x509.SystemCertPool() return empty pool on macOS #53498

Not planned
@haoel

What version of Go are you using (go version)?

$ go version
go version go1.18.2 darwin/amd64

Does this issue reproduce with the latest release?

I assume the latest release is 1.18.2

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/chenhao/Library/Caches/go-build"
GOENV="/Users/chenhao/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/chenhao/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/chenhao/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.18.2/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.18.2/libexec/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.18.2"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/zz/rnjkjl3571d2w2k4vfs8y8cm0000gn/T/go-build2741412823=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

Run the following code on macOS Monterey (12.4)

package main

import (
	"crypto/x509"
	"fmt"
	"log"
)

func main() {
	certs, err := x509.SystemCertPool()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("Num System Certs: %d\n", len(certs.Subjects()))
}

What did you expect to see?

The Num System Certs should not be 0.

What did you see instead?

The output is:

$ go run main.go
Num System Certs: 0

Other information

$ uname -a
Darwin MacBookPro 21.5.0 Darwin Kernel Version 21.5.0: Tue Apr 26 21:08:22 PDT 2022; root:xnu-8020.121.3~4/RELEASE_X86_64 x86_64

$ security find-certificate -a  /Library/Keychains/System.keychain /System/Library/Keychains/SystemRootCertificates.keychain  ~/Library/Keychains/login.keychain | grep alis | wc
     228     904   11963

seankhliao (Member) commented on Jun 22, 2022

From CertPool.Subjects:

> Deprecated: if s was returned by SystemCertPool, Subjects will not include the system roots.

haoel (Author) commented on Jun 22, 2022

@seankhliao but why does it work on the Linux platform? And what is the best way to let TLS use the system CA pool?

mengzhuo (Contributor) commented on Jun 24, 2022

> @seankhliao but why does it work on the Linux platform? And what is the best way to let TLS use the system CA pool?

For your reference: #46287

locked and limited conversation to collaborators on Jun 24, 2023
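
The following is an added example, not code from the thread or from the Go project. It builds a tls.Config whose RootCAs is the system pool plus one private root, and checks trust by verifying a certificate against the pool rather than counting Subjects(), which the deprecation note quoted above says does not include the system roots. The helper names and the in-memory CA are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical helpers. newConstructedCA makes a throwaway in-memory CA (constructed sample data).
func newConstructedCA() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), KeyUsage: x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func clientConfig(extra *x509.Certificate) *tls.Config {
	pool, err := x509.SystemCertPool() // returns a copy; Subjects() may omit its system roots
	if err != nil {
		pool = x509.NewCertPool() // system roots unavailable: trust only the extra root
	}
	pool.AddCert(extra)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

func trusts(pool *x509.CertPool, cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool}) // verify; don't count pool.Subjects()
	return err == nil
}

func main() {
	ca, err := newConstructedCA()
	if err != nil {
		panic(err)
	}
	fmt.Println("system+extra pool trusts the constructed CA:", trusts(clientConfig(ca).RootCAs, ca))
}
```

When no extra root is needed, leaving tls.Config.RootCAs nil makes crypto/tls use the host's root CA set, so no pool has to be built at all.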
          x509.SystemCertPool() return empty pool on macOS · Issue #53498 · golang/go