crypto/x509: contradictory Mac OS X version requirements #17732

Closed
AxbB36 opened this issue Nov 1, 2016 · 5 comments
Labels
FrozenDueToAge OS-Darwin WaitingForInfo Issue is not actionable because of missing required information, which needs to be provided.
AxbB36 commented Nov 1, 2016

What version of Go are you using (go version)?

Trying to compile go1.7.3 using go1.4.3 as bootstrap.

What operating system and processor architecture are you using (go env)?

Running on linux/386 but compiling for darwin/386.

What did you do?

export GOROOT_BOOTSTRAP=~/build/go1.4
# Go's CC_FOR_TARGET only allows a command name, not a command with arguments.
# https://github.com/golang/go/issues/15457
CC_FOR_TARGET="$(pwd)/cc-for-target"
echo "#!/bin/sh" > "$CC_FOR_TARGET"
echo "exec $CC -isysroot $HOME/build/MacOSX10.7.sdk -std=gnu99 \"\$@\"" >> "$CC_FOR_TARGET"
chmod +x "$CC_FOR_TARGET"
export GOPATH="$HOME/go"
export GOOS=darwin
export GOARCH=386
cd go/src
CGO_ENABLED=1 CC_FOR_TARGET="$CC_FOR_TARGET" CC= CFLAGS= LDFLAGS= ./make.bash

What did you expect to see?

Installed Go for darwin/386 in /home/debian/build/go
Installed commands in /home/debian/build/go/bin

What did you see instead?

# crypto/x509
crypto/x509/root_cgo_darwin.go: In function 'FetchPEMRoots':
crypto/x509/root_cgo_darwin.go:114: error: 'SecCertificateCopyNormalizedSubjectContent' is unavailable (declared at /home/debian/build/MacOSX10.7.sdk/System/Library/Frameworks/Security.framework/Headers/SecCertificate.h:460)
crypto/x509/root_cgo_darwin.go:119: error: 'SecCertificateCopyNormalizedIssuerContent' is unavailable (declared at /home/debian/build/MacOSX10.7.sdk/System/Library/Frameworks/Security.framework/Headers/SecCertificate.h:443)

A little background: this came up while trying to cross-compile Go 1.7.3 from Debian wheezy to Mac, as part of the deterministic build process of Tor Browser: https://bugs.torproject.org/20023#comment:8. We previously were using Go 1.6.3, built against the Mac OS X 10.6 SDK. Because Go 1.7.3 now uses some SDK 10.7+ functions, we started building against this copy of the 10.7 SDK. We need the Go upgrade because Go 1.7 has some fixes for macOS Sierra that aren't in Go 1.6.3.

I'm aware that Mac OS X 10.7 isn't a supported platform (per #16625 (comment), which has the same error message as this ticket). But a tiny change to the source code makes this build work for me. root_cgo_darwin.go has the CFLAGS build constraint:

#cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060

If I just delete the -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060 part, then the build succeeds for me.

As written, the build constraint doesn't seem to make sense. -mmacosx-version-min=10.6 means "≥10.6", and -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060 means "≤10.6", the intersection of which is just "10.6". That can't be what's intended. Maybe the author meant -D__MAC_OS_X_VERSION_MIN_REQUIRED=1060 instead? But even that can't be right, because the functions used in root_cgo_darwin.go, SecCertificateCopyNormalizedIssuerContent and SecCertificateCopyNormalizedSubjectContent, are documented to be "macOS 10.7+".

The root_cgo_darwin.go code that uses these functions first appeared in Go 1.7: #14514, https://golang.org/cl/20351.

The error message error: '<identifier>' is unavailable comes from macro annotations that interact with MAC_OS_X_VERSION_MIN_REQUIRED and MAC_OS_X_VERSION_MAX_ALLOWED. For example, SecCertificateCopyNormalizedIssuerContent is annotated __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA). I don't know why the build doesn't fail when building natively with a 10.7+ SDK; maybe the __MAC_OS_X_VERSION_MAX_ALLOWED gets overridden somehow.

A MacPorts ticket ran into the same issue:

This issue seems to be caused by line 10 of src/crypto/x509/root_cgo_darwin.go file, which appears as:
#cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060

The value of 1060 for __MAC_OS_X_VERSION_MAX_ALLOWED represents OSX 10.6, which conflicts with compiling it on lion. Removing this restriction allows successful compilation.

I didn't research beyond just getting it to build on my box -- but from the look of it, I don't understand how it could be compiled anywhere.

My main questions on this issue are:

  • Am I right that the root_cgo_darwin.go CFLAGS build constraint is strange, or is there a reason for its being the way it is? Is the workaround of deleting -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060 safe?
  • If this is the only impediment, does 10.7 become a supported platform again? Or should we begin migrating to a 10.8 SDK? (Go would be the only component of Tor Browser that requires 10.8+.)
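
The interaction the report above describes, as an added example that is not part of the original post or of Go's source. It parses the `#cgo CFLAGS` line quoted in the issue and applies a simplified, assumed model of the SDK's macro-based availability gate; the function names, the weak-import case and the "unset MAX_ALLOWED defaults to the SDK version" rule are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

typedef enum { AVAIL_REGULAR, AVAIL_WEAK_IMPORT, AVAIL_UNAVAILABLE } avail_t;

/* Extract the two pins from a "#cgo CFLAGS:" line, using the page's encoding
 * (10.6 -> 1060; valid for 10.0-10.9). *max_allowed is -1 when the -D is absent. */
int parse_cgo_pins(const char *line, int *min_required, int *max_allowed)
{
    static const char min_flag[] = "-mmacosx-version-min=";
    static const char max_flag[] = "-D__MAC_OS_X_VERSION_MAX_ALLOWED=";
    int major, minor;
    const char *p = strstr(line, min_flag);
    if (!p || sscanf(p + strlen(min_flag), "%d.%d", &major, &minor) != 2)
        return -1;
    *min_required = major * 100 + minor * 10;
    *max_allowed = -1;
    p = strstr(line, max_flag);
    if (p && sscanf(p + strlen(max_flag), "%d", max_allowed) != 1)
        return -1;
    return 0;
}

/* Assumed gating rule (simplified model, not the SDK header text): a symbol
 * introduced after MAX_ALLOWED is unavailable; one introduced after
 * MIN_REQUIRED is weak-linked; anything else is a regular import.
 * Assumption: an unset MAX_ALLOWED defaults to the SDK's own version. */
avail_t classify(const char *line, int sdk_version, int introduced)
{
    int min_required, max_allowed;
    if (parse_cgo_pins(line, &min_required, &max_allowed) != 0)
        return AVAIL_UNAVAILABLE;   /* fail closed on an unparseable line */
    if (max_allowed < 0)
        max_allowed = sdk_version;
    if (max_allowed < introduced)
        return AVAIL_UNAVAILABLE;
    return min_required < introduced ? AVAIL_WEAK_IMPORT : AVAIL_REGULAR;
}

int main(void)
{
    static const char *names[] = { "regular", "weak import", "unavailable" };
    const char *pinned = "#cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060";
    const char *no_max = "#cgo CFLAGS: -mmacosx-version-min=10.6";
    /* SecCertificateCopyNormalizedIssuerContent: introduced in 10.7 (1070). */
    printf("MAX_ALLOWED=1060: %s\n", names[classify(pinned, 1070, 1070)]);
    printf("MAX_ALLOWED removed: %s\n", names[classify(no_max, 1070, 1070)]);
    return 0;
}
```
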
@josharian changed the title from "Contradictory Mac OS X version requirements in src/crypto/x509/root_cgo_darwin.go" to "crypto/x509: contradictory Mac OS X version requirements" Nov 2, 2016
@josharian added this to the Go1.8 milestone Nov 2, 2016
@josharian
Contributor

cc @quentinmit @bradfitz

@bradfitz
Contributor

bradfitz commented Nov 2, 2016

That build constraint may be wrong. I can remove it and see if things pass on the builders.

But we have no intention of making 10.7 supported again. We don't run builders for it. There's even talk of dropping 10.8 support (https://groups.google.com/d/msg/golang-dev/5DMm7lBDAqY/hlTg3cQUBwAJ) and making 10.9 the minimum requirement.

You're of course welcome to carry your own patches, but having a giant testing matrix has a real cost and/or slows down the project, so we have to unsupported platforms over time, especially as Apple drops support as well.

@gopherbot
Contributor

CL https://golang.org/cl/32580 mentions this issue.

@bradfitz
Contributor

bradfitz commented Nov 3, 2016

@AxbB36, does changing -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060 to -D__MAC_OS_X_VERSION_MAX_ALLOWED=1080 fix the problem for you? Please confirm, and then we'll submit https://golang.org/cl/32580

@bradfitz added the WaitingForInfo label Nov 3, 2016
@AxbB36
Author

AxbB36 commented Nov 4, 2016

@bradfitz, yes, -D__MAC_OS_X_VERSION_MAX_ALLOWED=1080 works for me.

arlolra pushed a commit to arlolra/tor-browser-bundle that referenced this issue Nov 17, 2016
Go 1.7 has a necessary fix for macOS Sierra that is not in Go 1.6.3 or
earlier:
golang/go@2da5633
meek was unstable on macOS Sierra when compiled with Go 1.4.3 or 1.6.3.
Reported by tordevSZ0: https://bugs.torproject.org/20250.

We need to use the Mac OS X 10.7 SDK (not 10.6) to build Go 1.7 and
later:
https://bugs.torproject.org/20023#comment:6

We add -std=gnu99 to CFLAGS when building Go. A piece of new C code uses
c99 features. Other code uses "asm", which requires gnu99.
https://bugs.torproject.org/20023#comment:6
https://trac.macports.org/ticket/52506

We hack one of the source files with sed to remove -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060,
which otherwise causes the build to fail, thinking a couple of functions
are unavailable.
golang/go#17732
lancerajee pushed a commit to lancerajee/tor-browser-bundle that referenced this issue Mar 9, 2017
Go 1.7 has a necessary fix for macOS Sierra that is not in Go 1.6.3 or
earlier:
golang/go@2da5633
meek was unstable on macOS Sierra when compiled with Go 1.4.3 or 1.6.3.
Reported by tordevSZ0: https://bugs.torproject.org/20250.

We need to use the Mac OS X 10.7 SDK (not 10.6) to build Go 1.7 and
later:
https://bugs.torproject.org/20023#comment:6

We add -std=gnu99 to CFLAGS when building Go. A piece of new C code uses
c99 features. Other code uses "asm", which requires gnu99.
https://bugs.torproject.org/20023#comment:6
https://trac.macports.org/ticket/52506

We hack one of the source files with sed to remove -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060,
which otherwise causes the build to fail, thinking a couple of functions
are unavailable.
golang/go#17732
@golang golang locked and limited conversation to collaborators Nov 4, 2017