{Name: "x509negativeserial", Package: "crypto/x509", Changed: 23, Old: "1"},
	{Name: "x509seriallength", Package: "crypto/x509", Changed: 23, Old: "1"},
	{Name: "x509sha1", Package: "crypto/x509"},
	{Name: "x509usefallbackroots", Package: "crypto/x509"},
	{Name: "x509usepolicies", Package: "crypto/x509"},
	{Name: "zipinsecurepath", Package: "archive/zip"},
}

//     which indicates an error caused by an insecure SHA1 signature
//  2. the server certificate in response contains a SHA1WithRSA or ECDSAWithSHA1 signature.
//     This indicates that this binary run with the GODEBUG=x509sha1=1 in env
func NewDeprecatedCertificateRoundTripperWrapperConstructor(missingSAN, sha1 *metrics.Counter) func(rt http.RoundTripper) http.RoundTripper {
	return func(rt http.RoundTripper) http.RoundTripper {

	return fmt.Errorf("x509: signature algorithm specifies an %s public key, but have public key of type %T", expectedPubKeyAlgo.String(), pubKey)
}

var x509sha1 = godebug.New("x509sha1")

// checkSignature verifies that signature is a valid signature over signed from
// a crypto.PublicKey.

		package due to a non-default GODEBUG=x509seriallength=...
		setting.

	/godebug/non-default-behavior/x509sha1:events
		The number of non-default behaviors executed by the crypto/x509
		package due to a non-default GODEBUG=x509sha1=... setting.

	/godebug/non-default-behavior/x509usefallbackroots:events
		The number of non-default behaviors executed by the crypto/x509

			serverCert: append(append(sha1ServerCertInter, byte('\n')), caCertInter...), serverKey: serverKey,
			errRegex:                         "x509: cannot verify signature: insecure algorithm SHA1-RSA \\(temporarily override with GODEBUG=x509sha1=1\\)",
			increaseSHA1SignatureWarnCounter: true,
		},
		{
			test:       "server cert signed by an intermediate CA with SHA1 signature",
			clientCA:   caCert,

There is no plan to remove this setting.

### Go 1.18

Go 1.18 removed support for SHA1 in most X.509 certificates,
controlled by the [`x509sha1` setting](/pkg/crypto/x509#InsecureAlgorithmError).
This setting will be removed in a future release, Go 1.22 at the earliest.

### Go 1.10

Go 1.10 changed how build caching worked and added test caching, along

		{SHA1WithRSA, "x509: cannot verify signature: insecure algorithm SHA1-RSA (temporarily override with GODEBUG=x509sha1=1)"},
		{ECDSAWithSHA1, "x509: cannot verify signature: insecure algorithm ECDSA-SHA1 (temporarily override with GODEBUG=x509sha1=1)"},
		{MD2WithRSA, "x509: cannot verify signature: insecure algorithm 1"},
		{-1, "x509: cannot verify signature: insecure algorithm -1"},

			}
		}
	}
}

func TestGoVerify(t *testing.T) {
	// Temporarily enable SHA-1 verification since a number of test chains
	// require it. TODO(filippo): regenerate test chains.
	t.Setenv("GODEBUG", "x509sha1=1")

	for _, test := range verifyTests {
		t.Run(test.name, func(t *testing.T) {
			testVerify(t, test, false)
		})
	}
}

func TestSystemVerify(t *testing.T) {
	if runtime.GOOS != "windows" {

  - `kube-apiserver` defaults the GOGC setting to 63, to approximate go1.17 garbage collection memory performance in heavily loaded API servers