cmd/go: go binary not specifying min macOS SDK version (needs 10.9) #35459

Open
andybons opened this issue Nov 8, 2019 · 6 comments

@andybons andybons commented Nov 8, 2019

This is needed to ensure that Apple’s notarization service can check that the go binary is using (at minimum) the 10.9 SDK.

$ codesign -dvv /usr/local/go/bin/go
Executable=/usr/local/go/bin/go
Identifier=go
Format=Mach-O thin (x86_64)
CodeDirectory v=20200 size=116482 flags=0x0(none) hashes=3636+2 location=embedded
Library validation warning=OS X SDK version before 10.9 does not support Library Validation
Signature size=9042
Authority=Developer ID Application: Google, Inc. (EQHXZ8M8AV)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Oct 31, 2019 at 7:23:46 PM
Info.plist=not bound
TeamIdentifier=EQHXZ8M8AV
Sealed Resources=none
Internal requirements count=1 size=164

Notice Library validation warning=OS X SDK version before 10.9 does not support Library Validation

The SDK is not properly specified in the go binary:

$ otool -l /usr/local/go/bin/go | grep -B1 -A3 MIN_MACOS
Load command 5
      cmd LC_VERSION_MIN_MACOSX
  cmdsize 16
  version 10.10
      sdk n/a

All other binaries built with the toolchain have the correct values:

$ otool -l /usr/local/go/pkg/tool/darwin_amd64/vet | grep -B1 -A3 MIN_MACOS
Load command 5
      cmd LC_VERSION_MIN_MACOSX
  cmdsize 16
  version 10.9
      sdk 10.9

The fix for this will likely need to be backported. Hopefully it’s simple. 🤞

Related issues:

@andybons andybons added this to the Go1.14 milestone Nov 8, 2019
@andybons andybons self-assigned this Nov 8, 2019

@andybons andybons commented Nov 12, 2019

It seems that we want to specify the -mmacosx-version-min when compiling the go binary.

#18400 is related.

@andybons andybons commented Nov 13, 2019

The fact that the SDK isn’t specified in the Mach-O headers makes me wonder if the Xcode toolchain we’re using to compile cgo binaries at release time may need to be updated. When I build the toolchain on a darwin-amd64-10_11 machine, I get the same results, while when I build the toolchain locally, I get:

$ otool -l ../bin/go | grep -B1 -A3 MIN_MAC
Load command 5
      cmd LC_VERSION_MIN_MACOSX
  cmdsize 16
  version 10.10
      sdk 10.15

When running xcode-select -p on the gomote builder I get /Library/Developer/CommandLineTools while when I run it locally, I get /Applications/Xcode.app/Contents/Developer. It may be that without the full Xcode install, we won’t get the SDK version set because we don’t have the SDK installed. Yay.

@cagedmantis @toothrot @dmitshur.

@networkimprov networkimprov commented Nov 13, 2019

@eliasnaur eliasnaur commented Nov 13, 2019

If the Go linker detects a load command in an external .o file, it will use that. We can't just pass -mmacosx-version-min to CC, because the load commands for macOS, iOS etc. are mutually exclusive.

In internal linking mode, the Go linker sets a default LC_VERSION_MIN_MACOSX version. The version was bumped to 10.9 in https://go-review.googlesource.com/c/go/+/175918/.

Perhaps it's enough to update/fix the toolchain used to build Go release. However, we could also expand the linker check above ("machoPlatform == 0") to trigger when the version and sdk are less than 10.9 in external linking mode. If you do that, please keep my https://go-review.googlesource.com/c/go/+/206337 in mind to only use the macOS load command for macOS binaries.
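
An added example, not code from the Go project or from any commenter: a release-time check that reads the same LC_VERSION_MIN_MACOSX fields otool prints above and flags an sdk field that is unset or below 10.9. The names minMacOS, sdkOK and sample are hypothetical, the 10.9 threshold is the one this issue asks for, and the Mach-O image is constructed inline.

```go
package main

import (
	"bytes"
	"debug/macho"
	"encoding/binary"
	"fmt"
)

const lcVersionMinMacOSX = 0x24 // LC_VERSION_MIN_MACOSX in <mach-o/loader.h>
// ver is a packed Mach-O version: major in the high 16 bits, then minor, then patch.
type ver uint32
func (v ver) String() string {
	if v == 0 {
		return "n/a" // otool prints a zero field as n/a
	}
	return fmt.Sprintf("%d.%d", uint32(v)>>16, uint32(v)>>8&0xff)
}

// minMacOS returns the version and sdk fields of the LC_VERSION_MIN_MACOSX command.
func minMacOS(image []byte) (version, sdk ver, err error) {
	f, err := macho.NewFile(bytes.NewReader(image))
	if err != nil {
		return 0, 0, err
	}
	for _, l := range f.Loads {
		if raw := l.Raw(); len(raw) >= 16 && f.ByteOrder.Uint32(raw) == lcVersionMinMacOSX {
			return ver(f.ByteOrder.Uint32(raw[8:])), ver(f.ByteOrder.Uint32(raw[12:])), nil
		}
	}
	return 0, 0, fmt.Errorf("no LC_VERSION_MIN_MACOSX load command")
}

// sdkOK reports whether the sdk field is set and at least 10.9 (assumed policy).
func sdkOK(sdk ver) bool { return sdk >= 10<<16|9<<8 }

// sample returns a constructed, header-only x86_64 Mach-O with one load command.
func sample(version, sdk uint32) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.LittleEndian, []uint32{
		0xfeedfacf, 0x01000007, 3, 2, 1, 16, 0, 0, // magic, cpu, subcpu, MH_EXECUTE, ncmds, sizeofcmds, flags, reserved
		lcVersionMinMacOSX, 16, version, sdk, // cmd, cmdsize, version, sdk
	})
	return b.Bytes()
}

func main() {
	v, s, err := minMacOS(sample(0x000a0a00, 0)) // 10.10 and n/a, as in the issue's otool output
	fmt.Println("version", v, "sdk", s, "sdk ok:", sdkOK(s), err)
}
```

To check a real binary, pass the file's bytes to minMacOS in place of sample(...).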

@andybons andybons commented Nov 13, 2019

@ianlancetaylor for cgo.

It may be OK to specify the MACOSX_DEPLOYMENT_TARGET env var when building the toolchain only and not for every cgo binary.

@networkimprov networkimprov commented Nov 13, 2019

cc @thanm
