Tool for validating that a binary, an RPM package, or an OCI container image has been built so that it can run on a FIPS-enabled system.

fips-validator checks that every binary in the input that uses cryptographic algorithms is dynamically linked against an OpenSSL library built with FIPS support. This also applies to Go binaries, because the upstream Go crypto libraries have not yet been FIPS-validated; a Go binary therefore has to be built with a toolchain that routes its crypto operations through OpenSSL (see below). For container images, the tool additionally checks that OpenSSL's `libcrypto.so` is present in the image.
To build a Go binary with FIPS-validated crypto:

- use a Go toolchain >= 1.23 that has been patched to use OpenSSL for crypto operations, e.g. the toolchain provided by the `registry.access.redhat.com/ubi9/go-toolset:latest` image
- set the `CGO_ENABLED=1` and `GOEXPERIMENT=strictfipsruntime` environment variables when building
- do not use the `no_openssl` build tag, which disables the OpenSSL backend
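The following Go program is an added example, not code from the fips-validator project, and its `Report` type, function names and pass/fail policy are this example's own choices rather than the tool's behaviour. It applies the requirements from the two passages above to one Go ELF binary using only the standard library: `debug/elf` reads the DT_NEEDED entries to confirm the binary is dynamically linked at all and to report whether `libcrypto.so` is declared, and `debug/buildinfo` reads the build settings the linker embeds (what `go version -m` prints) to check `CGO_ENABLED=1`, a `GOEXPERIMENT` containing `strictfipsruntime`, and the absence of the `no_openssl` tag. The example treats a missing `libcrypto.so` in DT_NEEDED as informational, on the assumption that an OpenSSL backend may load the library with dlopen at run time instead; that is exactly why a separate check that `libcrypto.so` exists in the image is useful.

```go
// fipscheck.go: added example, not code from the fips-validator project.
// Applies the FIPS build requirements described above to one Go ELF binary.
package main

import (
	"debug/buildinfo"
	"debug/elf"
	"fmt"
	"os"
	"strings"
)

// Report summarises what was found in one binary.
type Report struct {
	Needed            []string // DT_NEEDED libraries declared by the binary
	DynamicallyLinked bool     // at least one DT_NEEDED entry (libc at minimum)
	LinksLibcrypto    bool     // libcrypto.so* is among the DT_NEEDED entries
	CGOEnabled        bool     // CGO_ENABLED=1 in the embedded build settings
	StrictFIPS        bool     // GOEXPERIMENT contains strictfipsruntime
	NoOpenSSLTag      bool     // -tags contains no_openssl (disables the OpenSSL backend)
}

// OK reports whether the binary satisfies every hard requirement. LinksLibcrypto
// is informational only: an OpenSSL backend may load libcrypto with dlopen at
// run time instead of declaring it in DT_NEEDED (assumption of this example),
// which is why a separate check that libcrypto.so exists in the image matters.
func (r Report) OK() bool {
	return r.DynamicallyLinked && r.CGOEnabled && r.StrictFIPS && !r.NoOpenSSLTag
}

// hasLibcrypto matches any soname version, e.g. libcrypto.so.3.
func hasLibcrypto(needed []string) bool {
	for _, lib := range needed {
		if strings.HasPrefix(lib, "libcrypto.so") {
			return true
		}
	}
	return false
}

// containsField reports whether a comma-separated build setting value
// (GOEXPERIMENT, -tags) contains the given item.
func containsField(value, want string) bool {
	for _, f := range strings.Split(value, ",") {
		if strings.TrimSpace(f) == want {
			return true
		}
	}
	return false
}

// evaluateSettings inspects the build settings the Go linker embeds (the lines
// `go version -m` prints as "build KEY=VALUE"), keyed by setting name.
func evaluateSettings(settings map[string]string) (cgo, strict, noOpenSSL bool) {
	cgo = settings["CGO_ENABLED"] == "1"
	strict = containsField(settings["GOEXPERIMENT"], "strictfipsruntime")
	noOpenSSL = containsField(settings["-tags"], "no_openssl")
	return cgo, strict, noOpenSSL
}

// inspect opens the binary on disk and fills in a Report.
func inspect(path string) (Report, error) {
	var r Report
	f, err := elf.Open(path)
	if err != nil {
		return r, fmt.Errorf("%s: not an ELF file: %w", path, err)
	}
	defer f.Close()
	// ImportedLibraries returns the DT_NEEDED entries; a statically linked Go
	// binary has none, which is the failure mode that matters here.
	r.Needed, err = f.ImportedLibraries()
	if err != nil {
		return r, fmt.Errorf("%s: reading dynamic section: %w", path, err)
	}
	r.DynamicallyLinked = len(r.Needed) > 0
	r.LinksLibcrypto = hasLibcrypto(r.Needed)

	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return r, fmt.Errorf("%s: no Go build info (not a Go binary?): %w", path, err)
	}
	settings := make(map[string]string, len(bi.Settings))
	for _, s := range bi.Settings {
		settings[s.Key] = s.Value
	}
	r.CGOEnabled, r.StrictFIPS, r.NoOpenSSLTag = evaluateSettings(settings)
	return r, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: fipscheck /path/to/go-binary")
		os.Exit(2)
	}
	r, err := inspect(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("needed: %v\ndynamic=%v libcrypto=%v cgo=%v strictfipsruntime=%v no_openssl=%v\n",
		r.Needed, r.DynamicallyLinked, r.LinksLibcrypto, r.CGOEnabled, r.StrictFIPS, r.NoOpenSSLTag)
	if !r.OK() {
		fmt.Fprintln(os.Stderr, "FAIL: binary was not built for FIPS mode")
		os.Exit(1)
	}
}
```

Run it as `go run fipscheck.go /path/to/go-binary`; a binary built with plain `CGO_ENABLED=0 go build` fails on the very first check because it has no dynamic section at all, which is the quickest way to see why the `CGO_ENABLED=1` requirement above is not optional.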
Installing with `go install` is the recommended method if you have a Go toolchain >= 1.23 installed. It downloads, compiles, and installs the tool into your Go binary path (`$(go env GOPATH)/bin`, or `$GOBIN` if set):

```shell
go install github.com/flightctl/fips-validator@latest
```

Alternatively, build from source. Prerequisites:
- Go 1.23+
- Git
Steps:

```shell
git clone https://github.com/flightctl/fips-validator.git
cd fips-validator
go build
```

To validate a binary, run:

```shell
fips-validator binary /path/to/binary
```

To validate an RPM package, the `rpm2cpio` and `cpio` tools must be installed on the system, since the package is unpacked and each binary it contains is checked. Then run:

```shell
fips-validator rpm /path/to/package.rpm
```

To validate an OCI container image, `podman` must be installed on the system. You can then run the validator rootless inside a `podman unshare` user namespace, which is what allows an unprivileged user to inspect the image's filesystem:

```shell
podman unshare -- fips-validator image registry.example.com/repo/image:tag
```