
Outdated apple SDK Security framework #269646

@cottand


Describe the bug

The Security framework includes SecTrustCopyCertificateChain as of macOS 12+, but I can't build packages that require that function via flakes.

I am guessing nixpkgs bundles this somehow (I am not a darwin dev so I am struggling to find where to look)

Steps To Reproduce

You can build this flake. It builds a Go module that tries to make use of this function.

This is not the actual code I am trying to compile (I cannot share it) but this reproduces the same error.

```nix
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  inputs.utils.url = "github:numtide/flake-utils";

  outputs = { nixpkgs, utils, ... }: (utils.lib.eachDefaultSystem (system:
    let
      pkgs = import nixpkgs { inherit system; };
      # Apple frameworks as packaged by nixpkgs (the Security one is what is missing the symbol)
      CoreFoundation = pkgs.darwin.apple_sdk.frameworks.CoreFoundation;
      Security = pkgs.darwin.apple_sdk.frameworks.Security;
    in
    rec {
      packages.default = pkgs.buildGoModule {
        pname = "tools";
        version = "tools-2023.11.23.685";

        vendorHash = "sha256-Qd2xSBm67tQzYgC+vS76ewaZYWmbvICDQK2NvxwOPDY=";
        nativeBuildInputs = [ CoreFoundation Security ];
        buildInputs = [ CoreFoundation Security ];

        # not sure if this is needed: point cgo at the framework headers and libraries
        CGO_CFLAGS = "-iframework ${CoreFoundation}/Library/Frameworks -iframework ${Security}/Library/Frameworks";
        CGO_LDFLAGS = "-F${CoreFoundation}/Library/Frameworks -F${Security}/Library/Frameworks";

        src = pkgs.fetchFromGitHub {
          owner = "aws";
          repo = "rolesanywhere-credential-helper";
          rev = "43f2060";
          hash = "sha256-mXLzHPdQLsny2c5dZsL7Y5RRne8taFJt51XwlYmGwf0=";
        };
      };
    }));
}
```

Run `nix build .` on a directory with that flake

Actual behaviour

```
$ nix build .

error: builder for '/nix/store/cpkx1c0r3bhs2hq8cakzb82vis1lrbad-tools-tools-2023.11.23.685.drv' failed with exit code 1;
       last 10 log lines:
       [ ... ]
       > building
       > Building subPackage .
       > # github.com/aws/rolesanywhere-credential-helper/aws_signing_helper
       > aws_signing_helper/darwin_cert_store_signer.go:212:18: could not determine kind of name for C.SecTrustCopyCertificateChain
```

Expected behavior

Successful build

Additional context

The function is present in my darwin machine:

```
$ cat /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecTrust.h | grep 'SecTrustCopyCertificateChain'
    SecTrustCopyCertificateChain provides thread-safe results.
    API_DEPRECATED_WITH_REPLACEMENT("SecTrustCopyCertificateChain", macos(10.7, 12.0), ios(2.0, 15.0), watchos(1.0, 8.0), tvos(9.0, 15.0));
    @function SecTrustCopyCertificateChain
CFArrayRef SecTrustCopyCertificateChain(SecTrustRef trust)
```

Although I am not sure if that is the right place to look.

I cannot see it in nixpkgs when I try to make a derivation that has `pkgs.darwin.apple_sdk.frameworks.Security` as a buildInput:

```
$ cat /nix/store/psigbvki880kklmj933dkx6f3f2z5m4q-apple-framework-Security-11.0.0/Library/Frameworks/Security.framework/Headers/SecTrust.h | grep 'SecTrustCopyCertificateChain'
# no results!!!
```

Notify maintainers

@wegank or @0xnetfox or @reckenrode ? Based on git blame of what I think might be relevant files. Sorry for pinging you if that's wrong!
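Added example, not code from the issue, from nixpkgs or from the credential helper: a POSIX shell helper that turns the two `grep` checks above into a repeatable comparison. Given a framework header and a function name, it reports whether the function is declared and reads the minimum macOS version out of the `API_AVAILABLE` / `API_DEPRECATED_WITH_REPLACEMENT` annotation that Apple places on the declaration, so the 11.0.0 framework derivation can be compared against the system SDK. The helper name `sdk_symbol_status` and the two headers it inspects are my own: both headers are constructed samples modelled on the SecTrust.h lines quoted in the issue (the exact `API_AVAILABLE(macos(12.0), ...)` text on the new function is an assumption; the issue only states the API exists as of macOS 12), not real SDK files.

```shell
#!/bin/sh
# Added example (not code from the issue or from nixpkgs): report whether a
# Security.framework header declares a function and which macOS availability its
# annotation records, so a nixpkgs framework derivation's headers can be compared
# with the system SDK's. The two headers inspected below are constructed samples
# modelled on the SecTrust.h lines quoted in the issue, not real SDK files.

# sdk_symbol_status HEADER SYMBOL
# Prints one line and returns 0 if SYMBOL is declared, 1 if it is missing:
#   available since macOS X                                (API_AVAILABLE)
#   deprecated: introduced macOS X, deprecated in macOS Y  (API_DEPRECATED*)
#   declared (no availability annotation)
#   missing
sdk_symbol_status() {
    header=$1
    symbol=$2
    if [ ! -r "$header" ]; then
        echo "unreadable: $header" >&2
        return 2
    fi
    awk -v sym="$symbol" '
        # The declaration starts with a type at column 0 and contains "SYMBOL(";
        # @function doc lines and prose mentions are indented, so they are skipped.
        !found && /^[A-Za-z_]/ && index($0, sym "(") > 0 { found = 1; text = $0; next }
        # Apple puts the availability macro on the declaration line or the next one.
        found && extra < 1 { text = text " " $0; extra++ }
        END {
            if (!found) { print "missing"; exit 1 }
            if (match(text, /API_AVAILABLE\(macos\([0-9.]+\)/)) {
                v = substr(text, RSTART, RLENGTH)
                sub(/.*macos\(/, "", v); sub(/\)$/, "", v)
                print "available since macOS " v
            } else if (match(text, /API_DEPRECATED[A-Z_]*\([^)]*macos\([0-9.]+, *[0-9.]+\)/)) {
                v = substr(text, RSTART, RLENGTH)
                sub(/.*macos\(/, "", v); sub(/\)$/, "", v)
                split(v, vers, /, */)
                print "deprecated: introduced macOS " vers[1] ", deprecated in macOS " vers[2]
            } else {
                print "declared (no availability annotation)"
            }
        }
    ' "$header"
}

# Constructed sample headers (not real SDK files): one modelled on a macOS 12 SDK,
# one on the 11.0 SDK that the nixpkgs apple-framework-Security derivation ships.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
NEW_SDK_HEADER="$SAMPLE_DIR/SecTrust-sdk12.h"
OLD_SDK_HEADER="$SAMPLE_DIR/SecTrust-sdk11.h"

cat > "$OLD_SDK_HEADER" <<'EOF'
/*!
    @function SecTrustGetCertificateAtIndex
    @abstract Returns a certificate from the evaluated chain.
 */
__nullable SecCertificateRef SecTrustGetCertificateAtIndex(SecTrustRef trust, CFIndex ix)
    API_AVAILABLE(macos(10.7), ios(2.0));
EOF

cat > "$NEW_SDK_HEADER" <<'EOF'
/*!
    @function SecTrustGetCertificateAtIndex
    @abstract Returns a certificate from the evaluated chain.
    @discussion Deprecated; SecTrustCopyCertificateChain provides thread-safe results.
 */
__nullable SecCertificateRef SecTrustGetCertificateAtIndex(SecTrustRef trust, CFIndex ix)
    API_DEPRECATED_WITH_REPLACEMENT("SecTrustCopyCertificateChain", macos(10.7, 12.0), ios(2.0, 15.0), watchos(1.0, 8.0), tvos(9.0, 15.0));

/*!
    @function SecTrustCopyCertificateChain
    @abstract Returns the whole evaluated certificate chain as a CFArray.
 */
CFArrayRef SecTrustCopyCertificateChain(SecTrustRef trust)
    API_AVAILABLE(macos(12.0), ios(15.0), tvos(15.0), watchos(8.0));
EOF

# Stand-alone demonstration: check both headers for the function the build needs.
for h in "$OLD_SDK_HEADER" "$NEW_SDK_HEADER"; do
    printf '%s: %s\n' "$(basename "$h")" "$(sdk_symbol_status "$h" SecTrustCopyCertificateChain)"
done
```

Pointing the helper at the two real paths from the report (the `/nix/store/...-apple-framework-Security-11.0.0/...` header and the CommandLineTools SDK header) gives the same contrast as the two `grep` runs, with the required SDK version read from the annotation instead of guessed, and a non-zero exit status that a build script can act on before `cgo` fails with "could not determine kind of name".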
