Skip to content

transport/roots/system: fix darwin/arm64 build by removing dead armx stub#1438

Open
lukevalenta wants to merge 1 commit into
cloudflare:masterfrom
lukevalenta:fix-darwin-arm-init-system-roots
Open

transport/roots/system: fix darwin/arm64 build by removing dead armx stub#1438
lukevalenta wants to merge 1 commit into
cloudflare:masterfrom
lukevalenta:fix-darwin-arm-init-system-roots

Conversation

@lukevalenta
Copy link
Copy Markdown
Contributor

@lukevalenta lukevalenta commented May 18, 2026

After this fix, cfssl will compile on Apple Silicon using the 'transport/roots/system/root_cgo_darwin.go' path. The 'armx' path seems to never have been functional. The rest of this description was generated w/ AI assistance. It's a bit wordy, but the context seems useful so I'm leaving it.

transport/roots/system/root_darwin_armx.go defined a void initSystemRoots() that referenced identifiers (systemRoots, NewCertPool, AppendCertsFromPEM) that don't exist in the package and that doesn't match root.go's caller signature. As a result, the package fails to compile on darwin/arm64 (Apple Silicon) with cgo enabled:

root.go:42:11: initSystemRoots() (no value) used as value
root_darwin_armx.go:15:2: undefined: systemRoots
root_darwin_armx.go:15:16: undefined: NewCertPool
root_darwin_armx.go:16:2: undefined: systemRoots

Origin of the bug: root_darwin_armx.go was checked in on 2015-11-04 (0fd8a23) with this signature already wrong. The accompanying generator root_darwin_arm_gen.go (deleted in the same commit) emitted a header that would have produced the correct initSystemRoots() []*x509.Certificate { ... return roots } shape, but the generated file committed alongside the generator's deletion was clearly produced by an earlier version of the tool and never re-run. The pattern systemRoots = NewCertPool() matches the internal API of crypto/x509 circa Go ~1.5. The bug went unnoticed for ~5 years because darwin/arm64 wasn't a common build target until Apple Silicon launched in late 2020; the first user report (#1235) is from August 2022.

The file existed to embed a static blob of Apple-published iOS root certificates because, in 2015, the cgo path's
SecKeychainItemExport API was deprecated on iOS and there was no way to query the system trust store at runtime on iOS/arm. That rationale never applied to darwin/arm64 (macOS Apple Silicon), which can still call the Security framework APIs the same way as darwin/amd64. The static blob is also a decade out of date.

Drop the static-blob approach for arm64 entirely. Broaden the build tags on root_cgo_darwin.go and the nilref_*_darwin.go files so they cover darwin && !ios instead of darwin && !arm && !arm64 && !ios, and delete root_darwin_armx.go. The root_darwin_test.go arch skip is now also unnecessary; remove it. (iOS is still excluded; nobody has been building cfssl for iOS in years and SecKeychainItem Export remains restricted there.)

After this change, darwin/arm64 uses the same runtime-query path as darwin/amd64:

GOOS=darwin GOARCH=arm64 CGO_ENABLED=1 go build ./transport/...
GOOS=darwin GOARCH=arm64 CGO_ENABLED=1 go test  ./transport/roots/system/
# TestSystemRoots now runs (was previously skipped) and passes.

Verified SecKeychainItemExport still functions on macOS 14 arm64 despite its 10.7-era deprecation warning.

Fixes #1235.

@lukevalenta
transport/roots/system: fix darwin/arm64 build by removing dead armx …
be5b8fe 
…stub

After this fix, cfssl will compile on Apple Silicon using the
'transport/roots/system/root_cgo_darwin.go' path. The 'armx' path seems
to never have been functional.  The rest of this description was
generated w/ AI assistance. It's a bit wordy, but the context seems
useful so I'm leaving it.

`transport/roots/system/root_darwin_armx.go` defined a void
`initSystemRoots()` that referenced identifiers (`systemRoots`,
`NewCertPool`, `AppendCertsFromPEM`) that don't exist in the package
and that doesn't match `root.go`'s caller signature. As a result, the
package fails to compile on `darwin/arm64` (Apple Silicon) with cgo
enabled:

    root.go:42:11: initSystemRoots() (no value) used as value
    root_darwin_armx.go:15:2: undefined: systemRoots
    root_darwin_armx.go:15:16: undefined: NewCertPool
    root_darwin_armx.go:16:2: undefined: systemRoots

Origin of the bug: `root_darwin_armx.go` was checked in on 2015-11-04
(0fd8a23) with this signature already wrong. The accompanying
generator `root_darwin_arm_gen.go` (deleted in the same commit)
emitted a header that would have produced the correct
`initSystemRoots() []*x509.Certificate { ... return roots }` shape,
but the generated file committed alongside the generator's deletion
was clearly produced by an earlier version of the tool and never
re-run. The pattern `systemRoots = NewCertPool()` matches the
internal API of `crypto/x509` circa Go ~1.5. The bug went unnoticed
for ~5 years because `darwin/arm64` wasn't a common build target
until Apple Silicon launched in late 2020; the first user report
(cloudflare#1235) is from August 2022.

The file existed to embed a static blob of Apple-published iOS root
certificates because, in 2015, the cgo path's
`SecKeychainItemExport` API was deprecated on iOS and there was no
way to query the system trust store at runtime on iOS/arm. That
rationale never applied to `darwin/arm64` (macOS Apple Silicon),
which can still call the Security framework APIs the same way as
`darwin/amd64`. The static blob is also a decade out of date.

Drop the static-blob approach for arm64 entirely. Broaden the build
tags on `root_cgo_darwin.go` and the `nilref_*_darwin.go` files so
they cover `darwin && !ios` instead of `darwin && !arm && !arm64
&& !ios`, and delete `root_darwin_armx.go`. The `root_darwin_test.go`
arch skip is now also unnecessary; remove it. (iOS is still excluded;
nobody has been building cfssl for iOS in years and `SecKeychainItem
Export` remains restricted there.)

After this change, `darwin/arm64` uses the same runtime-query path
as `darwin/amd64`:

    GOOS=darwin GOARCH=arm64 CGO_ENABLED=1 go build ./transport/...
    GOOS=darwin GOARCH=arm64 CGO_ENABLED=1 go test  ./transport/roots/system/
    # TestSystemRoots now runs (was previously skipped) and passes.

Verified `SecKeychainItemExport` still functions on macOS 14 arm64
despite its 10.7-era deprecation warning.

Fixes cloudflare#1235.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

initSystemRoots() used as value, but it returns nothing

1 participant

@lukevalenta