Closed webvictim closed 3 years ago
cc @benarent
Related to #2979
It can be linked to this issue - https://github.com/golang/go/issues/11887
PIE and Upxified `teleport` binary can be signed successfully.
Waiting for the release of Go 1.16 which should have support for packaging the webassets inside the binary.
What a coincidence https://blog.golang.org/go1.16 :)
Signing the `tsh` and `tctl` binaries works fine, but attempts to sign the `teleport` binary on MacOS are failing with the error `main executable failed strict validation`

Apparently this error is raised when the executable being signed does not conform to Apple's strict Mach-O layout rules (https://github.com/zeit/pkg/issues/128) - I highly suspect that this is because of the way we zip the web assets and tack them onto the end of the binary as part of the build process. We had a similar sort of problem when initially building RPMs - when you run `rpmbuild`, the default config tries to strip symbols from the binary. In our case, it ended up stripping the web assets because they just look like junk stuck on the end of the file.

Apple will only notarize a package which has a signed payload, so for now we can't sign a full `teleport` archive (although the client-only `tsh` package I'm working on should be fine)

One idea would be to use something like https://github.com/shurcooL/vfsgen to build the assets directly into the binary rather than the current method.
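Added example, not from the issue or the Teleport code base: a Go check that reports how many bytes of a Mach-O file lie past the end of its last segment, which is where assets tacked onto the end of a binary end up. `trailingBytes` and `sampleMachO` are hypothetical names, and the sample image is constructed in memory rather than taken from a real build.

```go
package main

import (
	"bytes"
	"debug/macho"
	"encoding/binary"
	"fmt"
)

// trailingBytes returns how many bytes of a Mach-O image lie past the end of
// the last segment's file extent, i.e. outside what the load commands describe.
func trailingBytes(image []byte) (int64, error) {
	f, err := macho.NewFile(bytes.NewReader(image))
	if err != nil {
		return 0, err
	}
	var end uint64
	for _, l := range f.Loads {
		if s, ok := l.(*macho.Segment); ok && s.Offset+s.Filesz > end {
			end = s.Offset + s.Filesz
		}
	}
	return int64(len(image)) - int64(end), nil
}

// sampleMachO builds a constructed, minimal 64-bit Mach-O of the given size:
// a header plus one LC_SEGMENT_64 (__LINKEDIT) that covers the whole file.
func sampleMachO(size uint64) []byte {
	var b bytes.Buffer
	le := binary.LittleEndian
	// mach_header_64: magic, cputype (x86_64), cpusubtype, filetype
	// (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved.
	binary.Write(&b, le, []uint32{0xfeedfacf, 0x01000007, 3, 2, 1, 72, 0, 0})
	binary.Write(&b, le, []uint32{0x19, 72}) // LC_SEGMENT_64, cmdsize
	name := [16]byte{}
	copy(name[:], "__LINKEDIT")
	b.Write(name[:])
	binary.Write(&b, le, []uint64{0, size, 0, size}) // vmaddr, vmsize, fileoff, filesize
	binary.Write(&b, le, []uint32{1, 1, 0, 0})       // maxprot, initprot, nsects, flags
	b.Write(make([]byte, int(size)-b.Len()))         // zero padding up to size
	return b.Bytes()
}

func main() {
	// Constructed stand-in for a zip archive appended after the build.
	img := append(sampleMachO(4096), []byte("constructed asset blob")...)
	n, err := trailingBytes(img)
	fmt.Println("bytes past last segment:", n, "err:", err)
}
```

A non-zero result on a release binary is a cheap pre-signing check in CI for the appended-data layout suspected above.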