Skip to content

encoding/pem: breaking change upgrading to Go 1.25.3 from 1.25.1 #76124

Closed as duplicate of#75950
Closed as duplicate of#75950
encoding/pem: breaking change upgrading to Go 1.25.3 from 1.25.1#76124
Labels
BugReportIssues describing a possible bug in the Go implementation.NeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Backlog
@Skarlso

Description

@Skarlso
Skarlso
opened on Oct 31, 2025

Go version

go 1.25.3

Output of go env in your module/workspace:

AR='ar'
CC='clang'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='clang++'
GCCGO='gccgo'
GO111MODULE=''
GOARCH='arm64'
GOARM64='v8.0'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/Users/skarlso/Library/Caches/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/Users/skarlso/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/ql/h53l60311zdfx8xy38kwzgh00000gn/T/go-build4089838201=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD='/Users/skarlso/goprojects/kubernetes/external-secrets/go.mod'
GOMODCACHE='/Users/skarlso/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/skarlso/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/skarlso/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.25.3'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you do?

There was a commit on pem package here: https://cs.opensource.google/go/go/+/90f72bd5001d0278949fab0b7a40f7d8c712979b

I couldn't find this patch in this repository but this patch broke the way pem encoding works and is not backwards compatible.

Previously this pem:

			name: "begin/end with junk",
			args: args{
				// pem.Decode trims junk from the beginning of the input
				// so we are able to decode both cert & key
				input:   "some junk" + certData + keyData + "some ---junk---",
				pemType: filterPrivateKey,
			},
			want: keyData,

Worked. After upgrading from go 1.25.1 to 1.25.3 this test suddenly broke with left over:

some junk-----BEGIN CERTIFICATE-----
MIIDHTCCAgWgAwIBAgIRAKC4yxy9QGocND+6avTf7BgwDQYJKoZIhvcNAQELBQAw
....

Basically it failed to parse it.

What did you see happen?

The test broke.

What did you expect to see?

I don't care if the attached patch is supposed to fix this behavior ( I don't think so? ) this was supposed to be a patch version. :) But apparently, it broke this contract.

Metadata

Metadata

Assignees

No one assigned

    Labels

    BugReportIssues describing a possible bug in the Go implementation.NeedsInvestigationSomeone must examine and confirm this is a valid issue and not a duplicate of an existing one.

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions