Golang MacOS Intel x86_64 Darwin _SecTrustEvaluateWithError

Hello,
I am having issues getting some golang code to build in nix when running on an intel based mac.
nix (Nix) 2.21.1
MacOS 14.4.1
golang 1.21.8

flake.nix

{
  description = "test developement shell";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = inputs@{ self, nixpkgs, flake-utils, ... }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs { inherit system; overlays = [ ]; };
      in rec {
        devShell = pkgs.callPackage ./shell.nix {inherit pkgs;};
        formatter = pkgs.nixpkgs-fmt;
      });
}

shell.nix

{ pkgs }:
with pkgs;
let
  go = pkgs.go_1_21;
  postgresql = postgresql_14;
  nodejs = nodejs-18_x;
  nodePackages = pkgs.nodePackages.override { inherit nodejs; };
in
mkShell {
  nativeBuildInputs = [
    go
    goreleaser
    postgresql

    python3
    python3Packages.pip

    curl
    nodejs
    nodePackages.pnpm
    pre-commit
    go-ethereum # geth
    go-mockery
    gotools
    gopls
    delve
    golangci-lint
    github-cli
    jq
    awscli2
    devspace
    kubectl
    kubernetes-helm
    k9s
  ] ++ lib.optionals stdenv.isLinux [
    # some dependencies needed for node-gyp on pnpm install
    pkg-config
    libudev-zero
    libusb1
  ];
  LD_LIBRARY_PATH = "${stdenv.cc.cc.lib}/lib64:$LD_LIBRARY_PATH";
  GOROOT = "${go}/share/go";
}

Error I am running into on go build:

go build ./...
...
/Users/user/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.21.8.darwin-amd64/pkg/tool/darwin_amd64/link: running clang failed: exit status 1
Undefined symbols for architecture x86_64:
  "_SecTrustEvaluateWithError", referenced from:
      _crypto/x509/internal/macos.x509_SecTrustEvaluateWithError_trampoline.abi0 in go.o
ld: symbol(s) not found for architecture x86_64
clang-16: error: linker command failed with exit code 1 (use -v to see invocation)

I have tried everything I could find so far in this forum, stack overflow, options chatGPT thought I should try. So far no luck. From what I have read it sounds like this was a change in mac around the 10.13 era and golang may have started having this kind of issue around go 1.18. Does anyone know of a solution to this?

1 Like

The default SDK version on x86_64-darwin is 10.12, which lacks that symbol. You need to use the 11.0 SDK.

Try the following to use the 11.0 SDK. In your shell.nix, override mkShell then replace your mkShell invocation with mkShell' (or whatever you decide to call it).

  mkShell' = mkShell.override {
    stdenv = if stdenv.isDarwin then overrideSDK stdenv "11.0" else stdenv; }
  };
1 Like

Sadly I still see the same with that override.

I did find an unfortunate workaround that will help me get by temporarily by setting CGO_ENABLED=0. This at least lets me build my project in its current state but doesn’t save me for other projects that need it enabled.

1 Like

Finally found a better fix for this. In my flake.nix I added:

callPackage = pkgs.darwin.apple_sdk_11_0.callPackage or pkgs.callPackage;

So now my flake file looks like:

{
  description = "test developement shell";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = inputs@{ self, nixpkgs, flake-utils, ... }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs { inherit system; overlays = [ ]; };
        callPackage = pkgs.darwin.apple_sdk_11_0.callPackage or pkgs.callPackage;
      in rec {
        devShell = callPackage ./shell.nix {inherit pkgs;};
        formatter = pkgs.nixpkgs-fmt;
      });
}

This is still not perfect but fixes a lot more issues when building go code using my shell.nix now. So far for all my projects this combined with setting CGO_ENABLED=0; in the shell.nix have cleaned up all my issues. I don’t know if this would fix it for all issues though.

2 Likes

If overrideSDK is not working, it would be good to have a test case, so it can be investigated. apple_sdk_11_0.callPackage is not deprecated yet, but it will be, and overrideSDK is the intended replacementx

I did a nix flake update this morning and now have golang 1.21.9 and that problem goes away. So this wasn’t even a nix issue, at least the _SecTrustEvaluateWithError wasn’t. I did then run into:

/nix/store/1ilwk5v4vqbx9hsh695cdfxjsispqfvj-go-1.21.9/share/go/pkg/tool/darwin_amd64/link: running clang failed: exit status 1
Undefined symbols for architecture x86_64:
  "_utimensat", referenced from:
      _syscall.libc_utimensat_trampoline.abi0 in go.o
      _libc_utimensat_trampoline in go.o
ld: symbol(s) not found for architecture x86_64
clang-16: error: linker command failed with exit code 1 (use -v to see invocation)

which your changes added to my shell.nix do now fix:

  mkShell' = mkShell.override {
    stdenv = if stdenv.isDarwin then overrideSDK stdenv "11.0" else stdenv;
  };
2 Likes

I tried a lot of other approaches, this worked. I believe it some temporary transition moment in nixos-unstable. They did cleanup in area.