go binary compiled for debug crashes and removed because of wrong codesign

[ybizeul]

Go version

go version go1.23.0 darwin/arm64

Output of go env in your module/workspace:

GO111MODULE=''
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/yann/Library/Caches/go-build'
GOENV='/Users/yann/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/yann/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/yann/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.23.0'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/Users/yann/Library/Application Support/go/telemetry'
GCCGO='gccgo'
GOARM64='v8.0'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/Users/yann/Archives/Developpement/hupload/hupload/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/lb/634kc9l90njb7_lp5_nqgqxc001h8c/T/go-build3831521526=/tmp/go-build -gno-record-gcc-switches -fno-common'

What did you do?

Compiled binary with -l to be run in debug, this is the command line used by vscode

go build -o ../__debug_bin288148591 -gcflags "all=-N -l"  .

What did you see happen?

Run the produced binary :

` ../__debug_bin288148591
zsh: killed ../__debug_bin288148591

Then the binary is removed from disk.

What did you expect to see?

Correct execution.

In the console log, macOS show the following :

default	16:44:40.857846+0200	kernel	AMFI: '/Users/yann/Archives/Developpement/hupload/hupload/__debug_bin288148591' has no CMS blob?
default	16:44:40.857857+0200	kernel	AMFI: '/Users/yann/Archives/Developpement/hupload/hupload/__debug_bin288148591': Unrecoverable CT signature issue, bailing out.

Here is the codesign output for the binary :

❯ codesign -dvvvv Executable=/Users/yann/Archives/Developpement/hupload/hupload/__debug_bin288148591
Identifier=a.out
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=194750 flags=0x20002(adhoc,linker-signed) hashes=6083+0 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=720896
Hash type=sha256 size=32
CandidateCDHash sha256=1f8835aed58373ebf44f964730a3b446fbf74afc
CandidateCDHashFull sha256=1f8835aed58373ebf44f964730a3b446fbf74afce69024acf423451cf4813344
Hash choices=sha256
CMSDigest=1f8835aed58373ebf44f964730a3b446fbf74afce69024acf423451cf4813344
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=14041088
Executable Segment flags=0x1
Page size=4096
CDHash=1f8835aed58373ebf44f964730a3b446fbf74afc
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements=none

If I re-sign the binary it runs :

codesign -f -s - /Users/yann/Archives/Developpement/hupload/hupload/__debug_bin28814859

Codesign info for the re-signed binary :

Executable=/Users/yann/Archives/Developpement/hupload/hupload/__debug_bin288148591
Identifier=__debug_bin288148591-c2c798ff16c60b083613a33b8268cdffdf3691fa
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=194870 flags=0x2(adhoc) hashes=6083+2 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=720896
Hash type=sha256 size=32
CandidateCDHash sha256=106865af80ab3fd70b855fbe3e2cb6d8770f9e54
CandidateCDHashFull sha256=106865af80ab3fd70b855fbe3e2cb6d8770f9e54cdde5c0084c634a53257ccbc
Hash choices=sha256
CMSDigest=106865af80ab3fd70b855fbe3e2cb6d8770f9e54cdde5c0084c634a53257ccbc
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=14041088
Executable Segment flags=0x1
Page size=4096
CDHash=106865af80ab3fd70b855fbe3e2cb6d8770f9e54
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12

[gabyhelp]

Related Issues and Documentation

• cmd/link: go test on darwin/arm64 produces invalid code signature in combination with cgo #43105 (closed)
• cmd/link/internal/ld: Passing incorrect offset to `codesign.Sign` #59555 (closed)
• MacOS M1 can not run binary with go build, CODE SIGNING #64351 (closed)
• Code Signature Invalid when run on macOS Sonoma #63584 (closed)
• cmd/go/internal/list: segmentation fault on darwin #67113 (closed)
• cmd/link: go test -c on darwin/arm64 produces invalid code signature in combination with cgo #63576 (closed)
• go build #52634 (closed)
• cmd/go: build failed #59694 (closed)
• cmd/go: macOS plugin builds are not reproducible #58557 (closed)
• cmd/go: program built by `go build` misses debug information in go1.21.x on darwin/amd64 #65014 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[seankhliao]

Maybe #63997 ?
which clang do you have?

[ybizeul]

I thought about that as well, bu the problem here isn't that a preinstalled binary like gopls has the issue, it's that locally compiled binaries have it.

❯ which clang
/usr/bin/clang

❯ /usr/bin/clang --version
Apple clang version 15.0.0 (clang-1500.3.9.4)
Target: arm64-apple-darwin23.6.0
Thread model: posix
InstalledDir: /Library/Developer/CommandLineTools/usr/bin

❯ /Library/Developer/CommandLineTools/usr/bin/clang --version
Apple clang version 15.0.0 (clang-1500.3.9.4)
Target: arm64-apple-darwin23.6.0
Thread model: posix
InstalledDir: /Library/Developer/CommandLineTools/usr/bin

Thanks

[seankhliao]

does it work if you set CC to the system clang?
the issue I referenced is about building code locally

[ybizeul]

I'm not sure how to do that.

❯ CC=/usr/bin/clang go build -o ../__debug_bin288148591 -gcflags "all=-N -l"  .
❯ ../__debug_bin288148591
zsh: killed     ../__debug_bin288148591

Or :

❯ go env -w "CC=/usr/bin/clang"
❯ CC=/Library/Developer/CommandLineTools/usr/bin/clag go build -o ../__debug_bin288148591 -gcflags "all=-N -l"  .
❯ ../__debug_bin288148591

That said, if I put an intentional typo :

❯ go env -w "CC=/usr/bin/clag"
❯ go build -o ../__debug_bin288148591 -gcflags "all=-N -l"  .
❯ ../__debug_bin288148591
zsh: killed     ../__debug_bin288148591

So I'm confused

[ybizeul]

It's worth noting, I guess, that I keep working on the code, trying to do stuff without debugging, and sometimes the code has something different that now it accepts to run in debug.
I keep working and eventually it'll fail again.

[marchanbbb]

That said, if I put an intentional typo :

I set CC to the system clang, but it doesn't work, still can't debug

[ybizeul]

I have no problems anymore, and not sure how I fixed it.
At some point I removed brew install of go, and deployed the official distribution, and it seemed to be better, but something else eventually sorted it out, not sure what.