Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
GitHub is where the world builds software
Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.
crypto/x509: TestSystemRoots failing when keychain contains expired or untrusted certificates #29497
What version of Go are you using (
Thanks for reporting this.
The problem here is a compound issue: the no-cgo path lets in certificates that are in the root store, not marked as roots themselves, and signed by a root (because the hack we use to validate roots does not allow us to distinguish them from real roots); the cgo path correctly excludes them. The test which compares cgo and no-cgo results tries to ignore them by ignoring certificates which pass validation, but being expired breaks that.
I will try again to think about how to fix the underlying issue, and otherwise add hacks to the test.