crypto/x509: TestSystemRoots failure #21416
happens since: 4dbcacd... crypto/x509: load all trusted certs on darwin (nocgo)
adding authors and more reviewers from the CL
I tagged this Go1.9 since I traced it to a CL merged at the end of the 1.9 cycle, and it would be nice to have a working test suite on darwin with the 1.9 release and also counter confusion and issue tickets from any others that will encounter the above failure when compiling 1.9 from source on darwin.
I suspect this is due to the cgo counterpart to that fix not having made it into 1.9 (as it's still in-progress)
Change https://golang.org/cl/57830 mentions this issue:
golang.org/cl/36941 enabled loading of all trusted certs on darwin for the non-cgo execSecurityRoots. The corresponding cgo version golang.org/cl/36942 for systemRootsPool has not been merged yet.

This test fails reliably on some darwin systems:

--- FAIL: TestSystemRoots (1.28s)
root_darwin_test.go:31: cgo sys roots: 353.552363ms
root_darwin_test.go:32: non-cgo sys roots: 921.85297ms
root_darwin_test.go:44: got 169 roots
root_darwin_test.go:44: got 455 roots
root_darwin_test.go:73: insufficient overlap between cgo and non-cgo roots; want at least 227, have 168
FAIL
FAIL crypto/x509 2.445s

Updates #16532
Updates #21416

Change-Id: I52c2c847651fb3621fdb6ab858ebe8e28894c201
Reviewed-on: https://go-review.googlesource.com/57830
Run-TryBot: Martin Möhrmann <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Joe Tsai <[email protected]>
If this is a release blocker why did 1.9 get released without this?
Because the label was a suggestion by me, but as far as I know the decision was made by the Go team that the issue should not hold up the release of 1.9 (which sounds like the right call to me). It can be considered for 1.9.x.
If I'm reading this correctly, the fix for this test failure is to disable the test. I guess that is OK for a backport to 1.9.
Sure, we can disable the test that non-cgo works here.
I'm going to remilestone this to Go 1.10 for a proper fix, since there is good context in this thread, and I created #22256 for the Go 1.9.2 cherry-pick.
Change https://golang.org/cl/70847 mentions this issue:
golang.org/cl/36941 enabled loading of all trusted certs on darwin for the non-cgo execSecurityRoots. The corresponding cgo version golang.org/cl/36942 for systemRootsPool has not been merged yet.

This test fails reliably on some darwin systems:

--- FAIL: TestSystemRoots (1.28s)
root_darwin_test.go:31: cgo sys roots: 353.552363ms
root_darwin_test.go:32: non-cgo sys roots: 921.85297ms
root_darwin_test.go:44: got 169 roots
root_darwin_test.go:44: got 455 roots
root_darwin_test.go:73: insufficient overlap between cgo and non-cgo roots; want at least 227, have 168
FAIL
FAIL crypto/x509 2.445s

Updates #16532
Updates #21416

Change-Id: I52c2c847651fb3621fdb6ab858ebe8e28894c201
Reviewed-on: https://go-review.googlesource.com/57830
Run-TryBot: Martin Möhrmann <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Joe Tsai <[email protected]>
Reviewed-on: https://go-review.googlesource.com/70847
Run-TryBot: Russ Cox <[email protected]>
Reviewed-by: Martin Möhrmann <[email protected]>

Change https://golang.org/cl/117055 mentions this issue:

It was apparently waiting on CL 36942, which was submitted.

Fixes golang#21416

Change-Id: I8f4ccc5a3176070abf0df019c82700c5761b5f53
Reviewed-on: https://go-review.googlesource.com/117055
Run-TryBot: Brad Fitzpatrick <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Ian Lance Taylor <[email protected]>
reopening because after submission of https://golang.org/cl/117055 $ git checkout 2642df9 @bradfitz
Change https://golang.org/cl/122435 mentions this issue:
@martisch Could you try with these CLs and see if the test is fixed?
applied 3 patches from #24652 to tip: result: any other CLs I should apply?
@martisch 400+ roots seems like a lot compared to my system. I only have two custom CAs installed. I tried from
Could you explain more about the certificates picked up in the non-cgo route? Adding
I have a lot of email certificates in my login keychain from S/MIME-signed emails from a common authority (e.g. DFN-PKI). AFAIK Apple Mail adds them automatically to my keychain when I receive signed mails and they have been verified against a trusted authority. I just deleted one of those and the number of "got roots" decreased by one. The trust on those certificates is system default and they are not system root certificates. GODEBUG=x509roots=1 go test
It's been mentioned Do these certificates only have SubjectAltNames for emails or Extended KeyUsage for email?
The certificates have: and: (Where X and Y are placeholders here for actual email addresses)
@FiloSottile Should we ignore picking up certs that only have email SANs? Also, I don't really see crypto/x509 documented as "web pki only", but should we?
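The diagnosis reached in the comments above (the non-cgo path also returns S/MIME leaf certificates from the login keychain, so the overlap falls below the threshold), as an added Go example that is not part of the issue thread or of crypto/x509. The names `emailOnly`, `compareRoots` and `sample` are hypothetical, the "half of the larger set" threshold is inferred from the logged numbers (455 roots, want at least 227), and the certificates are constructed stand-ins rather than parsed keychain entries.

```go
package main

import (
	"crypto/x509"
	"fmt"
)

// emailOnly reports whether c is a non-CA certificate whose only SANs are e-mail addresses.
func emailOnly(c *x509.Certificate) bool {
	return !c.IsCA && len(c.EmailAddresses) > 0 && len(c.DNSNames)+len(c.IPAddresses)+len(c.URIs) == 0
}

// compareRoots returns the overlap (by raw DER) and the minimum wanted: half of the larger set.
func compareRoots(cgo, nocgo []*x509.Certificate, ignoreEmailOnly bool) (have, want int) {
	seen := make(map[string]bool, len(cgo))
	for _, c := range cgo {
		seen[string(c.Raw)] = true
	}
	n := 0 // non-cgo certificates that count toward the comparison
	for _, c := range nocgo {
		if ignoreEmailOnly && emailOnly(c) {
			continue
		}
		n++
		if seen[string(c.Raw)] {
			have++
		}
	}
	if want = len(cgo) / 2; n > len(cgo) {
		want = n / 2
	}
	return have, want
}

// sample returns constructed stand-ins (not real keychain data): 2 CA roots seen by both
// paths, plus 4 S/MIME leaf certificates that only the non-cgo path picks up.
func sample() (cgo, nocgo []*x509.Certificate) {
	cgo = []*x509.Certificate{{Raw: []byte("root-A"), IsCA: true}, {Raw: []byte("root-B"), IsCA: true}}
	nocgo = append(nocgo, cgo...)
	for i := 0; i < 4; i++ {
		nocgo = append(nocgo, &x509.Certificate{Raw: []byte{'M', byte(i)}, EmailAddresses: []string{"x@example.com"}})
	}
	return cgo, nocgo
}

func main() {
	cgo, nocgo := sample()
	fmt.Println(compareRoots(cgo, nocgo, false)) // want exceeds have: the failure reported in the thread
	fmt.Println(compareRoots(cgo, nocgo, true))  // e-mail-only leaves ignored: the overlap is sufficient
}
```

Both functions take parsed `*x509.Certificate` values, so the same comparison can be run on certificates parsed from a real keychain export.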
Change https://golang.org/cl/125259 mentions this issue:

cgo and non-cgo code paths can disagree on the number of root certificates:

=== RUN TestSystemRoots
--- FAIL: TestSystemRoots (0.31s)
root_darwin_test.go:31: cgo sys roots: 93.605184ms
root_darwin_test.go:32: non-cgo sys roots: 213.998586ms
root_darwin_test.go:44: got 168 roots
root_darwin_test.go:44: got 427 roots
root_darwin_test.go:73: insufficient overlap between cgo and non-cgo roots; want at least 213, have 168
FAIL
exit status 1

Updates #21416
Updates #24652

Change-Id: Idb6d35b17c142dfff79a10cf6b40a42d12f9d17e
Reviewed-on: https://go-review.googlesource.com/125259
Run-TryBot: Martin Möhrmann <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Brad Fitzpatrick <[email protected]>
This is failing again on the 10.11 builders (but not the other darwin builders) as of https://golang.org/cl/128117.
I'm working on it. I have so far not figured out where those three certificates come from.
Just a note that this is still failing the darwin 10.11 builds. There is also a similar failure for darwin-amd64-race. Example: https://build.golang.org/log/a93b418cfdfb8f67374c79b7bb2fb2a804c53fc6
Change https://golang.org/cl/156329 mentions this issue:
go tip 23cd87e and earlier in 1.9 candidates
While running ./all.bash I have a reproducible test error on darwin:
--- FAIL: TestSystemRoots (1.41s)
root_darwin_test.go:31: cgo sys roots: 443.728642ms
root_darwin_test.go:32: non-cgo sys roots: 964.424609ms
root_darwin_test.go:44: got 169 roots
root_darwin_test.go:44: got 453 roots
root_darwin_test.go:73: insufficient overlap between cgo and non-cgo roots; want at least 226, have 168
FAIL
macOS Sierra 10.12.6, but I have seen that failure on macOS 10.11 too since I just upgraded.
Darwin ender 16.7.0 Darwin Kernel Version 16.7.0: Thu Jun 15 17:36:27 PDT 2017; root:xnu-3789.70.16~2/RELEASE_X86_64 x86_64
another similar report here:
https://groups.google.com/forum/#!topic/golang-nuts/LZvj2N_8gs4