Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: contradictory Mac OS X version requirements #17732

Closed
AxbB36 opened this issue Nov 1, 2016 · 5 comments
Closed

crypto/x509: contradictory Mac OS X version requirements #17732

AxbB36 opened this issue Nov 1, 2016 · 5 comments

Comments

@AxbB36
Copy link

@AxbB36 AxbB36 commented Nov 1, 2016

What version of Go are you using (go version)?

Trying to compile go1.7.3 using go1.4.3 as bootstrap.

What operating system and processor architecture are you using (go env)?

Running on linux/386 but compiling for darwin/386.

What did you do?

export GOROOT_BOOTSTRAP=~/build/go1.4
# Go's CC_FOR_TARGET only allows a command name, not a command with arguments.
# https://github.com/golang/go/issues/15457
CC_FOR_TARGET="$(pwd)/cc-for-target"
echo "#!/bin/sh" > "$CC_FOR_TARGET"
echo "exec $CC -isysroot $HOME/build/MacOSX10.7.sdk -std=gnu99 \"\$@\"" >> "$CC_FOR_TARGET"
chmod +x "$CC_FOR_TARGET"
export GOPATH="$HOME/go"
export GOOS=darwin
export GOARCH=386
cd go/src
CGO_ENABLED=1 CC_FOR_TARGET="$CC_FOR_TARGET" CC= CFLAGS= LDFLAGS= ./make.bash

What did you expect to see?

Installed Go for darwin/386 in /home/debian/build/go
Installed commands in /home/debian/build/go/bin

What did you see instead?

# crypto/x509
crypto/x509/root_cgo_darwin.go: In function 'FetchPEMRoots':
crypto/x509/root_cgo_darwin.go:114: error: 'SecCertificateCopyNormalizedSubjectContent' is unavailable (declared at /home/debian/build/MacOSX10.7.sdk/System/Library/Frameworks/Security.framework/Headers/SecCertificate.h:460)
crypto/x509/root_cgo_darwin.go:119: error: 'SecCertificateCopyNormalizedIssuerContent' is unavailable (declared at /home/debian/build/MacOSX10.7.sdk/System/Library/Frameworks/Security.framework/Headers/SecCertificate.h:443)

A little background: this came up while trying to cross-compile Go 1.7.3 from Debian wheezy to Mac, as part of the deterministic build process of Tor Browser: https://bugs.torproject.org/20023#comment:8. We previously were using Go 1.6.3, built against the Mac OS X 10.6 SDK. Because Go 1.7.3 now uses some SDK 10.7+ functions, we started building against this copy of the 10.7 SDK. We need the Go upgrade because Go 1.7 has some fixes for macOS Sierra that aren't in Go 1.6.3.

I'm aware that Mac OS X 10.7 isn't a supported platform (per #16625 (comment), which has the same error message as this ticket). But a tiny change to the source code makes this build work for me. root_cgo_darwin.go has the CFLAGS build constraint:

#cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060

If I just delete the -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060 part, then the build succeeds for me.

As written, the build constraint doesn't seem to make sense. -mmacosx-version-min=10.6 means "≥10.6", and -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060 means "≤10.6", the intersection of which is just "10.6". That can't be what's intended. Maybe the author meant -D__MAC_OS_X_VERSION_MIN_REQUIRED=1060 instead? But even that can't be right, because the functions used in root_cgo_darwin.go, SecCertificateCopyNormalizedIssuerContent and SecCertificateCopyNormalizedSubjectContent, are documented to be "macOS 10.7+".

The root_cgo_darwin.go code that uses these functions first appeared in Go 1.7: #14514, https://golang.org/cl/20351.

The error message error: '<identifier>' is unavailable comes from macro annotations that interact with MAC_OS_X_VERSION_MIN_REQUIRED and MAC_OS_X_VERSION_MAX_ALLOWED. For example, SecCertificateCopyNormalizedIssuerContent is annotated __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA). I don't know why the build doesn't fail when building natively with an 10.7+ SDK; maybe the the __MAC_OS_X_VERSION_MAX_ALLOWED gets overridden somehow.

A MacPorts ticket ran into the same issue:

This issue seems to be caused by line 10 of src/crypto/x509/root_cgo_darwin.go file, which appears as:
#cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060

The value of 1060 for __MAC_OS_X_VERSION_MAX_ALLOWED represents OSX 10.6, which conflicts with compiling it on lion. Removing this restriction allows successful compilation.

I didn't research beyond just getting it to build on my box -- but from the look of it, I don't understand how it could be compiled anywhere.

