X509 certificate validation more strict in golang 1.25.2

To: Debian Go Packaging Team <debian-go@lists.debian.org>

Subject: X509 certificate validation more strict in golang 1.25.2

From: Reinhard Tartler <siretart@gmail.com>

Date: Sun, 12 Oct 2025 09:31:42 -0400

Message-id: <[🔎] CAJ0ccearyPBvJVGyqJjqiqrrWDfX+w-bDvSNS4P+w0+QbeCEuA@mail.gmail.com>

Dear fellow Debian Golang Packagers,

I am writing to give you a heads-up about a subtle change in Golang 1.25.2 that makes X.509 certificate verification more strict in the `crypto/x509` package, which is part of the standard library. The change in question is https://github.com/golang/go/commit/3fc4c79fdbb17b9b29ea9f8c29dd780df075d4c4 and I expect it to break rebuilds of several golang packages in Debian.

Specifically, the DNS in the X.509v3 Subject Alternative Name can no longer be empty (cf. https://github.com/etcd-io/etcd/pull/20775#issuecomment-3385325872). This change caused #1117747. I have also seen a similar issue when rebuilding `sigstore-go`, and I plan to file a proper bug report later.

I hope this heads-up saves valuable time for others who are surprised by test failures containing the error: "x509: SAN rfc822Name is malformed".

Best regards,

Reinhard

regards,
Reinhard

Reply to: