Fix trixie FIPS Go package: correct version and robust changelog update#84

Closed
sigabrtv1-ui wants to merge 1 commit into sonic-net:main from sigabrtv1-ui:fix/trixie-golang-version

Conversation

@sigabrtv1-ui

Description

The trixie FIPS Go package published to packages.trafficmanager.net is currently the stock Debian golang without sonic-fips patches applied. This PR fixes the build so patches are correctly applied.

Root Cause

GOLANG_VERSOIN in rules/golang.mk was set to 1.24~2, but the golang-debian submodule (82620eaf) has changelog version 1.24.4-1. The sed command in src/golang/Makefile:

sed -i "s/1.24~2/1.24~2+fips/" debian/changelog

silently fails because 1.24~2 does not appear in the changelog. As a result:

  • The +fips version suffix is never added
  • The produced .deb is version 1.24.4-1 (indistinguishable from stock Debian)

Changes

  1. rules/golang.mk: Update GOLANG_VERSOIN from 1.24~2 to 1.24.4-1 to match the actual debian changelog version
  2. src/golang/Makefile: Use dpkg-parsechangelog --show-field Version instead of hardcoded $(GOLANG_VERSOIN) for robust version detection, preventing this class of bug when the debian submodule is updated

Impact

Without this fix, all Go binaries in trixie containers are missing:

  • sonic_fips=1 detection in /proc/cmdline (Go only checks /proc/sys/crypto/fips_enabled)
  • symcryptprovider as the FIPS provider name (Go looks for "fips" instead)
  • OPENSSL_init_crypto(INIT_LOAD_CONFIG) call (OpenSSL config not loaded)

This causes fips/test_fips.py failures in sonic-buildimage CI for any trixie container with Go binaries (e.g., gnmi container migration in sonic-net/sonic-buildimage#25957).

Verification

After this fix, the built package should:

  • Have version 1.24.4-1+fips (with +fips suffix)
  • Contain the patched hostfips.go with sonic_fips=1 detection
  • Contain the patched openssl.go with symcryptprovider name

# Verify the built deb
dpkg-deb -x golang-1.24-go_1.24.4-1+fips_amd64.deb /tmp/verify/
grep sonic_fips /tmp/verify/usr/share/go-1.24/src/crypto/internal/backend/hostfips.go
grep symcryptprovider /tmp/verify/usr/share/go-1.24/src/vendor/github.com/golang-fips/openssl/v2/openssl.go

Follow-up needed

After this PR merges and the packages are republished, sonic-buildimage needs a corresponding update in rules/sonic-fips.mk to change the trixie FIPS_GOLANG_VERSION from 1.24.4-1 to 1.24.4-1+fips.

Fixes #83

@mssonicbld (Contributor)

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

The GOLANG_VERSOIN variable was set to '1.24~2' but the golang-debian
submodule changelog has version '1.24.4-1'. This caused the sed command
in src/golang/Makefile to silently fail:
  sed -i 's/1.24~2/1.24~2+fips/' debian/changelog
Since '1.24~2' doesn't appear in the changelog, the +fips suffix was
never added, and the published package was effectively stock Debian Go
without sonic-fips patches (sonic_fips detection, symcryptprovider).

Fixes:
1. Update GOLANG_VERSOIN to match actual debian changelog version
2. Use dpkg-parsechangelog in Makefile for robust version detection,
   preventing this class of bug when the debian submodule is updated

This fixes FIPS test failures (fips/test_fips.py) for trixie containers
with Go binaries, where the telemetry process doesn't load symcrypt
because the Go runtime can't detect SONiC FIPS mode.

Fixes: sonic-net#83
Signed-off-by: Dawei Huang <daweihuang@microsoft.com>
@sigabrtv1-ui force-pushed the fix/trixie-golang-version branch from fcc0d2b to d271ec5 on March 27, 2026 05:09
@mssonicbld (Contributor)

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@sigabrtv1-ui (Author)

Closing — sonic-net/sonic-buildimage#26431 addresses the FIPS Go issue from the sonic-buildimage side.

Development

Successfully merging this pull request may close these issues.

Trixie FIPS Go package missing sonic-fips patches (sonic_fips detection, symcryptprovider)

3 participants