crypto/x509: trust setting not inherited on Darwin #32891

Closed

Description

@tommyknows

What version of Go are you using (go version)?

$ go version
go version go1.12.5 darwin/amd64

But I'm trying to build it from source.

Does this issue reproduce with the latest release?

Trying to build it from master leads to the same results.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/ramon/Library/Caches/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/ramon/Documents/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/ramon/Documents/go/go-src/src/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/fm/tzdsx49104v20lr4m55_g43w0000gn/T/go-build735870497=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Trying to build Go from source (tried different versions, official releases).
For that, I cloned the git repository and ran the all.bash script in the src folder.

What did you expect to see?

The build succeeding

What did you see instead?

./all.bash Output

Building Go cmd/dist using /usr/local/go.
Building Go toolchain1 using /usr/local/go.
Building Go bootstrap cmd/go (go_bootstrap) using Go toolchain1.
Building Go toolchain2 using go_bootstrap and Go toolchain1.
Building Go toolchain3 using go_bootstrap and Go toolchain2.
Building packages and commands for darwin/amd64.

Testing packages.

ok archive/tar 0.093s
ok archive/zip 0.088s
ok bufio 0.113s
ok bytes 0.690s
ok compress/bzip2 0.128s
ok compress/flate 0.956s
ok compress/gzip 0.034s
ok compress/lzw 0.026s
ok compress/zlib 0.037s
ok container/heap 0.029s
ok container/list 0.024s
ok container/ring 0.028s
ok context 1.027s
ok crypto 0.017s
ok crypto/aes 0.074s
ok crypto/cipher 0.046s
ok crypto/des 0.042s
ok crypto/dsa 0.019s
ok crypto/ecdsa 0.443s
ok crypto/ed25519 0.565s
ok crypto/elliptic 0.082s
ok crypto/hmac 0.017s
ok crypto/internal/subtle 0.016s
ok crypto/md5 0.020s
ok crypto/rand 0.056s
ok crypto/rc4 0.094s
ok crypto/rsa 0.160s
ok crypto/sha1 0.060s
ok crypto/sha256 0.020s
ok crypto/sha512 0.019s
ok crypto/subtle 0.028s
ok crypto/tls 1.153s
--- FAIL: TestSystemRoots (0.79s)
root_darwin_test.go:35: cgo sys roots: 413.977623ms
root_darwin_test.go:36: non-cgo sys roots: 314.683156ms
root_darwin_test.go:77: certificate only present in non-cgo pool: CN=[redacted cert info] (verify error: x509: certificate signed by unknown authority)
root_darwin_test.go:79: signed certificate only present in non-cgo pool (acceptable): [redacted cert info]
root_darwin_test.go:77: certificate only present in non-cgo pool: CN=[redacted cert info] (verify error: x509: certificate signed by unknown authority)
root_darwin_test.go:79: signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
FAIL
FAIL crypto/x509 1.394s
ok database/sql 0.587s
ok database/sql/driver 0.015s
ok debug/dwarf 0.036s
ok debug/elf 0.043s
ok debug/gosym 0.017s
ok debug/macho 0.022s
ok debug/pe 0.022s
ok debug/plan9obj 0.017s
ok encoding/ascii85 0.023s
ok encoding/asn1 0.019s
ok encoding/base32 0.031s
ok encoding/base64 0.028s
ok encoding/binary 0.016s
ok encoding/csv 0.017s
ok encoding/gob 0.039s
ok encoding/hex 0.015s
ok encoding/json 0.153s
ok encoding/pem 0.036s
ok encoding/xml 0.034s
ok errors 0.013s
ok expvar 0.028s
ok flag 0.012s
ok fmt 0.151s
ok go/ast 0.015s
ok go/build 0.419s
ok go/constant 0.013s
ok go/doc 0.070s
ok go/format 0.015s
ok go/importer 0.137s
ok go/internal/gccgoimporter 0.028s
ok go/internal/gcimporter 0.532s
ok go/internal/srcimporter 1.370s
ok go/parser 0.042s
ok go/printer 0.315s
ok go/scanner 0.013s
ok go/token 0.028s
ok go/types 1.390s
ok hash 0.013s
ok hash/adler32 0.015s
ok hash/crc32 0.022s
ok hash/crc64 0.014s
ok hash/fnv 0.011s
ok html 0.028s
ok html/template 0.049s
ok image 0.091s
ok image/color 0.027s
ok image/draw 0.069s
ok image/gif 0.359s
ok image/jpeg 0.305s
ok image/png 0.042s
ok index/suffixarray 0.360s
ok internal/cpu 0.035s
ok internal/fmtsort 0.014s
ok internal/oserror 0.012s
ok internal/poll 0.056s
ok internal/reflectlite 0.011s
ok internal/singleflight 0.020s
ok internal/trace 0.048s
ok internal/xcoff 0.030s
ok io 0.033s
ok io/ioutil 0.016s
ok log 0.013s
ok log/syslog 1.241s
ok math 0.020s
ok math/big 0.362s
ok math/bits 0.087s
ok math/cmplx 0.014s
ok math/rand 0.186s
ok mime 0.014s
ok mime/multipart 0.418s
ok mime/quotedprintable 0.020s
ok net 2.119s
ok net/http 2.904s
ok net/http/cgi 0.825s
ok net/http/cookiejar 0.036s
ok net/http/fcgi 0.028s
ok net/http/httptest 0.050s
ok net/http/httptrace 0.028s
ok net/http/httputil 0.071s
ok net/http/internal 0.012s
ok net/http/pprof 2.037s
ok net/internal/socktest 0.014s
ok net/mail 0.019s
ok net/rpc 0.091s
ok net/rpc/jsonrpc 0.031s
ok net/smtp 0.039s
ok net/textproto 0.016s
ok net/url 0.022s
ok os 0.901s
ok os/exec 1.522s
ok os/signal 2.893s
ok os/user 0.014s
ok path 0.011s
ok path/filepath 0.057s
ok plugin 0.011s
ok reflect 0.134s
ok regexp 0.083s
ok regexp/syntax 1.800s
ok runtime 24.725s
ok runtime/debug 0.079s
ok runtime/internal/atomic 0.017s
ok runtime/internal/math 0.010s
ok runtime/internal/sys 0.014s
ok runtime/pprof 9.488s
ok runtime/pprof/internal/profile 0.012s
ok runtime/trace 0.610s
ok sort 0.155s
ok strconv 1.791s
ok strings 0.236s
ok sync 0.394s
ok sync/atomic 0.032s
ok syscall 0.096s
ok testing 0.049s
ok testing/quick 0.056s
ok text/scanner 0.013s
ok text/tabwriter 0.013s
ok text/template 0.052s
ok text/template/parse 0.019s
ok time 2.648s
ok unicode 0.011s
ok unicode/utf16 0.015s
ok unicode/utf8 0.019s
ok cmd/addr2line 2.288s
ok cmd/api 0.035s
ok cmd/asm/internal/asm 0.968s
ok cmd/asm/internal/lex 0.008s
ok cmd/compile 0.013s
ok cmd/compile/internal/gc 19.163s
ok cmd/compile/internal/ssa 0.327s
ok cmd/compile/internal/syntax 0.020s
ok cmd/compile/internal/test 0.007s [no tests to run]
ok cmd/compile/internal/types 0.007s
ok cmd/cover 2.561s
ok cmd/doc 0.068s
ok cmd/fix 0.039s
ok cmd/go 53.396s
ok cmd/go/internal/auth 0.026s
ok cmd/go/internal/cache 0.822s
ok cmd/go/internal/dirhash 0.015s
ok cmd/go/internal/generate 0.037s
ok cmd/go/internal/get 0.085s
ok cmd/go/internal/imports 0.031s
ok cmd/go/internal/load 0.016s
ok cmd/go/internal/lockedfile 0.026s
ok cmd/go/internal/lockedfile/internal/filelock 0.046s
ok cmd/go/internal/modconv 0.047s
ok cmd/go/internal/modfetch 0.152s
ok cmd/go/internal/modfetch/codehost 0.012s
ok cmd/go/internal/modfile 0.018s
ok cmd/go/internal/modload 0.040s
ok cmd/go/internal/module 0.011s
ok cmd/go/internal/mvs 0.013s
ok cmd/go/internal/note 0.027s
ok cmd/go/internal/par 0.029s
ok cmd/go/internal/renameio 0.876s
ok cmd/go/internal/search 0.031s
ok cmd/go/internal/semver 0.033s
ok cmd/go/internal/sumweb 0.043s
ok cmd/go/internal/tlog 2.020s
ok cmd/go/internal/txtar 0.012s
ok cmd/go/internal/web 0.029s
ok cmd/go/internal/work 0.024s
ok cmd/gofmt 0.074s
ok cmd/internal/buildid 0.251s
ok cmd/internal/dwarf 0.011s
ok cmd/internal/edit 0.010s
ok cmd/internal/goobj 1.351s
ok cmd/internal/obj 0.012s
ok cmd/internal/obj/arm64 0.050s
ok cmd/internal/obj/x86 5.211s
ok cmd/internal/objabi 0.014s
ok cmd/internal/src 0.011s
ok cmd/internal/test2json 0.161s
ok cmd/link 5.084s
ok cmd/link/internal/ld 7.583s
ok cmd/link/internal/sym 0.012s
ok cmd/nm 3.880s
ok cmd/objdump 3.713s
ok cmd/pack 1.528s
ok cmd/trace 0.032s
ok cmd/vet 5.105s
FAIL
2019/07/02 10:43:23 Failed: exit status 1

I can successfully build it if I run the command as sudo, but this makes sense as root should not have the certificates 🙂

What I am wondering, however, is whether I need a patched version of the go binary to be able to build the patched version.

@FiloSottile requested to be tagged.
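As an added example (not code from the Go project or from this thread), here is a pool comparison that mirrors what the failing TestSystemRoots output above reports: every certificate from one root pool is verified against the other, and an unverifiable certificate counts as a real mismatch only if it is self-signed, because an intermediate that landed in the keychain (like the Developer ID CA in the log) is "acceptable". The names mkCA, PoolDiff and Demo and the constructed Root A / Root B certificates are assumptions; the real test compares the cgo (Security.framework) pool with the non-cgo pool, which this example stands in for with two constructed pools.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// mkCA issues a CA certificate with a fresh Ed25519 key; a nil parent means self-signed (a root).
func mkCA(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-sign: the template is its own issuer
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// PoolDiff reports candidates that do not verify against trusted, split the way the test output
// above splits them: a self-signed root missing from trusted is a real mismatch, an intermediate is acceptable.
func PoolDiff(candidates []*x509.Certificate, trusted *x509.CertPool) (missing, acceptable []string) {
	for _, c := range candidates {
		if _, err := c.Verify(x509.VerifyOptions{Roots: trusted}); err != nil {
			if c.CheckSignatureFrom(c) == nil { // self-signed, so it should have been in the trusted pool
				missing = append(missing, c.Subject.CommonName)
			} else {
				acceptable = append(acceptable, c.Subject.CommonName)
			}
		}
	}
	return missing, acceptable
}

// Demo: constructed certs (assumption). Only Root A is trusted; the other pool also has Root B and its intermediate.
func Demo() (missing, acceptable []string) {
	rootA, _ := mkCA("Root A", nil, nil)
	rootB, keyB := mkCA("Root B", nil, nil)
	interB, _ := mkCA("Intermediate B", rootB, keyB)
	trusted := x509.NewCertPool()
	trusted.AddCert(rootA)
	return PoolDiff([]*x509.Certificate{rootA, rootB, interB}, trusted)
}
func main() { fmt.Println(Demo()) }
```

Root A verifies because it is in the trusted pool, Root B is reported as missing, and Intermediate B is reported as acceptable even though its chain cannot be built.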

Activity

bcmills (Contributor) commented on Jul 2, 2019

CC @agl

tommyknows (Author) commented on Jul 8, 2019

Ping @agl / @FiloSottile
I'd be happy to help if you could point me into the right direction.

FiloSottile (Contributor) commented on Jul 8, 2019

Please provide the full debug output. Instead of ./all.bash use ./make.bash, and then GODEBUG=x509roots=1 ../bin/go test -v -run TestSystemRoots crypto/x509.

tommyknows (Author) commented on Jul 8, 2019

Seems like I can't even run the tests like this:

bash-3.2$ ./make.bash
Building Go cmd/dist using /usr/local/go.
Building Go toolchain1 using /usr/local/go.
Building Go bootstrap cmd/go (go_bootstrap) using Go toolchain1.
Building Go toolchain2 using go_bootstrap and Go toolchain1.
Building Go toolchain3 using go_bootstrap and Go toolchain2.
Building packages and commands for darwin/amd64.
---
Installed Go for darwin/amd64 in /Users/ramon/Documents/go/go-src
Installed commands in /Users/ramon/Documents/go/go-src/bin
bash-3.2$ GODEBUG=x509roots=1 ../bin/go test -v -run TestSystemRoots crypto/x509
# crypto/x509 [crypto/x509.test]
/var/folders/fm/tzdsx49104v20lr4m55_g43w0000gn/T/go-build347514254/b050/_testinginit.go:8:2: undefined: testing.Init
FAIL    crypto/x509 [build failed]
FAIL

While ./all.bash works "fine" (in the sense of at least building).

FiloSottile (Contributor) commented on Jul 9, 2019

That's a really weird failure and seems unrelated. Do you have GOROOT set, maybe?

tommyknows (Author) commented on Jul 9, 2019

Yes, that was the case.

Sadly, I cleaned up my certificates and removed the ones that were signed by an unknown CA 🤦‍♂

I tried adding a certificate back in, but I couldn't get the cert to show up in the log output.
I don't exactly know what is needed for the certificate to show up in the SystemRoots, and if I can just create such a certificate with openssl.

Now, if you know how I can get a new certificate into that list, I'm willing to add some untrusted certificates to my System Keychain 🙂

If not, then this issue can be closed.

Sorry for the noise, stupid me deleting those certificates 😅

FiloSottile (Contributor) commented on Jul 10, 2019

I'm afraid we don't have enough information to debug this, and I can't provide you instructions because at this point mismatches would be due to unexpected states of the keychain, which I wouldn't know how to reproduce.

No worries about it, and thanks for reporting it in the first place.

gopherbot commented on Apr 14, 2020

Change https://golang.org/cl/227037 mentions this issue: crypto/x509: use Security.framework without cgo for roots on macOS
