crypto/x509/internal/macos: link errors on ios/arm64 due to missing symbols _SecItemExport and _SecTrustEvaluateWithError #49616

Open
bcmills opened this issue Nov 16, 2021 · 17 comments

Member

@bcmills bcmills commented Nov 16, 2021

ios-arm64-corellium at f041c7e3028545ba39c60d6e20ab9b74c01bbf33

:: Running /bin/bash with args ["bash" "/tmp/workdir-host-ios-arm64-corellium-ios/go/src/make.bash"] and env ["SHELL=/bin/sh" "XPC_FLAGS=0x0" "DYLD_INSERT_LIBRARIES=/usr/lib/pspawn_payload.dylib:/usr/lib/TweakInject.dylib" "TMUX=/tmp//tmux-0/default,132,0" "HOME=/var/root" "GO_BUILDER_ENV=host-ios-arm64-corellium-ios" "SANDBOX_TOKENS=c1bd94996a72965db5823ac10e7459ccbbce059e20ee4152d9bdb34ddecabc09;00;00000000;00000000;00000000;000000000000001c;com.apple.sandbox.executable;01;01000002;0fffffff000054ee;01;/Library:a248e92ac291deec804d9e560eaef74783cf366457936fc3e6130d34d96a62cf;00;00000000;00000000;00000000;000000000000001c;com.apple.sandbox.executable;01;01000002;0fffffff000618a2;01;/Library/MobileSubstrate/DynamicLibraries:3e8bbc2027b091b3cafd0a9984d8638a18b3e629c8e74742aef25894d9c8b54f;00;00000000;00000000;00000000;000000000000001c;com.apple.sandbox.executable;01;01000002;0fffffff00006626;01;/System:fcb11e3fbd53a5a56715b3d49a2803c7f25685efec12787b048c8455ae7c40e4;00;00000000;00000000;00000000;000000000000001c;com.apple.sandbox.executable;00;01000003;0000000000000002;01;/private/var/mnt:e7234a7dd77bbb3ebfbf3cb09706481a1126720066bff5f7ed41a0311ebf1030;00;00000000;00000000;00000000;000000000000001c;com.apple.sandbox.executable;01;01000003;000000000000002e;01;/private/var/mobile/Library:98e3a25a1a068ca7adbfd9c379772de487265a01ace7cfdb48d5f458ffdcf3af;00;00000000;00000000;00000000;0000000000000020;com.apple.app-sandbox.read-write;01;01000003;0000000000000036;01;/private/var/mobile/Library/Preferences" "TERM=screen" "TMUX_PANE=%0" "SHLVL=1" "XPC_SERVICE_NAME=org.golang.builder" "PATH=/var/root/bin:/usr/bin:/bin:/usr/sbin:/sbin" "CC=/var/root/bin/clangwrap" "_=/var/root/go/bin/buildlet" "WORKDIR=/tmp/workdir-host-ios-arm64-corellium-ios" "GO_BUILDER_NAME=ios-arm64-corellium" "GOROOT_BOOTSTRAP=/var/root/go-ios-arm64-bootstrap" "GOBIN=" "TMPDIR=/tmp/workdir-host-ios-arm64-corellium-ios/tmp" "GOCACHE=/tmp/workdir-host-ios-arm64-corellium-ios/gocache" 
"PWD=/tmp/workdir-host-ios-arm64-corellium-ios/go/src"] in dir /tmp/workdir-host-ios-arm64-corellium-ios/go/src

Building Go cmd/dist using /var/root/go-ios-arm64-bootstrap. (devel +694025e74f Tue Oct 6 01:14:39 2020 +0000 ios/arm64)
Building Go toolchain1 using /var/root/go-ios-arm64-bootstrap.
Building Go bootstrap cmd/go (go_bootstrap) using Go toolchain1.
warning: unable to find runtime/cgo.a
Building Go toolchain2 using go_bootstrap and Go toolchain1.
Building Go toolchain3 using go_bootstrap and Go toolchain2.
Building packages and commands for ios/arm64.
# cmd/go
/tmp/workdir-host-ios-arm64-corellium-ios/go/pkg/tool/ios_arm64/link: running /var/root/bin/clangwrap failed: exit status 1
Undefined symbols for architecture arm64:
  "_SecItemExport", referenced from:
      _crypto/x509/internal/macos.x509_SecItemExport_trampoline.abi0 in go.o
  "_SecTrustEvaluateWithError", referenced from:
      _crypto/x509/internal/macos.x509_SecTrustEvaluateWithError_trampoline.abi0 in go.o
ld: symbol(s) not found for architecture arm64
Not signing file
clang-5.0: error: linker command failed with exit code 1 (use -v to see invocation)

# cmd/pprof
/tmp/workdir-host-ios-arm64-corellium-ios/go/pkg/tool/ios_arm64/link: running /var/root/bin/clangwrap failed: exit status 1
Undefined symbols for architecture arm64:
  "_SecItemExport", referenced from:
      _crypto/x509/internal/macos.x509_SecItemExport_trampoline.abi0 in go.o
  "_SecTrustEvaluateWithError", referenced from:
      _crypto/x509/internal/macos.x509_SecTrustEvaluateWithError_trampoline.abi0 in go.o
ld: symbol(s) not found for architecture arm64
Not signing file
clang-5.0: error: linker command failed with exit code 1 (use -v to see invocation)

# cmd/trace
/tmp/workdir-host-ios-arm64-corellium-ios/go/pkg/tool/ios_arm64/link: running /var/root/bin/clangwrap failed: exit status 1
Undefined symbols for architecture arm64:
  "_SecItemExport", referenced from:
      _crypto/x509/internal/macos.x509_SecItemExport_trampoline.abi0 in go.o
  "_SecTrustEvaluateWithError", referenced from:
      _crypto/x509/internal/macos.x509_SecTrustEvaluateWithError_trampoline.abi0 in go.o
ld: symbol(s) not found for architecture arm64
Not signing file
clang-5.0: error: linker command failed with exit code 1 (use -v to see invocation)

go tool dist: FAILED: /tmp/workdir-host-ios-arm64-corellium-ios/go/pkg/tool/ios_arm64/go_bootstrap install -gcflags=all= -ldflags=all= std cmd: exit status 2

greplogs --dashboard -md -l -e '(?m)Undefined symbols for architecture arm64:\n\s*"_SecItemExport"'

Member Author

@bcmills bcmills commented Nov 16, 2021

@rolandshoemaker, @FiloSottile: I suspect that this is closely related to CL 362294 / CL 353403.

Member Author

@bcmills bcmills commented Nov 16, 2021

(This is a release-blocker for Go 1.18 via #11811.)


@bcmills bcmills added this to the Go1.18 milestone Nov 16, 2021
Member Author

@bcmills bcmills commented Nov 16, 2021

(See previously #42459, which also reported a link error for _SecItemExport; CC @cherrymui.)


@bcmills bcmills changed the title crypto/x509/internal/macos: link errors on iOS due to missing symbols _SecItemExport and _SecTrustEvaluateWithError crypto/x509/internal/macos: link errors on ios/arm64 due to missing symbols _SecItemExport and _SecTrustEvaluateWithError Nov 16, 2021

@gopherbot gopherbot commented Nov 16, 2021

Change https://golang.org/cl/363985 mentions this issue: dashboard: remove known issue for iOS and Android builders


gopherbot pushed a commit to golang/build that referenced this issue Nov 16, 2021
The old known issue has been resolved: the builders have
been restarted and are back. That uncovered what appears
to be a recent regression, reported as golang/go#49616.

Also add a new builder owner based on conversation at
https://groups.google.com/g/golang-dev/c/oiuIE7qrWp0.

Updates golang/go#48772.
Updates golang/go#49048.
Updates golang/go#49616.

Change-Id: I7a6a89b7fb088373a70bd3496ad2091ec7a3d79f
Reviewed-on: https://go-review.googlesource.com/c/build/+/363985
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Alexander Rakoczy <alex@golang.org>

@gopherbot gopherbot commented Nov 16, 2021

Change https://golang.org/cl/364554 mentions this issue: crypto/x509/internal/macos: use APIs available on ios

Member

@rolandshoemaker rolandshoemaker commented Nov 16, 2021

This is a two part issue:

(1) we used an API which is only available on macOS, so it's obviously unavailable on iOS. CL364554 switches to an API available on both.
(2) SecTrustEvaluateWithError is available on iOS, as of 12.0. The builders use iOS 14.6, but the clang wrapper sets the minimum version to 6.0, and the SDK in use is for 11.2 (there appears to be no real documentation of this). Bumping the minimum version to 12.0, and updating the SDK to a modern one (14.5) appears to fix these issues.

I've sent a CL for (1), but I'm not sure how best to go about fixing (2). I can send a CL which bumps the min version, but the SDK on the builders needs to be bumped, but that appears to be supplied OOB (and the only instructions appear to be for a new instance, and I can't see any documentation for what to do if we need to make changes? Possibly wipe the instance and re-initialize?)
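Added example, not part of the thread or of the Go project's code: a small triage helper that pulls the undefined symbols out of the `ld` output quoted in this issue and labels each with the cause given in the comment above. The `minIOS` table, the `Diagnose` function and the reason strings are this example's own; the check models only the SDK version, not the minimum version set by the clang wrapper.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// First iOS release {major, minor} per symbol, as stated in the thread; zero value = macOS only.
var minIOS = map[string][2]int{"_SecItemExport": {}, "_SecTrustEvaluateWithError": {12, 0}}

var symRe = regexp.MustCompile(`^\s*"(_\w+)", referenced from:`)

// sampleLog is a trimmed excerpt of the linker output in this issue (it repeats per command).
const sampleLog = `Undefined symbols for architecture arm64:
  "_SecItemExport", referenced from:
  "_SecTrustEvaluateWithError", referenced from:
ld: symbol(s) not found for architecture arm64
Undefined symbols for architecture arm64:
  "_SecItemExport", referenced from:`

// Diagnose reports, once per undefined symbol, why it fails to link against iOS SDK version sdk.
func Diagnose(log string, sdk [2]int) []string {
	var out []string
	seen := map[string]bool{}
	for _, line := range strings.Split(log, "\n") {
		m := symRe.FindStringSubmatch(line)
		if m == nil || seen[m[1]] {
			continue
		}
		seen[m[1]] = true
		need, known := minIOS[m[1]]
		reason := "exported by this SDK"
		switch {
		case !known:
			reason = "no availability data"
		case need == [2]int{}:
			reason = "macOS only"
		case sdk[0] < need[0] || (sdk[0] == need[0] && sdk[1] < need[1]):
			reason = fmt.Sprintf("needs iOS %d.%d SDK or newer", need[0], need[1])
		}
		out = append(out, m[1]+": "+reason)
	}
	return out
}

func main() {
	fmt.Println(strings.Join(Diagnose(sampleLog, [2]int{11, 2}), "\n"))
}
```

Against the 11.2 SDK both symbols are flagged; against 14.5 only the macOS-only `_SecItemExport` remains, which is the part CL 364554 addresses.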

Contributor

@dmitshur dmitshur commented Nov 17, 2021

CC @steeve, @changkun Are you able to help with updating the SDK on the ios-arm64-corellium builder? Thanks very much.

Contributor

@steeve steeve commented Nov 17, 2021

I am not sure how to bump the SDK on the builders, @eliasnaur do you recall where this is kept?
Also, bumping ios-version-min=12 might require some discussion (but I think it's okay) as some folks might still be distributing on ios 11 (we do, but we could bump I guess).

Member Author

@bcmills bcmills commented Nov 17, 2021

> bumping ios-version-min=12 might require some discussion

That seems to be #48076?

Member

@rolandshoemaker rolandshoemaker commented Nov 17, 2021

The SDK lives at /var/root/iPhoneOS.sdk and the clang wrapper lives at /var/root/bin/clangwrap on the builders.

Member

@rolandshoemaker rolandshoemaker commented Nov 17, 2021

Member Author

@bcmills bcmills commented Nov 17, 2021

Would it make sense to add a build constraint (maybe ios-11) that replaces the function that calls SecTrustEvaluateWithError with one that fails unconditionally? That might allow users who really want to support older iOS to do so at the expense of not being able to verify certificates (which I'm guessing may not have up-to-date revocations on older iOS anyway).

Member

@rolandshoemaker rolandshoemaker commented Nov 17, 2021

That is a viable approach if we want to continue to support older iOS versions. Another option is that we could implement a special pre-iOS version which uses the older APIs for certificate verification which have been deprecated, but that is a significant amount of work, since a lot of the old APIs don't interoperate well with the new ones.

Contributor

@FiloSottile FiloSottile commented Nov 18, 2021

Looking at #48076, it feels like raising the minimum version to iOS 12 is the right choice for Go 1.18, regardless of the complete policy. This fortunately solves our problem here, too.


gopherbot pushed a commit that referenced this issue Nov 19, 2021
Use SecCertificateCopyData instead of SecItemExport, which is only
available on macOS.

Updates #49616

Change-Id: Ieda33894930d23c6dab6112ee18120f8a440083b
Reviewed-on: https://go-review.googlesource.com/c/go/+/364554
Trust: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Contributor

@changkun changkun commented Nov 24, 2021

If iOS 12 is decided (as in #48076) to be the minimum targeting version for 1.18, I can help with updating the SDKs inside the builders.


@gopherbot gopherbot commented Nov 24, 2021

Change https://golang.org/cl/366914 mentions this issue: doc/go1.18: document that iOS 12 or newer is required

Contributor

@dmitshur dmitshur commented Nov 24, 2021

@changkun Yes, I think we'll go with iOS 12 for Go 1.18. I've mailed CL 366914 to document it in the release notes. Thank you for your help with updating the builders accordingly, and in turn resolving this release-blocking issue.


gopherbot pushed a commit that referenced this issue Nov 24, 2021
For #47694.
Updates #49616.
Updates #48076.

Change-Id: I570564c3a54d3cd9cfc9b8267df9fbee3363b650
Reviewed-on: https://go-review.googlesource.com/c/go/+/366914
Trust: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>