cmd/go: enable fips test and fix caching bug

Enable the cmd/go fips test now that v1.0.0.zip has been checked in. Will still need to enable the alias half when the alias is checked in. Also fix a problem that was causing spurious failures, by fixing repeated unpackings and also disabling modindex reads of the virtual fips140 snapshot directories. Fixes #71491. Change-Id: I7fa21e9bde07ff4eb6c3483e99d49316ee0ea7f0 Reviewed-on: https://go-review.googlesource.com/c/go/+/645835 Reviewed-by: Michael Matloob <matloob@golang.org> Reviewed-by: Sam Thanawalla <samthanawalla@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2025-05-05 23:53:05 +00:00 · 2024-11-17 17:17:50 -05:00 · 2024-11-17 17:17:50 -05:00 · 37f27fbecd
commit 37f27fbecd
parent 77d20838e9
3 changed files with 17 additions and 10 deletions
--- a/src/cmd/go/internal/modfetch/cache.go
+++ b/src/cmd/go/internal/modfetch/cache.go
@ -113,6 +113,13 @@ func DownloadDir(ctx context.Context, m module.Version) (string, error) {
 		return dir, err
 	}

+	// Special case: ziphash is not required for the golang.org/fips140 module,
+	// because it is unpacked from a file in GOROOT, not downloaded.
+	// We've already checked that it's not a partial unpacking, so we're happy.
+	if m.Path == "golang.org/fips140" {
+		return dir, nil
+	}
+
 	// Check if a .ziphash file exists. It should be created before the
 	// zip is extracted, but if it was deleted (by another program?), we need
 	// to re-calculate it. Note that checkMod will repopulate the ziphash
--- a/src/cmd/go/internal/modindex/read.go
+++ b/src/cmd/go/internal/modindex/read.go
@ -33,10 +33,7 @@ import (
 	"cmd/internal/par"
 )

-// enabled is used to flag off the behavior of the module index on tip.
-// It will be removed before the release.
-// TODO(matloob): Remove enabled once we have more confidence on the
-// module index.
+// enabled is used to flag off the behavior of the module index on tip, for debugging.
 var enabled = godebug.New("#goindex").Value() != "0"

 // Module represents and encoded module index file. It is used to
@ -126,6 +123,7 @@ var ErrNotIndexed = errors.New("not in module index")
 var (
 	errDisabled           = fmt.Errorf("%w: module indexing disabled", ErrNotIndexed)
 	errNotFromModuleCache = fmt.Errorf("%w: not from module cache", ErrNotIndexed)
+	errFIPS140            = fmt.Errorf("%w: fips140 snapshots not indexed", ErrNotIndexed)
 )

 // GetPackage returns the IndexPackage for the directory at the given path.
@ -143,6 +141,11 @@ func GetPackage(modroot, pkgdir string) (*IndexPackage, error) {
 	if cfg.BuildContext.Compiler == "gccgo" && str.HasPathPrefix(modroot, cfg.GOROOTsrc) {
 		return nil, err // gccgo has no sources for GOROOT packages.
 	}
+	// The pkgdir for fips140 has been replaced in the fsys overlay,
+	// but the module index does not see that. Do not try to use the module index.
+	if strings.Contains(filepath.ToSlash(pkgdir), "internal/fips140/v") {
+		return nil, errFIPS140
+	}
 	return openIndexPackage(modroot, pkgdir)
 }

--- a/src/cmd/go/testdata/script/fipssnap.txt
+++ b/src/cmd/go/testdata/script/fipssnap.txt
@ -1,10 +1,6 @@
-## Note: Need a snapshot in lib/fips140 to run this test.
-## For local testing, can run 'cd lib/fips140; make v0.0.1.test'
-## and then remove the skip.
-env snap=v0.0.1
+env snap=v1.0.0
 env alias=inprocess

-skip 'no snapshots yet'
 env GOFIPS140=$snap

 # Go+BoringCrypto conflicts with GOFIPS140.
@ -27,7 +23,8 @@ stdout crypto/internal/fips140/$snap/sha256
 ! stdout crypto/internal/fips140/check

 # again with GOFIPS140=$alias
-env GOFIPS140=$alias
+# TODO: enable when we add inprocess.txt
+# env GOFIPS140=$alias

 # default GODEBUG includes fips140=on
 go list -f '{{.DefaultGODEBUG}}'