My main questions on this issue are:

  • Am I right that the root_cgo_darwin.go CFLAGS build constraint is strange, or is there a reason for its being the way it is? Is the workaround of deleting -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060 safe?
  • If this is the only impediment, does 10.7 become a supported platform again? Or should we begin migrating to a 10.8 SDK? (Go would be the only component of Tor Browser that requires 10.8+.)
@josharian josharian changed the title Contradictory Mac OS X version requirements in src/crypto/x509/root_cgo_darwin.go crypto/x509: contradictory Mac OS X version requirements Nov 2, 2016
@josharian josharian added this to the Go1.8 milestone Nov 2, 2016
@josharian
Copy link
Contributor

@josharian josharian commented Nov 2, 2016

@bradfitz
Copy link
Contributor

@bradfitz bradfitz commented Nov 2, 2016

That build constraint may be wrong. I can remove it and see if things pass on the builders.

But we have no intention of making 10.7 supported again. We don't run builders for it. There's even talk of dropping 10.8 support (https://groups.google.com/d/msg/golang-dev/5DMm7lBDAqY/hlTg3cQUBwAJ) and making 10.9 the minimum requirement.

You're of course welcome to carry your own patches, but having a giant testing matrix has a real cost and/or slows down the project, so we have to unsupported platforms over time, especially as Apple drops support as well.

@bradfitz bradfitz added the OS-Darwin label Nov 2, 2016
@gopherbot
Copy link

@gopherbot gopherbot commented Nov 2, 2016

CL https://golang.org/cl/32580 mentions this issue.

@bradfitz
Copy link
Contributor

@bradfitz bradfitz commented Nov 3, 2016

@AxbB36, does changing -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060 to -D__MAC_OS_X_VERSION_MAX_ALLOWED=1080 fix the problem for you? Please confirm, and then we'll submit https://golang.org/cl/32580

@AxbB36
Copy link
Author

@AxbB36 AxbB36 commented Nov 4, 2016

@bradfitz, yes, -D__MAC_OS_X_VERSION_MAX_ALLOWED=1080 works for me.

@gopherbot gopherbot closed this in dd1e7b3 Nov 4, 2016
arlolra pushed a commit to arlolra/tor-browser-bundle that referenced this issue Nov 17, 2016
Go 1.7 has a necessary fix for macOS Sierra that is not in Go 1.6.3 or
earlier:
golang/go@2da5633
meek was unstable on macOS Sierra when compiled with Go 1.4.3 or 1.6.3.
Reported by tordevSZ0: https://bugs.torproject.org/20250.

We need to use the Mac OS X 10.7 SDK (not 10.6) to build Go 1.7 and
later:
https://bugs.torproject.org/20023#comment:6

We add -std=gnu99 to CFLAGS when building Go. A piece of new C code uses
c99 features. Other code uses "asm", which requires gnu99.
https://bugs.torproject.org/20023#comment:6
https://trac.macports.org/ticket/52506

We hack one of the source files with sed to remove -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060,
which otherwise causes the build to fail, thinking a couple of functions
are unavailable.
golang/go#17732
lancerajee pushed a commit to lancerajee/tor-browser-bundle that referenced this issue Mar 9, 2017
Go 1.7 has a necessary fix for macOS Sierra that is not in Go 1.6.3 or
earlier:
golang/go@2da5633
meek was unstable on macOS Sierra when compiled with Go 1.4.3 or 1.6.3.
Reported by tordevSZ0: https://bugs.torproject.org/20250.

We need to use the Mac OS X 10.7 SDK (not 10.6) to build Go 1.7 and
later:
https://bugs.torproject.org/20023#comment:6

We add -std=gnu99 to CFLAGS when building Go. A piece of new C code uses
c99 features. Other code uses "asm", which requires gnu99.
https://bugs.torproject.org/20023#comment:6
https://trac.macports.org/ticket/52506

We hack one of the source files with sed to remove -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060,
which otherwise causes the build to fail, thinking a couple of functions
are unavailable.
golang/go#17732
lancerajee pushed a commit to lancerajee/tor-browser-bundle that referenced this issue Mar 9, 2017
Go 1.7 has a necessary fix for macOS Sierra that is not in Go 1.6.3 or
earlier:
golang/go@2da5633
meek was unstable on macOS Sierra when compiled with Go 1.4.3 or 1.6.3.
Reported by tordevSZ0: https://bugs.torproject.org/20250.

We need to use the Mac OS X 10.7 SDK (not 10.6) to build Go 1.7 and
later:
https://bugs.torproject.org/20023#comment:6

We add -std=gnu99 to CFLAGS when building Go. A piece of new C code uses
c99 features. Other code uses "asm", which requires gnu99.
https://bugs.torproject.org/20023#comment:6
https://trac.macports.org/ticket/52506

We hack one of the source files with sed to remove -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060,
which otherwise causes the build to fail, thinking a couple of functions
are unavailable.
golang/go#17732
@golang golang locked and limited conversation to collaborators Nov 4, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.