cmd/link: OS X codesign only works with -ldflags -s

[derekparker]

Using the Go 1.5 compiler toolchain and compiling a binary that uses CGO and then codesigning that binary, upon attempting to execute the program it will be killed immediately by the system. Codesigning a non-cgo binary works just fine, as expected.

Given the following small program:

package main

/*
int
cfunc() {
    return 2;
}
*/
import "C"
import "fmt"

func main() {
    fmt.Println("cfunc says:", C.cfunc())
}

and building simply with go build and running codesign -f -s my_cert ./myprog, when attempting to execute the program in a shell the response is "killed: ./myprog".

The system log reports:

$ taskgated[92]: no signature for pid=1991 (cannot make code: UNIX[No such process])

Tested against Go1.5beta2 and:

$ go version devel +765cea2 Mon Jul 27 18:03:45 2015 +0000 darwin/amd64

[ianlancetaylor]

Please run "go build -ldflags=-v" and attach the output. I'd like to confirm that the linker is invoking the external linker. Thanks.

[derekparker]

$ go build -ldflags=-v

# github.com/derekparker/testcgo
HEADER = -H1 -T0x2000 -D0x0 -R0x1000
searching for runtime.a in $WORK/runtime.a
searching for runtime.a in /usr/local/go/pkg/darwin_amd64/runtime.a
 0.00 deadcode
 0.02 pclntab=334118 bytes, funcdata total 69364 bytes
 0.02 dodata
 0.02 symsize = 0
 0.03 symsize = 0
 0.03 reloc
 0.04 reloc
 0.05 asmb
 0.05 codeblk
 0.07 datblk
 0.07 dwarf
 0.08 symsize = 0
 0.13 dwarf pass 2.
 0.14 sym
 0.16 headr
host link: "clang" "-m64" "-gdwarf-2" "-Wl,-no_pie,-headerpad,1144" "-Wl,-pagezero_size,4000000" "-o" "/var/folders/qk/sdqgc3hn4v7_zxpkbmms53k00000gn/T/go-build627095567/github.com/derekparker/testcgo/_obj/exe/a.out" "-Qunused-arguments" "/var/folders/qk/sdqgc3hn4v7_zxpkbmms53k00000gn/T/go-link-928391324/000000.o" "/var/folders/qk/sdqgc3hn4v7_zxpkbmms53k00000gn/T/go-link-928391324/000001.o" "/var/folders/qk/sdqgc3hn4v7_zxpkbmms53k00000gn/T/go-link-928391324/go.o" "-g" "-O2" "-g" "-O2" "-lpthread"
 0.26 cpu time
42397 symbols
30720 liveness data

[ianlancetaylor]

Thanks. We apparently have a program built by clang for which codesign does not work. Off hand I have no guess as to what the Go linker might be doing to cause this to fail. This will have to be tackled by somebody who understands how codesign works on Darwin.

[rsc]

If you build with -ldflags -s, which drops the DWARF information from the executable, then codesign produces a valid binary. I think this is mostly not Go's fault (except that Go works hard to put DWARF info in the binaries, unlike most OS X programs). Certainly for Go 1.5 but possibly long term we can suggest that people who need codesign can use -ldflags -s.

[derekparker]

Thanks, that does seem to work.