strip debug symbols, add BoringCryto to buildinfo

Signed-off-by: Spike Curtis <spike@coder.com>
coder · spikecurtis · Sep 5, 2023 · Sep 5, 2023 · Sep 5, 2023 · Sep 5, 2023
commit dbb504f36f8f1000e3cf696e6e85ad0b5759013d
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -151,22 +151,6 @@ jobs:
           AC_APIKEY_ID: ${{ secrets.AC_APIKEY_ID }}
           AC_APIKEY_FILE: /tmp/apple_apikey.p8
 
-      - name: Check Boring Crypto
-        run: |
-          set -euo pipefail
-
-          version="$(./scripts/version.sh)"
-          go tool nm build/coder_"$version"_linux_amd64 | grep "_Cfunc__goboringcrypto_" &>/dev/null
-          if [[ "$?" == "1" ]]; then
-            echo "build/coder_${version}_linux_amd64 is not built with Boring Crypto"
-            exit 1
-          fi
-          go tool nm build/coder-slim_"$version"_linux_amd64 | grep "_Cfunc__goboringcrypto_" &>/dev/null
-          if [[ "$?" == "1" ]]; then
-            echo "build/coder-slim_${version}_linux_amd64 is not built with Boring Crypto"
-            exit 1
-          fi
-
       - name: Delete Apple Developer certificate and API key
         run: rm -f /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
 

diff --git a/Makefile b/Makefile
@@ -106,16 +106,8 @@ CODER_ARCH_IMAGE_PREREQUISITES := \
 endif
 
 # used to decide if we can build with boringcrypto
-ifeq ($(OS),Windows_NT)
-	local_os:=Windows
-	local_arch:="" #ignored, no boringcrypto support for Windows
-else
-	local_os:=$(shell uname -s)
-	local_arch:=$(shell uname -m)
-endif
-ifeq ($(local_arch),x86_64)
-	local_arch:=amd64
-endif
+local_os:=$(shell go env GOHOSTOS)
+local_arch:=$(shell go env GOHOSTARCH)
 
 clean:
 	rm -rf build site/out
@@ -235,7 +227,7 @@ $(CODER_ALL_BINARIES): go.mod go.sum \
 
 	# boringcrypto is only supported on Linux
 	# boringcrypto uses CGO, which isn't supported when cross compiling architectures
-	if [[ "$$os" == "linux" ]] && [[ "${local_os}" == "Linux" ]] && [[ "$$arch" == "${local_arch}" ]]; then
+	if [[ "$$os" == "linux" ]] && [[ "${local_os}" == "linux" ]] && [[ "$$arch" == "${local_arch}" ]]; then
 		build_args+=(--boringcrypto)
 	fi
 

diff --git a/buildinfo/boring.go b/buildinfo/boring.go
@@ -0,0 +1,7 @@
+//go:build boringcrypto
+
+package buildinfo
+
+import "crypto/boring"
+
+var boringcrypto = boring.Enabled()
diff --git a/buildinfo/buildinfo.go b/buildinfo/buildinfo.go
@@ -87,6 +87,10 @@ func IsAGPL() bool {
 	return strings.Contains(agpl, "t")
 }
 
+func IsBoringCrypto() bool {
+	return boringcrypto
+}
+
 // ExternalURL returns a URL referencing the current Coder version.
 // For production builds, this will link directly to a release.
 // For development builds, this will link to a commit.

diff --git a/buildinfo/notboring.go b/buildinfo/notboring.go
@@ -0,0 +1,5 @@
+//go:build !boringcrypto
+
+package buildinfo
+
+var boringcrypto = false
diff --git a/cli/version.go b/cli/version.go
@@ -13,11 +13,12 @@ import (
 // versionInfo wraps the stuff we get from buildinfo so that it's
 // easier to emit in different formats.
 type versionInfo struct {
-	Version     string    `json:"version"`
-	BuildTime   time.Time `json:"build_time"`
-	ExternalURL string    `json:"external_url"`
-	Slim        bool      `json:"slim"`
-	AGPL        bool      `json:"agpl"`
+	Version      string    `json:"version"`
+	BuildTime    time.Time `json:"build_time"`
+	ExternalURL  string    `json:"external_url"`
+	Slim         bool      `json:"slim"`
+	AGPL         bool      `json:"agpl"`
+	BoringCrypto bool      `json:"boring_crypto"`
 }
 
 // String() implements Stringer
@@ -28,6 +29,9 @@ func (vi versionInfo) String() string {
 		_, _ = str.WriteString("(AGPL) ")
 	}
 	_, _ = str.WriteString(vi.Version)
+	if vi.BoringCrypto {
+		_, _ = str.WriteString(" BoringCrypto")
+	}
 
 	if !vi.BuildTime.IsZero() {
 		_, _ = str.WriteString(" " + vi.BuildTime.Format(time.UnixDate))
@@ -45,11 +49,12 @@ func (vi versionInfo) String() string {
 func defaultVersionInfo() *versionInfo {
 	buildTime, _ := buildinfo.Time()
 	return &versionInfo{
-		Version:     buildinfo.Version(),
-		BuildTime:   buildTime,
-		ExternalURL: buildinfo.ExternalURL(),
-		Slim:        buildinfo.IsSlim(),
-		AGPL:        buildinfo.IsAGPL(),
+		Version:      buildinfo.Version(),
+		BuildTime:    buildTime,
+		ExternalURL:  buildinfo.ExternalURL(),
+		Slim:         buildinfo.IsSlim(),
+		AGPL:         buildinfo.IsAGPL(),
+		BoringCrypto: buildinfo.IsBoringCrypto(),
 	}
 }
 

diff --git a/scripts/build_go.sh b/scripts/build_go.sh
@@ -102,16 +102,11 @@ if [[ "$sign_darwin" == 1 ]]; then
 fi
 
 ldflags=(
+	-s
 	-w
 	-X "'github.com/coder/coder/v2/buildinfo.tag=$version'"
 )
 
-# For boringcrypto we want to leave the symbols so we can verify it was build correctly for
-# FIPS compliance.  This adds a few MiB to the binary.
-if [[ "$boringcrypto" == 0 ]]; then
-	ldflags+=(-s)
-fi
-
 # We use ts_omit_aws here because on Linux it prevents Tailscale from importing
 # github.com/aws/aws-sdk-go-v2/aws, which adds 7 MB to the binary.
 TS_EXTRA_SMALL="ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube"