smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

Supply CGO enabled ARM Package #1912

Closed SnoutBug closed 6 days ago

SnoutBug commented 1 week ago

Hello!

Issue details

I have trouble compiling the proper binaries for ARM. It seems there are too many hurdles to overcome without a proper setup. CC to ARM from Fedora is not supported, and Docker images for ARM compilation are difficult to control since it seems to be required to manually override some go.mod files because of invalid package versions.

Why is this needed?

Compilation with CGO enabled allows the use of YubiKeys, which is a functionality I want to use. This is not the case with the current builds.

maraino commented 6 days ago

To create a CGO package for ARM, we need access to C/C++ cross-compilers. The easiest way I know is using the docker image goreleaser-cross. On that page there is a table with the platforms and architectures supported that includes the CC and CXX variables that you will need.

I suppose that by ARM you mean GOARCH=arm, or what is also known as armhf. There are different versions of armhf (5, 6, and 7); you can control those with the GOARM environment variable, and the most common one is probably 7. So with goreleaser-cross, docker, and this you can build your own binary:

docker run -it --rm --privileged \
 -v /var/run/docker.sock:/var/run/docker.sock \
 -v `pwd`:/go/src/github.com/smallstep/certificates \
 -w /go/src/github.com/smallstep/certificates \
 --entrypoint /bin/bash \
 ghcr.io/goreleaser/goreleaser-cross:v1.22

This will run bash in the same terminal, where you can install the dependencies and fix a linking issue:

apt-get update
apt-get install -y pkg-config libpcsclite-dev libpcsclite1:armhf
ln -s /usr/lib/arm-linux-gnueabihf/libpcsclite.so.1.0.0 /usr/lib/arm-linux-gnueabihf/libpcsclite.so

And then compile with:

# GO_ENVS="CGO_ENABLED=1 GOARCH=arm GOARM=7 CC=arm-linux-gnueabihf-gcc CXX=arm-linux-gnueabihf-g++" make build
...
Build Complete!
# file bin/step-ca
bin/step-ca: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, BuildID[sha1]=0ba25999580542861bf03bb517cb56c7cb7c5528, for GNU/Linux 3.2.0, with debug_info, not stripped


🎉 Then you can use that binary to build your own image.

Of course, you can always do this directly on an ARM machine without needing goreleaser-cross, but that's the easiest way on my machine.
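
The `file bin/step-ca` check from the comment above, written as a script that can gate an image build: it parses the ELF header to confirm the target architecture, that the binary is dynamically linked, and that it references libpcsclite. This is an added example, not code from the thread or from smallstep; the function names, the byte-search heuristic for libpcsclite and the constructed sample image are assumptions.

```python
import struct

MACHINES = {3: "x86", 40: "arm", 62: "x86_64", 183: "aarch64"}  # ELF e_machine values
PT_INTERP = 3  # program header type that names the dynamic loader

def inspect_elf(data: bytes) -> dict:
    """Read the ELF header and program headers of a built binary."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    bits = {1: 32, 2: 64}[data[4]]   # EI_CLASS
    end = {1: "<", 2: ">"}[data[5]]  # EI_DATA: little or big endian
    (machine,) = struct.unpack_from(end + "H", data, 18)
    if bits == 32:
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    else:
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    interp = None
    for i in range(phnum):
        off = phoff + i * phentsize
        if struct.unpack_from(end + "I", data, off)[0] != PT_INTERP:
            continue
        fmt, skip = ("IIII", 4) if bits == 32 else ("QQQQ", 8)
        p_offset, _, _, p_filesz = struct.unpack_from(end + fmt, data, off + skip)
        interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
    return {"bits": bits, "machine": MACHINES.get(machine, str(machine)),
            "interp": interp,
            # Heuristic (assumption): the DT_NEEDED name is a plain string in the file.
            "mentions_pcsclite": b"libpcsclite.so" in data}

def check_build(data: bytes, want_machine: str = "arm") -> list:
    """Return a list of problems; empty means it looks like the CGO build."""
    info, problems = inspect_elf(data), []
    if info["machine"] != want_machine:
        problems.append(f"machine is {info['machine']}, expected {want_machine}")
    if info["interp"] is None:
        problems.append("no PT_INTERP: statically linked, typical of CGO_ENABLED=0")
    if not info["mentions_pcsclite"]:
        problems.append("no libpcsclite reference: PC/SC (YubiKey) support not linked")
    return problems

def sample_armhf() -> bytes:
    """Constructed minimal 32-bit ARM ELF image (not a real step-ca binary)."""
    interp = b"/lib/ld-linux-armhf.so.3\0"
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 2, 40, 1, 0, 52, 0, 0x05000400, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_INTERP, 84, 0, 0, len(interp), len(interp), 4, 1)
    return ehdr + phdr + interp + b"libpcsclite.so.1\0"
```

For a real build, pass the file contents, for example `check_build(open("bin/step-ca", "rb").read())`, and use `want_machine="aarch64"` for an ARMv8 (64-bit) target.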

SnoutBug commented 6 days ago

Thanks a bunch. I should have specified that I personally needed a build for ARMv8, but modifying your command accordingly worked fine, giving me a successful build.

But I still think that those builds should also be officially supplied here with each release instead, to reduce the number of steps the end user needs to perform, even though the solution you provided is really straightforward.

dopey commented 6 days ago

Hey @SnoutBug 👋. Thanks for opening the issue!

We appreciate the feedback, but sadly we don't have the resources to support configuring and maintaining CGO builds for all the various operating systems and architectures in open source. We support Linux AMD64 because our CI already runs in that environment and it's helpful for our team to test with. We won't be introducing prebuilt CGO enabled packages for other architectures / operating systems in open source.

That said, Step CA Pro (a commercial build of step-ca with additional features that we maintain) does come with prebuilt CGO packages.