microsoft / go

The Microsoft build of the Go toolset

Clarification needed

Shnitzelil opened this issue · comments

commented

Need some help to understand how to build with option to switch on and off FIPS mode.
And how can I validate that the binaries are working in this mode?

> Need some help to understand how to build with option to switch on and off FIPS mode.

We have our build docs at https://github.com/microsoft/go/tree/microsoft/main/eng/doc/fips#configuration-overview. As long as you don't use requirefips when you build with one of the GOEXPERIMENTs, FIPS mode can be either on or off, and this is determined when the app starts (https://github.com/microsoft/go/tree/microsoft/main/eng/doc/fips#usage-runtime).

> And how can I validate that the binaries are working in this mode?

If you're asking for an API that determines whether FIPS mode is active, we discussed this in:

We don't currently plan to add a ready-to-use API (reasons in the last comment), but there is a workaround in the issue body.

If you're asking how to validate that the binaries work while in FIPS mode: for OpenSSL, you can use the GOFIPS variable to enable it and run your program's tests. With CNG/Windows, you would need to change the registry. There's some more info about this at https://github.com/microsoft/go/tree/microsoft/main/eng/doc/fips#usage-runtime.

I should mention the disclaimer, though--even if your program tests/runs successfully under FIPS mode, it might not be FIPS compliant: https://github.com/microsoft/go/tree/microsoft/main/eng/doc/fips#disclaimer.

Does that help?

commented

That's really helpful.

Thank you very much for your detailed response.

Glad to hear it! No problem. 🙂