Support user trust anchors on OS X

[cyli]

Since the user can no longer add certificates to the system root certificates without disabling software integrity protection as of El Capitan.

One way is to use CGO and the API suggested by #204 (comment), which would get the system CA certificates, system CA certificates configured in /Library, and CA certificates trusted in ~/Library/Keychains/login.keychain.

Alternately, we can use the method used by https://golang.org/src/crypto/x509/root_darwin.go and just shell out to call security find-certificate -a -p ~/Library/Keychains/login.keychain, and this would get you ONLY the certificates in the local keychain.

Caling SecTrustCopyCustomAnchorCertificates seems somewhat more correct, since it will get us not only which certificate the user trusts in the user login keychain, as well as all the system roots that the user trusts (the user can set per-user trust of system certificates).

Both probably mean setting a darwin build flag though.

[cyli]

CircleCI also currently seems to allow building either on Mac OS or Linux, but not both, unless we split up the repo. https://twitter.com/levlaz/status/658704319215202304

Or we can switch to travis-ci: http://docs.travis-ci.com/user/multi-os/

[cyli]

Nm, I'm just stupid: https://golang.org/src/crypto/x509/root_cgo_darwin.go does what we need, you just have to both import and specify that you trust the CA.