Chisel is not fips compliant by default #252

@letFunny

Description

Chisel already uses Go > 1.24, which means it could, in theory, run in FIPS-compliant mode in Go (ref). However, if we use GODEBUG=fips140=only, chisel cut panics because the signature verification uses openpgp from x/crypto, which does not use FIPS-compliant algorithms; namely, it uses SHA-1 when validating the public keys, an algorithm disallowed in FIPS 140-3.

I am not an expert in FIPS but, as far as I know, one can use SHA-1 as long as the usage is verified to be FIPS compliant. I can see that PGP has a FIPS-compliant mode, which means it should also be doable for Chisel. The difficulty comes from the fact that there is no available crypto library in Go for PGP which is FIPS compliant out of the box.

We would need to investigate this issue further if we choose to pursue it.
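As an added illustration of the failure mode described above (not Chisel's code), the following Go program probes whether the runtime refuses SHA-1, which is what happens under GODEBUG=fips140=only, and turns the panic into an actionable error before any openpgp call is made. The `preflight` function and its messages are hypothetical; they stand in for a check a command like `chisel cut` could run first.

```go
package main

import (
	"crypto/sha1"
	"errors"
	"fmt"
	"os"
	"strings"
)

// ErrFIPSOnlyMode is returned when the runtime is in fips140=only mode, where
// crypto/sha1 panics and openpgp key validation (which needs SHA-1) cannot run.
var ErrFIPSOnlyMode = errors.New("GODEBUG=fips140=only is set: SHA-1 is disallowed, so openpgp signature verification cannot run")

// sha1Usable reports whether the Go runtime lets us compute a SHA-1 digest.
// Under GODEBUG=fips140=only, crypto/sha1 panics instead of hashing, so the
// probe is wrapped in recover to turn that panic into a boolean.
func sha1Usable() (ok bool) {
	defer func() {
		if r := recover(); r != nil {
			ok = false
		}
	}()
	_ = sha1.Sum([]byte("fips140 probe")) // constructed probe input
	return true
}

// fipsOnlyRequested reports whether the GODEBUG value asks for fips140=only.
// GODEBUG can also come from go.mod or //go:debug directives, so the runtime
// probe above is authoritative; this only sharpens the error message.
func fipsOnlyRequested(godebug string) bool {
	for _, kv := range strings.Split(godebug, ",") {
		if kv == "fips140=only" {
			return true
		}
	}
	return false
}

// preflight decides whether openpgp-based verification may proceed, given the
// probe result and the GODEBUG string (hypothetical pre-check, not Chisel's).
func preflight(sha1OK bool, godebug string) error {
	if sha1OK {
		return nil
	}
	if fipsOnlyRequested(godebug) {
		return ErrFIPSOnlyMode
	}
	return errors.New("SHA-1 unavailable in this runtime; cannot verify openpgp signatures")
}

func main() {
	if err := preflight(sha1Usable(), os.Getenv("GODEBUG")); err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("SHA-1 available; openpgp verification can proceed")
}
```

Run it once normally and once with GODEBUG=fips140=only to see the clean error instead of a stack trace from inside x/crypto.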
