
FIPS mode on for components

Open eleduardo opened this issue 9 months ago • 0 comments

Is your feature request related to a problem? Please describe.

Some environments require FIPS compliance (140-3 preferably) and even OWASP 10 recommends using it. Having the binaries built with FIPS mode turned on takes one build param, and it would make the default builds pass those compliance requirements (where they exist).

Describe the solution you'd like

  • Have the binaries be built with FIPS mode on. For Go 1.24 and on, this is already a simple flag to add (https://go.dev/doc/security/fips140); for older versions there is a simple recipe with GOEXPERIMENT and boringcrypto.

Describe alternatives you've considered

One alternative is to have two sets of binaries: one set has regular builds and another set is built with FIPS, and of course they produce the equivalent images, just like Chainguard does.

Of course we can all fork the repo and add the differences, but it would be great to have it built from the same base code!

Additional context

While FIPS is a US thing, its compliance requirements seem to force software into building on top of certified libraries.

eleduardo, Apr 18 '25 22:04
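
An added example, not part of the issue or of the project's build scripts: a POSIX shell helper that selects between the two build recipes the request mentions, based on the Go toolchain version. The function names, `./cmd/app` and `dist/app` are hypothetical, and `latest` as the default module version is an assumption.

```shell
#!/bin/sh
# Added example (not from the project): pick FIPS build settings by Go version.
# fips_build_env, build_fips, ./cmd/app and dist/app are hypothetical names.

# Module version passed to GOFIPS140; "latest" is an assumed default here.
FIPS_MODULE_VERSION="${FIPS_MODULE_VERSION:-latest}"

# Print the environment assignments for a FIPS-oriented build of the given Go
# version ("go1.24.2", "1.22", "1.25rc1"). Status 1: no recipe, 2: unparsable.
fips_build_env() (
  v="${1#go}"
  case "$v" in *.*) ;; *) return 2 ;; esac
  major="${v%%.*}"
  minor="${v#*.}"
  minor="${minor%%[!0-9]*}"          # "24.2" -> "24", "25rc1" -> "25"
  case "$major" in ''|*[!0-9]*) return 2 ;; esac
  [ -n "$minor" ] || return 2
  if [ "$major" -gt 1 ] || [ "$minor" -ge 24 ]; then
    # Go 1.24+: native FIPS 140-3 module, selected at build time.
    echo "GOFIPS140=$FIPS_MODULE_VERSION"
  elif [ "$minor" -ge 19 ]; then
    # Go 1.19 to 1.23: BoringCrypto experiment, which needs cgo.
    echo "GOEXPERIMENT=boringcrypto CGO_ENABLED=1"
  else
    return 1
  fi
)

# Build package $1 into $2 with the settings for the installed toolchain.
build_fips() (
  ver="$(go env GOVERSION)" || return 1
  settings="$(fips_build_env "$ver")" || {
    echo "no FIPS build recipe for $ver" >&2
    return 1
  }
  # Word splitting is intended: $settings holds VAR=value pairs for env(1).
  env $settings go build -trimpath -o "$2" "$1"
)

# Usage: build_fips ./cmd/app dist/app
```

The BoringCrypto path also needs a C toolchain on the build host, since it links through cgo.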