build universal binaries for orbit in macOS in our test tuf server (#16712)

Roberto Dip · web-flow · commit 8645d4525ed3 · 2024-02-23T19:09:56.000-03:00
two motivations:

- prevent mysterious crashes in arm64 machines without Rosetta (often
the case in fresh VMs)
- prevent unexpected errors in Windows arm64 VMs when using certain
system calls

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Manual QA for all new/changed functionality
diff --git a/orbit/tools/build/build.go b/orbit/tools/build/build.go
@@ -33,6 +33,11 @@ func main() {
 	commit := os.Getenv("ORBIT_COMMIT")
 	date := time.Now().UTC().Format("2006-01-02T15:04:05Z")
 
+	binaryPath := os.Getenv("ORBIT_BINARY_PATH")
+	if binaryPath == "" {
+		binaryPath = "orbit-darwin"
+	}
+
 	codesign := false
 	if codesignIdentity != "" {
 		codesign = true
@@ -50,7 +55,6 @@ func main() {
 	const (
 		amdBinaryPath    = "orbit-darwin-amd64"
 		armBinaryPath    = "orbit-darwin-arm64"
-		binaryPath       = "orbit-darwin"
 		bundleIdentifier = "com.fleetdm.orbit"
 	)
 	if err := buildOrbit(amdBinaryPath, "amd64", version, commit, date); err != nil {
diff --git a/tools/tuf/test/README.md b/tools/tuf/test/README.md
@@ -68,6 +68,19 @@ GOOS=windows GOARCH=amd64 go build -o orbit-windows.exe ./orbit/cmd/orbit
 ./tools/tuf/test/push_target.sh windows orbit orbit-windows.exe 43
 ```
 
+If the script was executed on a macOS host, the Orbit binary will be an universal binary. To push updates you can do:
+
+```sh
+# Compile a universal binary of Orbit:
+CGO_ENABLED=1 \
+ORBIT_VERSION=42 \
+ORBIT_BINARY_PATH="orbit-macos" \
+go run ./orbit/tools/build/build.go
+
+# Push the compiled Orbit as a new version
+./tools/tuf/test/push_target.sh macos orbit orbit-macos 43
+```
+
 E.g. to add a new version of `osqueryd` for macOS:
 ```sh
 # Generate osqueryd app bundle.
diff --git a/tools/tuf/test/create_repository.sh b/tools/tuf/test/create_repository.sh
@@ -61,20 +61,30 @@ for system in $SYSTEMS; do
     rm $osqueryd_path
 
     goose_value="$system"
+    goarch_value="" # leave it empty to use the default for the system
     if [[ $system == "macos" ]]; then
         goose_value="darwin"
+	# for all platforms except Darwin, GOARCH is hardcoded to amd64 to
+	# prevent cross compilation issues when building macOS arm64 binaries
+	# from Linux (CGO + libraries are required)
+	goarch_value="amd64"
     fi
     orbit_target=orbit-$system
     if [[ $system == "windows" ]]; then
         orbit_target="${orbit_target}.exe"
     fi
 
-    # Compile the latest version of orbit from source.
-    GOOS=$goose_value GOARCH=amd64 go build -ldflags="-X github.com/fleetdm/fleet/v4/orbit/pkg/build.Version=42" -o $orbit_target ./orbit/cmd/orbit
-
-    # If macOS and CODESIGN_IDENTITY is defined, sign the executable.
-    if [[ $system == "macos" && -n "$CODESIGN_IDENTITY" ]]; then
-        codesign -s "$CODESIGN_IDENTITY" -i com.fleetdm.orbit -f -v --timestamp --options runtime $orbit_target
+    # compiling a macOS-arm64 binary requires CGO and a macOS computer (for
+    # Apple keychain, some tables, etc), if this is the case, compile an
+    # universal binary.
+    if [ $system == "macos" ] && [ "$(uname -s)" = "Darwin" ]; then
+       CGO_ENABLED=1 \
+       CODESIGN_IDENTITY=$CODESIGN_IDENTITY \
+       ORBIT_VERSION=42 \
+       ORBIT_BINARY_PATH=$orbit_target \
+       go run ./orbit/tools/build/build.go
+    else
+      GOOS=$goose_value GOARCH=$goarch_value go build -ldflags="-X github.com/fleetdm/fleet/v4/orbit/pkg/build.Version=42" -o $orbit_target ./orbit/cmd/orbit
     fi
 
     ./build/fleetctl updates add \
