gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Can't sign Teleport binary for Mac due to malformed Mach-O binary #3158

Closed (webvictim closed this 3 years ago)

webvictim commented 4 years ago

Signing the tsh and tctl binaries works fine, but attempts to sign the teleport binary on macOS are failing with the error "main executable failed strict validation".

Apparently this error is raised when the executable being signed does not conform to Apple's strict Mach-O layout rules (https://github.com/zeit/pkg/issues/128). I highly suspect that this is because of the way we zip the web assets and tack them onto the end of the binary as part of the build process. We had a similar sort of problem when initially building RPMs: when you run rpmbuild, the default config tries to strip symbols from the binary. In our case, it ended up stripping the web assets because they just look like junk stuck on the end of the file.

Apple will only notarize a package which has a signed payload, so for now we can't sign a full teleport archive (although the client-only tsh package I'm working on should be fine).

One idea would be to use something like https://github.com/shurcooL/vfsgen to build the assets directly into the binary rather than the current method.

webvictim commented 4 years ago

cc @benarent

webvictim commented 4 years ago

Related to #2979

Zenithar commented 4 years ago

It can be linked to this issue: https://github.com/golang/go/issues/11887

Zenithar commented 4 years ago

A PIE and UPX-packed teleport binary can be signed successfully.

russjones commented 4 years ago

https://github.com/golang/go/issues/35950

webvictim commented 3 years ago

Waiting for the release of Go 1.16, which should have support for packaging the web assets inside the binary.

awly commented 3 years ago

What a coincidence https://blog.golang.org/go1.16 :)
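The diagnosis in this thread is that the zipped web assets are concatenated after the end of the last Mach-O segment, so no load command describes them and the signer rejects the layout. The following program is an added example written for this page, not Teleport's or Go's own code: it uses only the standard library's debug/macho to measure how many bytes of a binary sit past the end of its highest-reaching segment, which is exactly the region an appended zip occupies. It is a layout check that mirrors the thread's diagnosis, not a reimplementation of Apple's validator. To run offline it also builds a constructed, minimal 64-bit Mach-O (a header plus a single LC_SEGMENT_64 named __LINKEDIT) with and without a fake payload glued on the end; that constructed image and the "PK" stand-in payload are assumptions for the demo, not real Teleport build output.

```go
package main

import (
	"bytes"
	"debug/macho"
	"encoding/binary"
	"fmt"
	"os"
)

// trailingBytes parses a Mach-O image with the standard library and returns
// the number of bytes that lie past the end of the highest-reaching segment.
// Anything appended after the last segment (such as a zip of web assets
// concatenated onto the binary) lands in this region, which no load command
// describes. A result of 0 means the file ends where its last segment ends.
func trailingBytes(img []byte) (int64, error) {
	f, err := macho.NewFile(bytes.NewReader(img))
	if err != nil {
		return 0, fmt.Errorf("not a parseable Mach-O: %w", err)
	}
	var end uint64
	for _, l := range f.Loads {
		seg, ok := l.(*macho.Segment)
		if !ok || seg.Filesz == 0 { // skip non-segment commands and zero-fill segments
			continue
		}
		if e := seg.Offset + seg.Filesz; e > end {
			end = e
		}
	}
	if end > uint64(len(img)) {
		return 0, fmt.Errorf("segment data runs past EOF (%d > %d)", end, len(img))
	}
	return int64(len(img)) - int64(end), nil
}

// buildImage assembles a constructed, minimal 64-bit Mach-O for testing:
// the header, one LC_SEGMENT_64 load command named __LINKEDIT that covers
// body, the body itself, and then appended glued on after it, mimicking the
// "zip the web assets and tack them onto the end" build step. It is not a
// loadable executable, only enough structure for debug/macho to parse.
func buildImage(body, appended []byte) []byte {
	const hdrSize, segCmdSize = 32, 72 // mach_header_64 and segment_command_64 sizes
	var buf bytes.Buffer
	write := func(v interface{}) {
		if err := binary.Write(&buf, binary.LittleEndian, v); err != nil {
			panic(err)
		}
	}
	write(macho.FileHeader{
		Magic: macho.Magic64,
		Cpu:   macho.CpuAmd64,
		Type:  macho.TypeExec,
		Ncmd:  1,
		Cmdsz: segCmdSize,
	})
	write(uint32(0)) // reserved field that pads the 64-bit header to 32 bytes
	var name [16]byte
	copy(name[:], "__LINKEDIT")
	write(macho.Segment64{
		Cmd:    macho.LoadCmdSegment64,
		Len:    segCmdSize,
		Name:   name,
		Offset: hdrSize + segCmdSize, // segment data starts right after the load commands
		Filesz: uint64(len(body)),
		Memsz:  uint64(len(body)),
	})
	buf.Write(body)
	buf.Write(appended) // the part no load command covers
	return buf.Bytes()
}

func main() {
	if len(os.Args) > 1 { // check a real binary, e.g. a freshly built teleport
		img, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		n, err := trailingBytes(img)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("%s: %d bytes past the last segment\n", os.Args[1], n)
		return
	}
	// No argument: demonstrate on the constructed images.
	body := []byte("constructed __LINKEDIT contents")
	appended := []byte("PK\x03\x04 constructed stand-in for the zipped web assets")
	for _, c := range []struct {
		label string
		img   []byte
	}{
		{"clean", buildImage(body, nil)},
		{"with appended zip", buildImage(body, appended)},
	} {
		n, err := trailingBytes(c.img)
		fmt.Printf("%-18s trailing=%d err=%v\n", c.label, n, err)
	}
}
```

Run it with no arguments to see the constructed clean image report 0 trailing bytes and the one with the fake zip report exactly the payload length; pass a path to check a real build output. A non-zero result on a binary you intend to sign is the thing to fix before reaching for codesign; moving the assets into the binary with Go 1.16's embed package puts them inside a normal segment, so this check returns 0 for the resulting executable.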