
Outdated apple SDK Security framework #269646

Closed
cottand opened this issue Nov 24, 2023 · 3 comments
Labels
0.kind: bug Something is broken

Comments

@cottand
Contributor

cottand commented Nov 24, 2023

Describe the bug

The Security framework includes SecTrustCopyCertificateChain as of macOS 12+, but I can't build packages that require that function via flakes.

I am guessing nixpkgs bundles this somehow (I am not a darwin dev, so I am struggling to find where to look).

Steps To Reproduce

You can build this flake. It builds a Go module that tries to make use of this function.

This is not the actual code I am trying to compile (I cannot share it) but this reproduces the same error.

{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  inputs.utils.url = "github:numtide/flake-utils";

  outputs = { nixpkgs, utils, ... }: (utils.lib.eachDefaultSystem (system:
    let
      pkgs = import nixpkgs { inherit system; };
      CoreFoundation = pkgs.darwin.apple_sdk.frameworks.CoreFoundation;
      Security = pkgs.darwin.apple_sdk.frameworks.Security;
    in
    rec {
      packages.default = pkgs.buildGoModule {
        pname = "tools";
        version = "tools-2023.11.23.685";

        vendorHash = "sha256-Qd2xSBm67tQzYgC+vS76ewaZYWmbvICDQK2NvxwOPDY=";
        nativeBuildInputs = [ CoreFoundation Security ];
        buildInputs = [ CoreFoundation Security ];

        # not sure if this is needed
        CGO_CFLAGS = "-iframework ${CoreFoundation}/Library/Frameworks -iframework ${Security}/Library/Frameworks";
        CGO_LDFLAGS = "-F${CoreFoundation}/Library/Frameworks -F${Security}/Library/Frameworks";

        src = pkgs.fetchFromGitHub {
          owner = "aws";
          repo = "rolesanywhere-credential-helper";
          rev = "43f2060";
          hash = "sha256-mXLzHPdQLsny2c5dZsL7Y5RRne8taFJt51XwlYmGwf0=";
        };
      };
    }));
}

Run nix build . on a directory with that flake

Actual behaviour

$ nix build .

error: builder for '/nix/store/cpkx1c0r3bhs2hq8cakzb82vis1lrbad-tools-tools-2023.11.23.685.drv' failed with exit code 1;
       last 10 log lines:
       [ ... ]
       > building
       > Building subPackage .
       > # github.com/aws/rolesanywhere-credential-helper/aws_signing_helper
       > aws_signing_helper/darwin_cert_store_signer.go:212:18: could not determine kind of name for C.SecTrustCopyCertificateChain

Expected behavior

Successful build

Additional context

The function is present in my darwin machine:

$ cat /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecTrust.h | grep 'SecTrustCopyCertificateChain'
    SecTrustCopyCertificateChain provides thread-safe results.
    API_DEPRECATED_WITH_REPLACEMENT("SecTrustCopyCertificateChain", macos(10.7, 12.0), ios(2.0, 15.0), watchos(1.0, 8.0), tvos(9.0, 15.0));
    @function SecTrustCopyCertificateChain
CFArrayRef SecTrustCopyCertificateChain(SecTrustRef trust)

Although I am not sure if that is the right place to look.

I cannot see it in nixpkgs when I try to make a derivation that has pkgs.darwin.apple_sdk.frameworks.Security as a buildInput:

cat /nix/store/psigbvki880kklmj933dkx6f3f2z5m4q-apple-framework-Security-11.0.0/Library/Frameworks/Security.framework/Headers/SecTrust.h | grep 'SecTrustCopyCertificateChain'
# no results!!!

Notify maintainers

@wegank or @0xnetfox or @reckenrode ? Based on git blame of what I think might be relevant files. Sorry for pinging you if that's wrong!

Priorities

Add a 👍 reaction to issues you find important.

@cottand cottand added the 0.kind: bug Something is broken label Nov 24, 2023
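The header check done by hand above, as an added example (not code from the issue, from nixpkgs or from Apple), extended to read the Apple availability macro that follows a prototype and compare the release it names with an SDK version; the sample header lines and all function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the issue, nixpkgs or Apple: checks whether a
# framework header declares a symbol and which macOS release Apple's availability
# macro says introduced it, so the SDK version a build needs can be compared with
# the one nixpkgs ships (11.0.0 in the store path quoted in the report).
# SAMPLE_HDR is a constructed stand-in for the relevant SecTrust.h lines.
SAMPLE_HDR=$(mktemp); trap 'rm -f "$SAMPLE_HDR"' EXIT
cat > "$SAMPLE_HDR" <<'EOF'
SecCertificateRef SecTrustGetCertificateAtIndex(SecTrustRef trust, CFIndex ix)
    API_DEPRECATED_WITH_REPLACEMENT("SecTrustCopyCertificateChain", macos(10.7, 12.0), ios(2.0, 15.0));
CFArrayRef SecTrustCopyCertificateChain(SecTrustRef trust)
    API_AVAILABLE(macos(12.0), ios(15.0), watchos(8.0), tvos(15.0));
EOF
# Exit 0 if SYMBOL ($2) is declared as a function in HEADER ($1).
sdk_declares() {
  grep -Eq "[[:space:]*]$2[[:space:]]*\\(" "$1"
}
# Print the macos(...) tuple of the annotation that follows SYMBOL's prototype
# ("12.0", or "10.7, 12.0" for introduced/deprecated); empty when there is none.
macos_availability() {
  awk -v sym="$2" '
    $0 ~ ("[ *]" sym "[[:space:]]*\\(") { hit = 1 }
    hit && match($0, /macos\([^)]*\)/) { print substr($0, RSTART + 6, RLENGTH - 7); exit }
    hit && /;/ { exit }
  ' "$1"
}
# The macOS release that introduced SYMBOL (first element of the tuple).
introduced_in() {
  macos_availability "$1" "$2" | cut -d, -f1 | tr -d ' '
}
# Exit 0 when dotted version $1 >= $2 (11.1 < 12.0, 12.3 >= 12.0).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}
# Exit 0 if an SDK of version $3 can provide SYMBOL $2, judged from the system
# header $1 (the one that was grepped above); exit 1 if too old, 2 if unknown.
sdk_can_build() {
  need=$(introduced_in "$1" "$2")
  [ -n "$need" ] || { echo "$2: no availability annotation found"; return 2; }
  if version_ge "$3" "$need"; then echo "$2 needs macOS $need; SDK $3 suffices"; return 0; fi
  echo "$2 needs macOS $need; SDK $3 is too old"; return 1
}
sdk_can_build "$SAMPLE_HDR" SecTrustCopyCertificateChain 11.0 || :  # reports "SDK 11.0 is too old"
```

Point the first argument at the real SecTrust.h from the Command Line Tools SDK to check other symbols the same way.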
@reckenrode
Contributor

The newest available SDK in nixpkgs is 11.1. #229210 will add several of the missing SDKs (newer and older, hopefully). Until that PR is ready and merged, it won’t be possible to build packages that require newer APIs.

@cottand
Contributor Author

cottand commented Nov 24, 2023

Thank you! That explains everything. Keen to see that merged, then. In the meantime, do you have any workarounds/hacks to make nix build use the system's present SDK? I realise this would break purity, but that is a sacrifice I am willing to make until #229210 is merged.

@aviallon
Contributor

Closed by #346043
