.linux-amd64.tar.gz
+        /opt/goboring/go/bin/go version
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v2
       with:

.goreleaser.yaml

@@ -16,11 +16,37 @@ builds:
   mod_timestamp: '{{ .CommitTimestamp }}'
   tags:
   - netgo
+- id: fips
+  binary: rskey-fips
+  env:
+  - CGO_ENABLED=1
+  - GOROOT=/opt/goboring/go
+  flags:
+  - -trimpath
+  gobinary: /opt/goboring/go/bin/go
+  ldflags:
+  - -s -w -linkmode=external -extldflags=-static
+  mod_timestamp: "{{ .CommitTimestamp }}"
+  tags:
+  - fips
+  - netgo
+  targets:
+  - linux_amd64
 archives:
-- files:
+- builds:
+  - rskey
+  files:
+  - LICENSE
+  - README.md
+  - NOTICE.md
+- id: fips
+  builds:
+  - fips
+  files:
   - LICENSE
   - README.md
   - NOTICE.md
+  name_template: "{{ .ProjectName }}-fips_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
 release:
   draft: true
 signs: