cmd/go: MacOS binaries invalid for eventual Apple Notary #30488

Open
macetw opened this Issue Feb 28, 2019 · 30 comments

Comments

Projects
None yet
7 participants
@macetw
Copy link

macetw commented Feb 28, 2019

What version of Go are you using (go version)?

1.12

Does this issue reproduce with the latest release?

Yes. (1.12)

What operating system and processor architecture are you using (go env)?

go env Output
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/macet/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/macet/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/9v/6zqn9ncn39x63s0j25sqh7z00000gn/T/go-build033883546=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

I applied my executable for an Apple Notary, required for release with the App Store on MacOS 10.14. Apple Notary gives users the assurance that their application is safe, but binaries must have the notary approval "stapled" to their .app. Apple Notary requirements include the "runtime" option with a code signature and the MacOS SDK being "10.9" or newer. This is seen with "otool -l." With Go, binaries are "10.7" based.

Here is the result of submission to Apple, presented in JSON format:
{"severity": "error", "code": null, "path": "mygobasedapplication.dmg/my/go/based/application", "message": "The binary uses an SDK older than the 10.9 SDK.", "docUrl": null}

What did you expect to see?

  version 10.9
      sdk 10.9

What did you see instead?

% otool -l main | tail -n4
      cmd LC_VERSION_MIN_MACOSX
  cmdsize 16
  version 10.7
      sdk 10.7
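A programmatic version of the otool check above, written as an added example (it is not code from the Go project or from this issue): it decodes the packed sdk field of LC_VERSION_MIN_MACOSX, also accepts the newer LC_BUILD_VERSION that later toolchains emit, and applies the 10.9 floor named in the notary error. The lcVersionMinMacOSX and lcBuildVersion values come from Apple's mach-o/loader.h; the function names and the embedded sample bytes are my own.

```go
package main

import (
	"debug/macho"
	"encoding/binary"
	"fmt"
)

// Load command types from mach-o/loader.h. Both carry a packed SDK version
// (16-bit major, 8-bit minor, 8-bit patch), so 10.7 is 0x000A0700.
const (
	lcVersionMinMacOSX = 0x24 // fields: cmd, cmdsize, version, sdk
	lcBuildVersion     = 0x32 // fields: cmd, cmdsize, platform, minos, sdk, ntools
)
// Version renders a packed Mach-O version as "major.minor.patch".
func Version(v uint32) string {
	return fmt.Sprintf("%d.%d.%d", v>>16, (v>>8)&0xff, v&0xff)
}
// SDKFromLoad returns the SDK field of a raw version load command; ok is
// false when raw is a different command or too short to hold the field.
func SDKFromLoad(raw []byte, bo binary.ByteOrder) (sdk uint32, ok bool) {
	if len(raw) >= 16 && bo.Uint32(raw[0:4]) == lcVersionMinMacOSX {
		return bo.Uint32(raw[12:16]), true
	}
	if len(raw) >= 24 && bo.Uint32(raw[0:4]) == lcBuildVersion {
		return bo.Uint32(raw[16:20]), true
	}
	return 0, false
}
// MeetsNotaryMinimum: SDK >= 10.9, the floor behind the "older than the 10.9 SDK" error.
func MeetsNotaryMinimum(sdk uint32) bool { return sdk >= 10<<16|9<<8 }

// CheckFile reports the SDK version recorded in a Mach-O file and whether it passes.
func CheckFile(path string) (string, bool, error) {
	f, err := macho.Open(path)
	if err != nil {
		return "", false, err
	}
	defer f.Close()
	for _, l := range f.Loads {
		if sdk, ok := SDKFromLoad(l.Raw(), f.ByteOrder); ok {
			return Version(sdk), MeetsNotaryMinimum(sdk), nil
		}
	}
	return "", false, fmt.Errorf("%s: no version load command", path)
}

func main() {
	// Constructed sample: the 10.7/10.7 LC_VERSION_MIN_MACOSX from the issue's otool output (little-endian).
	sample := []byte{0x24, 0, 0, 0, 16, 0, 0, 0, 0, 7, 10, 0, 0, 7, 10, 0}
	sdk, _ := SDKFromLoad(sample, binary.LittleEndian)
	fmt.Printf("sdk %s, notarizable=%v\n", Version(sdk), MeetsNotaryMinimum(sdk)) // sdk 10.7.0, notarizable=false
}
```

Point CheckFile at a real binary to get the same verdict Apple's notary service would give for the SDK requirement alone.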
macetw commented Mar 1, 2019

This is an update on top of issue #12941

For Apple documentation of this, see:
Url: https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues
Section: "Use the macOS 10.9 SDK or Later"

randall77 commented Mar 1, 2019

Is there anything we need to do other than change the constant?

bradfitz added this to the Go1.13 milestone Mar 1, 2019

cherrymui commented Mar 1, 2019

This is set in the linker
https://go.googlesource.com/go/+/refs/heads/master/src/cmd/link/internal/ld/macho.go#665

It seems this is set to the minimum version Go required at the time this code was written.

macetw commented Mar 1, 2019

At this time, I don't have full proof that this is the only change, but based on other evidence we have from a suite of binaries submitted, this is the only change: to change that constant in macho.go.

There are other requirements for Apple Notary, but those requirements fall outside of the scope of the compiler. They are more around the codesign step. Go binaries can be signed like any other binary.

networkimprov commented Mar 1, 2019

Seems like a back-port candidate?

macetw commented Mar 1, 2019

@networkimprov yes, this is viable for back-port also. I'm so far unfamiliar with how I would approach that.

ianlancetaylor commented Mar 1, 2019

@gopherbot please open backport issues

gopherbot commented Mar 1, 2019

Backport issue(s) opened: #30525 (for 1.11), #30526 (for 1.12).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

macetw commented Mar 12, 2019

I plan to submit code changes for this, including the backports.

macetw commented Mar 12, 2019

How can I be recognized as the "assignee?"

macetw commented Mar 12, 2019

Also, how can we recognize this no longer as "Needs Investigation?"

macetw commented Mar 12, 2019

Haha. I just get @randall77 to do all my work. Thank you, Keith!

networkimprov commented Mar 12, 2019

Gopherbot listens for commands re label manipulation, e.g.

@gopherbot add NeedsFix

Someone pls refresh my memory re the delete/drop command...

networkimprov commented Mar 12, 2019

Can this patch provide a script to pull the version string from a canonical source, if networking is available?

macetw commented Mar 12, 2019

@networkimprov help me understand your question.
Those "10.7" or "10.9" (or whatever) version numbers (not strings) are in linked binaries. They do not appear in source.

macetw commented Mar 12, 2019

At this time, I have a "No Contributor Agreement on file for user Tyler Mace" error, but I just got one completed this morning (via Autodesk). How long is the lag time for this to take effect? Is there a better forum for this question, other than my issue ticket?

ianlancetaylor commented Mar 12, 2019

@macetw If you configure GitHub such that your e-mail address is @autodesk.com then I think the CLA robot will recognize that you are approved. If you don't want to do that then, if you are willing, I recommend that you sign the personal CLA as well, using the same e-mail address as your GitHub account.

macetw commented Mar 12, 2019

@ianlancetaylor the google-group had both my private email and my corporate email, but in the contrib guide, it was said to use consistent email addresses. (I had already done work as macetw@gmail.com). You're suggesting that I not be consistent, but if that's okay, my employer would actually prefer it if I use my corporate email.

ianlancetaylor commented Mar 12, 2019

@macetw Are you using Gerrit or GitHub (go-review.googlesource.com or github.com)? I believe that Gerrit lets you have multiple e-mail addresses.

If you've already contributed under the e-mail address macetw@gmail.com then I don't know why that would not still work today.

macetw commented Mar 12, 2019

@ianlancetaylor I haven't contributed lines of code yet. I've merely contributed via github issue conversations, like here. I'm new today on the CLA.

networkimprov commented Mar 12, 2019

@macetw I should have written "hex constant".

Seems like its value should be pulled from an online source or config file via //go:generate

randall77 commented Mar 12, 2019

@networkimprov That seems overkill. Just a comment with a web link to where to find a recent number would be fine.

ianlancetaylor commented Mar 12, 2019

@macetw Ah, OK, I got confused when you said you had already done work as macetw@gmail.com. The Google Group is irrelevant here. All that matters is your Gerrit or GitHub identity. It doesn't matter whether that identity is consistent with the Google Group. We just suggest that you use a single Gerrit or GitHub identity for all your contributions. For Gerrit that means a single main e-mail address although I believe that you can add secondary e-mail addresses. So go ahead and use your corporate e-mail address in Gerrit if that is OK with you. Thanks.

networkimprov commented Mar 12, 2019

@randall77 then this issue should be a permanent release-blocker, so it's checked for every release.

randall77 commented Mar 12, 2019

@networkimprov That would be fine. We have a few such issues already, e.g. #12042.

(A //go:generate comment would not run every release anyway, for what it is worth.)

macetw commented Mar 12, 2019

I still have a CLA problem on my corporate email, with git codereview....
% git codereview mail
fatal: remote error: No Contributor Agreement on file for user Tyler Mace tyler.mace@autodesk.com (id=31443)

networkimprov commented Mar 12, 2019

@gopherbot add release-blocker

cherrymui commented Mar 13, 2019

From the document @macetw linked, macOS 10.9 or later is required "because of significant differences in the way code signing works prior to macOS 10.9". So it seems this doesn't need to change very frequently, therefore not necessarily release-blocker on every release.

networkimprov commented Mar 13, 2019

The point is that it should be checked for every release, not that it will change.
