34 changes: 33 additions & 1 deletion .github/workflows/ci.yml
Expand Up @@ -22,10 +22,17 @@ jobs:
os: [ubuntu-latest, macos-latest]
# Earliest and latest supported
rubyVersion: ["3.3", "4.0"]

# Opt-in FIPS build (aws-lc-rs); Linux only, the aws-lc-rs FIPS toolchain is not exercised on macOS.
fips: [false, true]

exclude:
- os: macos-latest
fips: true

include:
- os: ubuntu-latest
rubyVersion: "4.0"
fips: false
checkTarget: true
docsTarget: true
runs-on: ${{ matrix.os }}
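Review bot: the `include` entry now attaches `checkTarget`/`docsTarget` only to the `ubuntu-latest` / `"4.0"` / `fips: false` leg, so lint and docs checks never run against the FIPS build; if that is intended, say so in the comment above `fips: [false, true]`, and note there that the matrix now runs two Linux legs per Ruby version, since the `exclude` block only drops the macOS FIPS legs.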
Expand Down Expand Up @@ -79,12 +86,37 @@ jobs:
run: |
bundle exec rake proto:check_generated

- name: Assert FIPS build links the validated aws-lc-rs module and not ring
if: ${{ matrix.fips }}
working-directory: ./temporalio
run: |
fips_tree() {
cargo tree -p temporalio_bridge --no-default-features --features fips -i "$1" 2>/dev/null
}

# The FIPS 140-3 validated module must actually be linked.
if [ -z "$(fips_tree aws-lc-fips-sys)" ]; then
echo "::error::aws-lc-fips-sys is absent from the FIPS dependency tree — the FIPS-validated module is not linked"
exit 1
fi
echo "aws-lc-fips-sys is present in the FIPS dependency tree"

# ring (non-FIPS) must not be linked.
if [ -n "$(fips_tree ring)" ]; then
echo "::error::ring is present in the FIPS dependency tree — TLS is not fully aws-lc-rs backed"
exit 1
fi
echo "ring is absent from the FIPS dependency tree"

- name: Lint, compile, test Ruby
working-directory: ./temporalio
# Timeout just in case there's a hanging part in rake
timeout-minutes: 20
# Set env vars for cloud tests. If secrets aren't present, tests will be skipped.
env:
# Selects the FIPS-mode aws-lc-rs crypto backend for the `fips: true` matrix legs.
TEMPORALIO_FIPS: ${{ matrix.fips && '1' || '' }}

# For mTLS tests
TEMPORAL_CLOUD_MTLS_TEST_TARGET_HOST: ${{ vars.TEMPORAL_CLIENT_NAMESPACE }}.tmprl.cloud:7233
TEMPORAL_CLOUD_MTLS_TEST_NAMESPACE: ${{ vars.TEMPORAL_CLIENT_NAMESPACE }}
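Review bot: `2>/dev/null` inside `fips_tree()` hides the reason when `cargo tree` itself fails (wrong package or feature name, cargo missing from PATH), so the first check then reports "aws-lc-fips-sys is absent" instead of the real error; for that check drop the redirect or capture the exit status, e.g. `out=$(cargo tree -p temporalio_bridge --no-default-features --features fips -i aws-lc-fips-sys) || { echo "::error::cargo tree failed"; exit 1; }`, and keep the silent empty-output test only for the `ring` case, where a no-match error from `cargo tree -i` is the expected outcome. A comment that the `--features fips` used here and the `TEMPORALIO_FIPS: ${{ matrix.fips && '1' || '' }}` env in the next step must keep selecting the same backend would also help future edits.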
20 changes: 20 additions & 0 deletions README.md
Expand Up @@ -1348,6 +1348,23 @@ section for how to build a the repository.
The SDK works on Ruby 3.2+, but due to [an issue](https://github.com/temporalio/sdk-ruby/issues/162), fibers (and
`async` gem) are only supported on Ruby versions 3.3 and newer.

### FIPS Compliance (Beta)

> **NOTE**: FIPS support is in **Beta**. It is opt-in, source-build only, and currently exercised on Linux only.

FIPS 140-3 compliant cryptography is available as an **opt-in source build**. The published gems are **not** FIPS
compliant — they use the `ring` backend, which is not FIPS-validated. Because the crypto backend is chosen at compile
time, FIPS cannot be enabled on a precompiled platform gem: you must build the native extension yourself with
`TEMPORALIO_FIPS=1`. When set, the build:

* Selects [`aws-lc-rs`](https://github.com/aws/aws-lc-rs) in FIPS mode (AWS-LC's FIPS 140-3 validated module) for the
gRPC client and OTLP metric exporter, in place of `ring`.
* Hashes the default worker build id with `Digest::SHA256` instead of MD5, which FIPS-mode OpenSSL rejects.

To produce an installable FIPS gem for your platform:

TEMPORALIO_FIPS=1 bundle exec rb-sys-dock --platform x86_64-linux --ruby-versions 3.4 --build

### Migration from Coinbase Ruby SDK

The [Coinbase Ruby SDK](https://github.com/coinbase/temporal-ruby) predates this official Temporal SDK and has been a
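Review bot: the second bullet implies that the default worker build id for identical code differs between a FIPS build (`Digest::SHA256`) and a non-FIPS build (MD5); state that consequence explicitly, because anyone relying on the default build id for worker versioning will see FIPS and non-FIPS workers disagree. Also, "FIPS 140-3 compliant cryptography is available" overstates the scope the section itself describes: only the gRPC client and OTLP metric exporter move to the validated `aws-lc-rs` module, so "uses the FIPS 140-3 validated AWS-LC module for the gRPC client and OTLP metric exporter" is the more precise wording.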
Expand Down Expand Up @@ -1411,6 +1428,9 @@ not work for other Ruby versions or other OS/arch combinations. For that, see "B
**NOTE**: This is not `compile:dev` because debug-mode in Rust has
[an issue](https://github.com/rust-lang/rust/issues/34283) that causes runtime stack size problems.

**NOTE**: Set `TEMPORALIO_FIPS=1` before compiling to build with the FIPS-mode `aws-lc-rs` crypto backend. See the
[FIPS Compliance](#fips-compliance-beta) section.

To lint, build, and test:

bundle exec rake
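Review bot: the new NOTE does not say which command `TEMPORALIO_FIPS=1` must be set for; since the preceding paragraph is about the `compile` task (it contrasts it with `compile:dev`), spell it out as a runnable line, e.g. `TEMPORALIO_FIPS=1 bundle exec rake compile`, mirroring the `rb-sys-dock` example in the FIPS Compliance section.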