kr / hk

Fast Heroku client
https://hk.heroku.com/

Compiling for darwin w/ CGO_ENABLED=0 on OS X doesn't produce the same result as compiling on Linux #86

Open bgentry opened 10 years ago

bgentry commented 10 years ago

I was helping @ddollar test his gobuild app yesterday. It does cross-compiled builds from a Heroku dyno for any platform.

So I fetched the hk binary from it and tried it out:

$ wget -O hk-gobuild http://gobuild-dev.herokuapp.com/kr/hk/master/darwin/amd64 && chmod +x hk-gobuild

...

$ ./hk-gobuild apps
Get https://api.heroku.com/apps: x509: failed to load system roots and no roots provided

This is a known issue for binaries cross-compiled to darwin.

All of the other builds so far have been done from my OS X machine, so they are fine. But I don't really understand why. I thought that running the builds with CGO_ENABLED=0 would give us the same result on any system we built from. Clearly that's not true, either because we're using it wrong, or because it doesn't do what I thought it did.

kr commented 10 years ago

That known issue is unlikely to be fixed, ever.

For your local Darwin builds, did you also build package crypto/x509 (so, the entire stdlib) with cgo disabled?

$ CGO_ENABLED=0 ./make.bash

bgentry commented 10 years ago

Yeah, I understand that it's not something that can really be fixed. And no, I used golang-crosscompile, which doesn't explicitly disable cgo if it's supported. So that's why it's working for me.

How do you think we should deal with this? @ddollar did a hack to embed his CA's cert in dist, but that feels ugly & brittle to me.

We could say that for the foreseeable future, all builds will be happening from OSX. That would probably get us by for a bit, and let us push the problem off until we really need to deal with it.

ddollar commented 10 years ago

I think you should use the same method that dist is using, but instead include the full complement of trusted root certs that something like Firefox or Chrome uses. A hardcoded system root certificate store isn't brittle, it's the norm.
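Added example (not part of the thread, and not code from hk or dist): one way to fall back to a root bundle compiled into the binary when the system roots cannot be loaded, and to pin that pool on the HTTP client. The names rootPool, newClient and constructedCA are hypothetical, and the CA generated at runtime is a constructed stand-in for a real embedded bundle.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// rootPool prefers the OS trust store and uses the embedded PEM bundle only when
// that store cannot be loaded. loadSystem is injected so the failure path is testable.
func rootPool(loadSystem func() (*x509.CertPool, error), bundle []byte) (*x509.CertPool, bool, error) {
	if pool, err := loadSystem(); err == nil && pool != nil {
		return pool, false, nil
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) { // failure is reported only through the bool
		return nil, true, fmt.Errorf("embedded CA bundle contains no usable certificates")
	}
	return pool, true, nil
}

// newClient sets RootCAs explicitly; a nil RootCAs makes crypto/tls use the host's root set.
func newClient(pool *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
}

// constructedCA returns a throwaway self-signed CA in PEM form (constructed sample input).
func constructedCA() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

func main() {
	bundle, _ := constructedCA()
	_, embedded, err := rootPool(x509.SystemCertPool, bundle)
	fmt.Println("embedded roots used:", embedded, "error:", err)
}
```

An embedded bundle only changes when a new binary ships, so removing a distrusted root requires a release.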

ddollar commented 10 years ago

If you compile everything on OSX will you have the same problem on the Windows and Linux cross compiled builds?

bgentry commented 10 years ago

> If you compile everything on OSX will you have the same problem on the Windows and Linux cross compiled builds?

@ddollar golang-crosscompile builds a cross compiling environment for all platforms, but it only disables cgo during those builds for non-native platforms. So since I built my cross-compilation environment using that script on OSX, my OSX target builds actually do include cgo dependencies.

I guess one thing to fix here is that setting CGO_ENABLED=0 doesn't actually have a purpose when building from the environment I have.

ddollar commented 10 years ago

What I mean is will your builds for Linux compiled on OSX also be missing their root certificates?

kr commented 10 years ago

> If you compile everything on OSX will you have the same problem on the Windows and Linux cross compiled builds?

I think that Windows and Linux don't use cgo for looking up root certs.

https://code.google.com/p/go/source/browse/src/pkg/crypto/x509/root_unix.go
https://code.google.com/p/go/source/browse/src/pkg/crypto/x509/root_windows.go

But there may be other packages, unrelated to x509 certs, that do require cgo on those platforms.