A new release of the Microsoft build of Go is now available for download. For more information about this release and the changes included, see the table below:

As of this release, Go 1.24 is no longer supported, per the Go release policy.

Changes in the Microsoft build of Go 1.26

The 1.26.0-1 release is a major version update, and it includes a few experimental features we are eager to get feedback on. Specifically, if you get a chance, please try to:

• Disable cgo and use the GOEXPERIMENT ms_nocgo_opensslcrypto.
• Use the Microsoft build of Go version rather than the upstream version in your programs. Our version is formatted in a way that we expect to be parsed correctly by existing tools, but let us know if this causes any problems. To do this:
  • Use -ldflags="-ms_upstreamversion=0" in your go build command. When you run go version <your-program>, you should see our toolset’s version.
  • Add ms_version=1 to the GODEBUG environment variable at runtime or configure this setting in your go.mod for compile time. This configures runtime.Version() to return the Microsoft build of Go version string.

As always, please let us know if you encounter a problem or have a question by filing an issue. If you have access to Microsoft internal sites, you can alternatively use one of the channels listed in our internal support documentation such as the Golang Friends group in Teams.

The following is a summary of the Microsoft build of Go 1.26 release notes, emphasizing important changes. To see the canonical release notes doc, visit the full go1.26 release notes Markdown file.

Toolchain

The GOCACHE environment variable now defaults to os.UserCacheDir()/ms-go-build instead of os.UserCacheDir()/go-build. This change removes the possibility of encountering cache conflicts between the Microsoft build of Go and other Go toolchains installed on the same machine.

The buildinfo embedded at build time now includes Microsoft-specific version information in a new microsoft_toolset_version setting. This allows all binaries built by the Microsoft build of Go to be easily identified, including the toolset’s binaries themselves. Along the same lines, we introduced a new GODEBUG runtime setting called ms_version and build-time linker flag -ms_upstreamversion that allow you to use the Microsoft-specific version string in your programs. For more information, see the Additional Features document.

Systemcrypto

Configuration

You can disable systemcrypto at build time by setting the environment variable MS_GO_NOSYSTEMCRYPTO to 1. It’s now the recommended method for disabling systemcrypto when necessary. This feature was backported to 1.25.2-1, so it’s now available in all supported versions of the Microsoft build of Go.

Backends

Windows

Setting the FIPS preference to enabled will no longer cause a panic when the Windows FIPS policy is disabled. The underlying crypto primitives on Windows are always FIPS compliant regardless of FIPS policy, so the panic is unnecessary and has been removed for compatibility with more scenarios.

OpenSSL

Linux binaries compliant with Microsoft internal cryptography policies can now be built without using cgo by setting GOEXPERIMENT=ms_nocgo_opensslcrypto. 🎉 This much-anticipated feature removes a significant limitation the Microsoft internal cryptography policies have historically placed on compliant Go programs. For more information, see No-cgo OpenSSL Backend.

Improved support for the Fedora OpenSSL FIPS provider. See golang-fips/openssl#266.

Darwin

The macOS crypto backend is no longer in preview and is now fully supported. It is enabled by default for builds targeting macOS.

Unlike preview versions of macOS backend support, using this backend doesn’t require cgo.

Supported algorithms

The systemcrypto backends now support many new cryptographic algorithms, curves, key sizes, and TLS groups and suites. See the full go1.26 release notes Markdown file for the list.

TLS settings

The TLS curves X25519 and X25519MLKEM768 can be disabled using the GODEBUG setting ms_tlsx25519=0. This setting may help comply with certain cryptographic policies.

The TLS default settings are now aligned with Microsoft TLS internal policies. This behavior can be disabled using the GODEBUG setting ms_tlsprofile=off. The changes from standard Go TLS default settings are:

• TLS cipher suites using AES-256 are now preferred over those using AES-128.
• TLS cipher suites using CHACHA20_POLY1305 are no longer preferred over AES-GCM cipher suites when the client or server supports hardware acceleration for AES.
• TLS groups supported by the systemcrypto backends are now preferred over those that are not.