cannot use https in darwin-amd64 binary built on a linux-amd64


I build a darwin-amd64 version of my program on linux-amd64; the cross-compiling command is:

GOOS=darwin GOARCH=amd64 GOBIN=/tmp go install <myprogram>

Before that I've prepared the darwin-amd64 tool-chain using:

sudo GOOS=darwin GOARCH=amd64 ./make.bash

However, after giving this darwin-amd64 version binary to my colleagues, they can't use it for login because login will send an HTTPS request, which will use CGO. The error message returned is:

x509: failed to load system roots and no roots provided

Any suggestions on how to fix this?


There is 1 answer

VonC On BEST ANSWER

That looks like a certificate issue, such as the one mentioned in "Building Docker Images for Static Go Binaries":

The reason for this is that on Linux systems the tls package reads the root CA certificates from /etc/ssl/certs/ca-certificates.crt, which is missing from the scratch image.
The Contributors app gets around this problem by bundling a copy of the root CA certificates and configuring outbound calls to use them.

So you can check if that /etc/ssl/certs/ca-certificates.crt is there on your colleague's workstation.

But this bug report suggests:

Just got some clarifications from go-nuts. It's due to cross-compile won't work for loading x509 cert...

the cross-compiler can't use 'cgo' during compilation, but 'cgo' is required to access the root certificate store on Darwin.

I had a similar issue; it was solved after copying the crt file from any of these Linux distros. For golang to read the file, you have to place the file in the exact same directory.
crypto/x509 will loop over all the possible certificate files.

Another solution involves cross-compiling with "export CGO_ENABLED=0".

The bug 8349 shows some progress too with more recent Go.