Bump Go version to 1.25.4
This PR bumps up the Golang version to 1.25.4. It also:
- removes the `ms_tls13kdf` Golang build tag when building in FIPS mode because this tag was only needed with Golang versions `1.24.x`.
- sets the `GODEBUG=tlsmlkem=0` environment variable when running FIPS140-only unit tests. This prevents errors like so: `Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode`.
- replaces any `fmt.Sprintf("%s:%d", ip, port)` code fragments with `net.JoinHostPort(ip, strconv.Itoa(int(port)))` to work with the new `hostport` `go vet` analyzer.
This pull request does not have a backport label. If this is a bug or security fix, could you label this PR @ycombinator? 🙏. For such, you'll need to label your PR with:
- The upcoming major version of the Elastic Stack
- The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)
To fixup this pull request, you need to add the backport labels for the needed branches, such as:
- `backport-8./d` is the label to automatically backport to the `8./d` branch. `/d` is the digit
- `backport-active-all` is the label that automatically backports to all active branches.
- `backport-active-8` is the label that automatically backports to all active minor branches for the 8 major.
- `backport-active-9` is the label that automatically backports to all active minor branches for the 9 major.
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)
There is a new Go Vet rule: https://go.dev/doc/go1.25#vet
So many builds are breaking with:
helper/server/udp/udp_test.go:81:26: address format "%s:%d" does not work with IPv6 (passed to net.Dial at L82)
https://buildkite.com/elastic/beats-metricbeat/builds/24655/steps/canvas?jid=01998236-e28d-40a4-a759-d06b75055f5a#01998236-e28d-40a4-a759-d06b75055f5a/132-385
The fips140=only unit tests are failing like so:
crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
These appear to be https://github.com/golang/go/issues/75148, which should be fixable when https://github.com/golang/go/issues/74630 is implemented. However, in order to upgrade to Go 1.25.1 now, we'll need to find a workaround.
These errors are coming from Go downloading dependencies before executing the tests. The errors can be simulated like so:
GODEBUG=fips140=only go mod download -x
# get https://proxy.golang.org/github.com/opencontainers/image-spec/@v/v1.1.1.info
# get https://proxy.golang.org/github.com/opencontainers/image-spec/@v/v1.1.1.info: Get "https://proxy.golang.org/github.com/opencontainers/image-spec/@v/v1.1.1.info": crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
...
I ran into the same problem in https://github.com/elastic/elastic-agent/pull/10156 and I had success with explicitly downloading the dependencies before executing the tests. I'm running into a different problem on that PR now; once it's sorted out, I will apply the same approach on this PR here. Moving this PR into draft until then.
MacOS packaging steps are failing in CI like so (this example is from trying to package Agentbeat):
/usr/local/go/pkg/tool/linux_amd64/link: running o64-clang failed: exit status 1
--
| /usr/local/osxcross/bin/o64-clang -arch x86_64 -m64 -Wl,-flat_namespace -Wl,-bind_at_load -Wl,-S -Wl,-x -o $WORK/b001/exe/a.out -Qunused-arguments /tmp/go-link-387501915/go.o /tmp/go-link-387501915/000000.o /tmp/go-link-387501915/000001.o /tmp/go-link-387501915/000002.o /tmp/go-link-387501915/000003.o /tmp/go-link-387501915/000004.o /tmp/go-link-387501915/000005.o /tmp/go-link-387501915/000006.o /tmp/go-link-387501915/000007.o /tmp/go-link-387501915/000008.o /tmp/go-link-387501915/000009.o /tmp/go-link-387501915/000010.o /tmp/go-link-387501915/000011.o /tmp/go-link-387501915/000012.o /tmp/go-link-387501915/000013.o /tmp/go-link-387501915/000014.o /tmp/go-link-387501915/000015.o /tmp/go-link-387501915/000016.o /tmp/go-link-387501915/000017.o /tmp/go-link-387501915/000018.o /tmp/go-link-387501915/000019.o /tmp/go-link-387501915/000020.o /tmp/go-link-387501915/000021.o /tmp/go-link-387501915/000022.o /tmp/go-link-387501915/000023.o /tmp/go-link-387501915/000024.o /tmp/go-link-387501915/000025.o /tmp/go-link-387501915/000026.o /tmp/go-link-387501915/000027.o /tmp/go-link-387501915/000028.o /tmp/go-link-387501915/000029.o /tmp/go-link-387501915/000030.o /tmp/go-link-387501915/000031.o /tmp/go-link-387501915/000032.o /tmp/go-link-387501915/000033.o /tmp/go-link-387501915/000034.o /tmp/go-link-387501915/000035.o /tmp/go-link-387501915/000036.o /tmp/go-link-387501915/000037.o /tmp/go-link-387501915/000038.o /tmp/go-link-387501915/000039.o /tmp/go-link-387501915/000040.o /tmp/go-link-387501915/000041.o /tmp/go-link-387501915/000042.o /tmp/go-link-387501915/000043.o /tmp/go-link-387501915/000044.o /tmp/go-link-387501915/000045.o /tmp/go-link-387501915/000046.o -lresolv -lpcap -lpcap -lpcap -lpcap -lproc -framework CoreFoundation -framework Security -lpcap -framework CoreServices -lpcap -lpthread -lpcap -lpcap -lpcap -lpcap -lpcap -lpcap
| Undefined symbols for architecture x86_64:
| "_SecTrustCopyCertificateChain", referenced from:
| _crypto/x509/internal/macos.x509_SecTrustCopyCertificateChain_trampoline.abi0 in go.o
| ld: symbol(s) not found for architecture x86_64
| clang: error: linker command failed with exit code 1 (use -v to see invocation)
|
| Error: running "go build -o build/golang-crossbuild/agentbeat-darwin-amd64 -buildmode pie -trimpath -tags=agentbeat -ldflags -s -X github.com/elastic/beats/v7/libbeat/version.buildTime=2025-09-26T23:08:11Z -X github.com/elastic/beats/v7/libbeat/version.commit=cf79447dfa4d2753c13a26766f8b25995a2062fe" failed with exit code 1
| Error: failed building for darwin/amd64: exit status 1
| failed building for darwin/amd64: exit status 1
From https://go.dev/doc/go1.25#darwin:
As announced in the Go 1.24 release notes, Go 1.25 requires macOS 12 Monterey or later. Support for previous versions has been discontinued.
And it looks like we're still using either the 10.11 or 11.3 MacOS SDK in golang-crossbuild images.
This pull request is now in conflicts. Could you fix it? 🙏 To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/
git fetch upstream
git checkout -b bump-golang-1.25.1 upstream/bump-golang-1.25.1
git merge upstream/main
git push upstream bump-golang-1.25.1
Hi @khushijain21, one of the test failures in this PR is TestProxyHTTP/when_http/s_proxy_url_is_set. It is failing like so:
=== NAME TestProxyHTTP/when_http/s_proxy_url_is_set
logger.go:146: 2025-10-31T17:04:25.725-0700 DEBUG Request failed. {"reason": "tls: first record does not look like a TLS handshake"}
logger.go:146: 2025-10-31T17:04:30.098-0700 ERROR bulk indexer flush error {"error": "failed to execute the request: tls: first record does not look like a TLS handshake"}
logger.go:146: 2025-10-31T17:04:30.098-0700 ERROR Exporting failed. Dropping data. {"error": "failed to execute the request: tls: first record does not look like a TLS handshake", "dropped_items": 1}
logger.go:146: 2025-10-31T17:04:30.098-0700 ERROR Exporting failed. Rejecting data. {"error": "failed to execute the request: tls: first record does not look like a TLS handshake", "rejected_items": 1}
beatsauth_test.go:642:
Error Trace: /Users/shaunak/development/github/beats/libbeat/otelbeat/oteltest/beatsauth_test.go:642
Error: Received unexpected error:
failed to execute the request: tls: first record does not look like a TLS handshake
Test: TestProxyHTTP/when_http/s_proxy_url_is_set
Messages: error sending logs
--- FAIL: TestProxyHTTP (10.22s)
Could you help me figure out where this error is coming from, please? You can reproduce this test failure in isolation by checking out this PR, and running:
GODEBUG=fips140=only go test ./libbeat/otelbeat/oteltest/... -test.run "TestProxyHTTP/when_http/s_proxy_url_is_set" -test.v
I think what is curious here is the failing auditbeat test is exactly the case the RemoveAll bug fix in Go 1.25.4 should correct - it explicitly creates a read-only file, and then automatically deleting it in the test Cleanup call fails.
https://github.com/elastic/beats/blob/474109e34c65b86be1b77d1adb4e13c1dc71d4de/auditbeat/module/file_integrity/fileinfo_windows_test.go#L35-L55
This test case is pretty simple as a reproducer if we wanted to ask upstream about it.
The other option is we aren't actually building with Go 1.25.4 even though it looks like we should be.
The auditbeat\build\TEST-go-unit.out.json artifact in Buildkite claims it's using 1.25.4.