@rolandshoemaker, @FiloSottile: I suspect that this is closely related to CL 362294 / CL 353403.

(This is a release-blocker for Go 1.18 via #11811.)

(See previously #42459, which also reported a link error for _SecItemExport; CC @cherrymui.)

Change https://golang.org/cl/363985 mentions this issue: dashboard: remove known issue for iOS and Android builders

Change https://golang.org/cl/364554 mentions this issue: crypto/x509/internal/macos: use APIs available on ios

This is a two part issue:

(1) we used an API which is only available on macOS, so it's obviously unavailable on iOS. CL364554 switches to an API available on both.
(2) SecTrustEvaluateWithError is available on iOS, as of 12.0. The builders use iOS 14.6, but the clang wrapper sets the minimum version to 6.0, and the SDK in use is for 11.2 (there appears to be no real documentation of this. Bumping the minimum version to 12.0, and updating the SDK to a modern one (14.5) appears to fix these issues.

I've sent a CL for (1), but I'm not sure how best to go about fixing (2). I can send a CL which bumps the min version, but the SDK on the builders needs to be bumped, but that appears to be supplied OOB (and the only instructions appear to be for a new instance, and I can't see any documentation for what to do if we need to make changes? Possibly wipe the instance and re-initialize?)

CC @steeve, @changkun Are you able to help with updating the SDK on the ios-arm64-corellium builder? Thanks very much.

I am not sure how to bump the SDK on the builders, @eliasnaur do you recall where this is kept?
Also, bumping ios-version-min=12 might require some discussion (but I think it's okay) as some folks might still be distributing on ios 11 (we do, but we could bump I guess).

bumping ios-version-min=12 might require some discussion

That seems to be #48076?

The SDK lives at /var/root/iPhoneOS.sdk and the clang wrapper lives at /var/root/bin/clangwrap on the builders.

The builders are initialized using https://github.com/golang/build/blob/master/env/corellium/ios/install.sh

Would it make sense to add a build constraint (maybe ios-11) that replaces the function that calls SecTrustEvaluateWithError with one that fails unconditionally? That might allow users who really want to support older iOS to do so at the expense of not being able to verify certificates (which I'm guessing may not have up-to-date revocations on older iOS anyway).

That is a viable approach if we want to continue to support older iOS versions. Another option is that we could implement a special pre-iOS version which uses the older APIs for certificate verification which have been deprecated, but that is a significant amount of work, since a lot of the old APIs don't interoperate well with the new ones.

Looking at #48076, it feels like raising the minimum version to iOS 12 is the right choice for Go 1.18, regardless of the complete policy. This fortunately solves our problem here, too.

If iOS 12 is decided (as in #48076) to be the minimum targeting version for 1.18, I can help with updating the SDKs inside the builders.

Change https://golang.org/cl/366914 mentions this issue: doc/go1.18: document that iOS 12 or newer is required

@changkun Yes, I think we'll go with iOS 12 for Go 1.18. I've mailed CL 366914 to document it in the release notes. Thank you for your help with with updating the builders accordingly, and in turn resolving this release-blocking issue.

I've updated the SDK in one of the three iOS builders. The other two seem to have trouble connecting to them (still waiting for Corellium's response). But according to the log, there might be another issue.

@changkun what SDK did you update to? (and were there any other steps you took?)

From the most recent builder logs I see a panic due to bad syscall, which I didn't see when I was testing against the 14.5 SDK on the builder.

@rolandshoemaker Yes, the iPhone SDK is updated to 12.4, and the go bootstrap is updated 1.17.3

I don't know if the bad syscall panic is caused by the SDK version. But should I further bump the SDK version to 14.5 so that we could learn more experience on the error? or could it be another issue?

I don't really have enough experience with iOS to know, I'd suggest bumping it to 14.5 just to check if that's it, but it could also be the bootstrap version change, or something else entirely 🤷.

(out of interest, what was the reason for bumping the bootstrap version? did it break without?)

I tried with gomote that disabling sendfile makes all.bash pass on the iOS builder.

It is interesting that it signals with SIGSYS, instead of returning ENOSYS, which one would expect if the syscall is not supported, and our code handles. Googling found ndfred/iperf-ios#17 . Maybe sendfile is just broken on (some version of) iOS?

Maybe it was not broken on the old version of iOS which the builder used to run? Or it wasn't available so it just returned ENOSYS?

Change https://golang.org/cl/368054 mentions this issue: net: do not use sendfile on iOS

Update: This build log is based on iPhoneSDK14.5, and as we see the build log is still failing, hence we can remove the reason from SDK versions.

I have replaced the SDK with 14.5.
We should need to wait for another commit on the master branch to see what will happen or so?

The bump of the bootstrap version was because the previous bootstrap was built on a commit between 1.16beta1 and 1.16 release, according to the log, the bootstrap was problematic and did not enable cgo in the build.

The actually selected version of go bootstrap has no particular reason and simply represents the latest release.

In terms of the iOS version, the current running iOS on the builder is 14.6, and it seems that the mentioned issue from @cherrymui is relatively old (although I don't have further supporting evidence)

With the builder updates that @changkun performed, and as of CL 368054 landing, the iOS builder is passing. If I understand correctly, there's nothing more to do for this issue, right?

If so, I'll send a CL that removes the builder's known issue.

Change https://golang.org/cl/369255 mentions this issue: dashboard: clear known issue for ios builder

SGTM. Thanks.

And I think we can close this issue.

Closed. Thanks very much for everyone's help resolving this.