cmd/go: MacOS binaries invalid for eventual Apple Notary #30488
Comments
|
This is an update on top of issue #12941 For Apple documentation of this, see: |
|
Is there anything we need to do other than change the constant? |
bradfitz
added
OS-Darwin
NeedsInvestigation
|
This is set in the linker It seems this is set to the minimum version Go required at the time this code was written. |
|
At this time, I don't have full proof that this is the only change, but based on other evidence we have from a suite of binaries submitted, this is the only change: to change that constant in macho.go. There are other requirements for Apple Notary, but those requirements fall outside of the scope of the compiler. They are more around the codesign step. Go binaries can be signed like any other binary. |
|
Seems like a back-port candidate? |
|
@networkimprov yes, this is viable for back-port also. I'm so far unfamiliar with how I would approach that. |
|
@gopherbot please open backport issues |
|
Backport issue(s) opened: #30525 (for 1.11), #30526 (for 1.12). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases. |
|
I plan to submit code changes for this, including the backports. |
|
How can I be recognized as the "assignee?" |
|
Also, how can we recognize this no longer as "Needs Investigation?" |
randall77
added
NeedsFix
|
Haha. I just get @randall77 to do all my work. Thank you, Keith! |
|
Gopherbot listens for commands re label manipulation, e.g.
Someone pls refresh my memory re the delete/drop command... |
|
Can this patch provide a script to pull the version string from a canonical source, if networking is available? |
|
@networkimprov help me understand your question. |
|
At this time, I have a "No Contributor Agreement on file for user Tyler Mace" error, but I just got one completed this morning (via Autodesk). How long is the lag time for this to take effect? Is there a better forum for this question, other than my issue ticket? |
|
@macetw If you configure GitHub such that your e-mail address is @autodesk.com then I think the CLA robot will recognize that you are approved. If you don't want to do that then, if you are willing, I recommend that you sign the personal CLA as well, using the same e-mail address as your GitHub account. |
|
@ianlancetaylor the google-group had both my private email and my corporate email, but in the contrib guide, it was said to use consistent email addresses. (I had already done work as [email protected]). You're suggesting that I not be consistent, but if that's okay, my employer would actually prefer it I use my corporate email. |
|
@macetw Are you using Gerrit or GitHub (go-review.googlesource.com or github.com)? I believe that Gerrit lets you have multiple e-mail addresses. If you've already contributed under the e-mail address |
|
@ianlancetaylor I haven't contributed lines of code yet. I've merely contributed via github issue conversations, like here. I'm new today on the CLA. |
|
@macetw I should have written "hex constant". Seems like its value should be pulled from an online source or config file via |
|
@macetw, are you still having CLA trouble? |
|
Any idea when this will be released? We're actually waiting for this fix to be able to notarize our binaries for macOS. Since Apple will be pushing this after WWDC beginning of june, it would be awesome to be ready… |
|
As far as I know this isn't fixed yet. I'm not sure what is happening here. We've currently marked this as a release blocker for Go 1.13, which will be released around August 1. |
|
:-( Is there any way to get this fixed earlier? I presume we're not the only ones running into this, right? |
|
The first step is to get it fixed at all. Once we have a fix we can discuss backporting that fix to a release branch. Right now, as far as I know, it is not fixed. |
|
It's a minor change to a pair of constant expressions, and already marked for backport to 1.11 & 1.12. This issue should perhaps be reassigned? EDIT: mistakenly added "help" and "wanted" whilst trying to add "help wanted" |
|
If anyone has a patch to send that fixes this problem, please go ahead. |
|
FYI as of 277609f the version number is copied from external objects when available, so compiling with |
In which version of Go will that be available? |
|
That CL was part of the work for #22395 and it will be available in the 1.13 release. @eliasnaur @cherrymui Would it be appropriate to backport https://golang.org/cl/168321 to a Go 1.12 release? |
|
CL 168321 is not entirely trivial and I believe it requires CL 168459 to apply. It doesn't even fix the root cause: the 10.7 version is still hardcoded in tip. That the CL enables a workaround as described by @tmm1 is accidental. I propose someone mails the trivial change discussed earlier in this issue that bumps the version to 10.9 in tip, fixing this issue. The scope of the change is much narrower and can be manually backported. Would that be acceptable? |
Yes, I think so. Thanks. |
|
Change https://golang.org/cl/175918 mentions this issue: |
|
Can you make sure this ends up in 1.12 as well? |
|
@pieterclaerhout The 1.12 backport is #30526. |
|
Ian, could you reopen this? It needs to be reviewed before each release, as the value will change again. Also its milestone should be set appropriately. |
|
@networkimprov Would you mind opening a new issue for that? This issue is pretty cluttered, and I wouldn't want people to have to read through all of it for each release. Thanks. |
|
Filed #31918, thanks! |
What version of Go are you using (
go version)?1.12
Does this issue reproduce with the latest release?
Yes. (1.12)
What operating system and processor architecture are you using (
go env)?go envOutputWhat did you do?
I applied my executable for an Apple Notary, required for release with the App Store on MacOS 10.14. Apple Notary gives users the assurance that their application is safe, but binaries must have the notary approval "stapled" to their .app. Apple Notary requirements include "runtime" option with a code signature and the MacOS SDK be "10.9" or newer. This is seen with "otool -l." With go, binaries are "10.7" based.
Here is the result of submission to Apple, presented in JSON format:
{"severity": "error", "code": null, "path": "mygobasedapplication.dmg/my/go/based/application", "message": "The binary uses an SDK older than the 10.9 SDK.", "docUrl": null}
What did you expect to see?
version 10.9 sdk 10.9What did you see instead?
% otool -l main | tail -n4 cmd LC_VERSION_MIN_MACOSX cmdsize 16 version 10.7 sdk 10.7The text was updated successfully, but these errors were encountered: