Tool for validating that a binary, an RPM package, or an OCI container image has been built so it can run on a FIPS-verified system.
fips-validator
validates that all binaries in the input that use cryptographic algorithms are dynamically linked against an OpenSSL library built with FIPS support. This also applies to Golang binaries, as the upstream Go crypto libraries have not yet been FIPS-verified. For container images, the tool further checks that OpenSSL's libcrypto.so
is present in the image.
To build a Golang binary with FIPS-verified crypto
- use a Golang toolchain >=1.23 that has been patched to use OpenSSL for crypto operations, e.g. using the toolchain provided by the
registry.access.redhat.com/ubi9/go-toolset:latest
image - provide the
CGO_ENABLED=1
andGOEXPERIMENT=strictfipsruntime
environment variables when building - avoid using the
no_openssl
build tag
This is the recommended method if you have the Go toolchain version >=1.23 installed. It will download, compile, and install the tool in your Go binary path:
go install github.com/flightctl/fips-validator@latest
Prerequisites:
- Go 1.23+
- Git
Steps:
git clone https://github.com/flightctl/fips-validator.git
cd fips-validator
go build
To validate a binary, run:
fips-validator binary /path/to/binary
To validate an RPM package, you need to have the rpm2cpio
and cpio
tools installed on the system. Then run:
fips-validator rpm /path/to/package.rpm
To validate an OCI container image, you need to have podman
installed on the system. You can then run the FIPS validator rootless in a podman unshare
context:
podman unshare -- fips-validator image registry.example.com/repo/image:tag