From 5347e6a292506ea35ab3988f7bb5d56f614cd9db Mon Sep 17 00:00:00 2001
From: Adrian Dewhurst
Date: Tue, 17 Oct 2023 21:21:28 -0400
Subject: [PATCH] control/controlclient: support certstore without cgo
We no longer build Windows releases with cgo enabled, which automatically turned off certstore support. Rather than re-enabling cgo, we updated our fork of the certstore package to no longer require cgo. This updates the package, cleans up how the feature is configured, and removes the cgo build tag requirement.
Fixes tailscale/corp#14797
Fixes tailscale/coral#118
Change-Id: Iaea34340761c0431d759370532c16a48c0913374
Signed-off-by: Adrian Dewhurst
---
 cmd/tailscaled/depaware.txt | 3 +--
 control/controlclient/sign_supported.go | 10 ++++------
 control/controlclient/sign_unsupported.go | 2 +-
 go.mod | 2 +-
 go.sum | 4 ++--
 5 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/cmd/tailscaled/depaware.txt b/cmd/tailscaled/depaware.txt
index bd3fb065d..3ae8c6bef 100644
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -133,7 +133,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de L github.com/pierrec/lz4/v4/internal/lz4errors from github.com/pierrec/lz4/v4+ L github.com/pierrec/lz4/v4/internal/lz4stream from github.com/pierrec/lz4/v4 L github.com/pierrec/lz4/v4/internal/xxh32 from github.com/pierrec/lz4/v4/internal/lz4stream - W github.com/pkg/errors from github.com/tailscale/certstore LD github.com/pkg/sftp from tailscale.com/ssh/tailssh LD github.com/pkg/sftp/internal/encoding/ssh/filexfer from github.com/pkg/sftp W 💣 github.com/tailscale/certstore from tailscale.com/control/controlclient
@@ -367,7 +366,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de tailscale.com/util/testenv from tailscale.com/ipn/ipnlocal+ tailscale.com/util/uniq from tailscale.com/wgengine/magicsock+ tailscale.com/util/vizerror from tailscale.com/types/ipproto+ - 💣 tailscale.com/util/winutil from tailscale.com/control/controlclient+ + 💣 tailscale.com/util/winutil from tailscale.com/clientupdate+ W 💣 tailscale.com/util/winutil/authenticode from tailscale.com/util/osdiag+ W tailscale.com/util/winutil/policy from tailscale.com/ipn/ipnlocal tailscale.com/version from tailscale.com/derp+
diff --git a/control/controlclient/sign_supported.go b/control/controlclient/sign_supported.go
index 0c7925452..3f696dbcd 100644
--- a/control/controlclient/sign_supported.go
+++ b/control/controlclient/sign_supported.go
@@ -1,11 +1,9 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
-//go:build windows && cgo
+//go:build windows
-// darwin,cgo is also supported by certstore but machineCertificateSubject will
-// need to be loaded by a different mechanism, so this is not currently enabled
-// on darwin.
+// darwin,cgo is also supported by certstore but untested, so it is not enabled.
 package controlclient
@@ -21,7 +19,7 @@ import (
 "github.com/tailscale/certstore"
 "tailscale.com/tailcfg"
 "tailscale.com/types/key"
- "tailscale.com/util/winutil"
+ "tailscale.com/util/syspolicy"
 )
 var getMachineCertificateSubjectOnce struct {
@@ -40,7 +38,7 @@ var getMachineCertificateSubjectOnce struct {
 // Example: "CN=Tailscale Inc Test Root CA,OU=Tailscale Inc Test Certificate Authority,O=Tailscale Inc,ST=ON,C=CA"
 func getMachineCertificateSubject() string {
 getMachineCertificateSubjectOnce.Do(func() {
- getMachineCertificateSubjectOnce.v, _ = winutil.GetRegString("MachineCertificateSubject")
+ getMachineCertificateSubjectOnce.v, _ = syspolicy.GetString("MachineCertificateSubject", "")
 })
 return getMachineCertificateSubjectOnce.v
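Review bot: On the added `syspolicy.GetString("MachineCertificateSubject", "")` line the error is still discarded with `_`, and because the call sits inside `getMachineCertificateSubjectOnce.Do` whatever the first call yields is memoized, so a policy read that fails once leaves machine-certificate signing silently disabled for the life of the process, indistinguishable from the setting simply not being configured. The previous `winutil.GetRegString` line had the same shape, but this commit swaps the source of truth for which certificate signs registration requests, which is the moment to stop hiding that failure. At minimum the ignored error deserves a justifying comment, e.g. `// An unset policy disables machine-cert signing; a read error is treated the same way and is never retried.`, and if the syspolicy package exposes a sentinel for a missing key, `if err != nil && !errors.Is(err, <missing-key sentinel>) { /* log err */ }` would separate "not configured" from "broken" (not memoizing on error would require changing the Once struct declared above this hunk). The closing brace of `getMachineCertificateSubject` is outside the visible hunk.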
diff --git a/control/controlclient/sign_unsupported.go b/control/controlclient/sign_unsupported.go
index 6d7ea21d2..5e161dcbc 100644
--- a/control/controlclient/sign_unsupported.go
+++ b/control/controlclient/sign_unsupported.go
@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
-//go:build !windows || !cgo
+//go:build !windows
 package controlclient
diff --git a/go.mod b/go.mod
index b77af6a1e..c34694db4 100644
--- a/go.mod
+++ b/go.mod
@@ -58,7 +58,7 @@ require (
 github.com/prometheus/client_golang v1.17.0
 github.com/prometheus/common v0.44.0
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
- github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d
+ github.com/tailscale/certstore v0.1.1-0.20231020161753-77811a65f4ff
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
 github.com/tailscale/golang-x-crypto v0.0.0-20230713185742-f0b76a10a08e
diff --git a/go.sum b/go.sum
index 24d5c8ace..1c117802a 100644
--- a/go.sum
+++ b/go.sum
@@ -864,8 +864,8 @@ github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8 github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0= github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c h1:+aPplBwWcHBo6q9xrfWdMrT9o4kltkmmvpemgIjep/8= github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c/go.mod h1:SbErYREK7xXdsRiigaQiQkI9McGRzYMvlKYaP3Nimdk= -github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d h1:K3j02b5j2Iw1xoggN9B2DIEkhWGheqFOeDkdJdBrJI8= -github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d/go.mod h1:2P+hpOwd53e7JMX/L4f3VXkv1G+33ES6IWZSrkIeWNs= +github.com/tailscale/certstore v0.1.1-0.20231020161753-77811a65f4ff h1:vnxdYZUJbsSRcIcduDW3DcQqfqaiv4FUgy25q8X+vfI= +github.com/tailscale/certstore v0.1.1-0.20231020161753-77811a65f4ff/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4= github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HPjrSuJYEkdZ+0ItmGQAQ75cRHIiftIyE= github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8= github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=