fix: zig cc for portable standalone binaries with PKCS11 support (#779)

jevonearth · web-flow · commit a950f88450b7 · 2026-03-06T17:25:14.000-08:00
* fix: use zig cc for portable standalone binaries with PKCS11 support

Replace static builds (which break dlopen/PKCS11) with zig cc portable
builds targeting glibc 2.17+. Binaries are dynamically linked but run
on virtually any Linux distro, including Amazon Linux 2023 (glibc 2.34),
while preserving PKCS11/CloudHSM dlopen support.

- Add zig cc wrapper scripts targeting glibc 2.17 for amd64/arm64/arm
- Install zig toolchain in goreleaser before hooks
- Replace static build targets with portable zig-cc builds
- Fix buildx driver: remove docker driver for dockers_v2 attestation
  support, use imagetools create for snapshot retag

* fix: use double quotes for sh -c in goreleaser before hooks

* fix: goreleaser before hooks are plain strings, not maps

* fix: bake zig cc into custom goreleaser-cross image

Move zig toolchain and wrapper scripts into a custom Docker image
(ghcr.io/ecadlabs/goreleaser-cross-zig) instead of downloading at
release time. Eliminates runtime curl downloads and supply chain risk.

- Add .goreleaser/Dockerfile extending goreleaser-cross with zig 0.14.0
- Remove wrapper scripts from repo (baked into image)
- Remove before hooks (nothing to install at build time)
- Use absolute CC paths via PATH (zig-cc-x86_64, etc.)
- Update Makefile to use custom image

* fix: revert to docker driver, disable attestations for dockers_v2

goreleaser snapshot mode doesn't push images, so imagetools create
can't retag them. Revert to the docker driver with local image
loading and manual tag/push for snapshots.

Disable attestations (--provenance=false, --sbom=false) in dockers_v2
build_flags since the docker driver doesn't support them.

* fix: use correct dockers_v2 fields (sbom, flags) to disable attestations
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -108,113 +108,87 @@ builds:
     flags:
       - '{{ if .IsSnapshot }}-cover{{ else }}-v{{ end }}'
 
-# Static builds (for standalone archives, no glibc dependency)
+# Portable builds (for standalone archives, targets glibc 2.17+ via zig cc)
 # Skipped during snapshot/PR builds to save CI time.
-# Uses the same glibc cross-compilers as dynamic builds but with static
-# linking flags. dlopen won't work (PKCS11 users should use Docker).
-  - id: signatory-linux-amd-static
+# Dynamically linked against old glibc so dlopen/PKCS11 works everywhere.
+  - id: signatory-linux-amd-portable
     skip: '{{ .IsSnapshot }}'
     binary: signatory
     env:
       - CGO_ENABLED=1
-      - CC=gcc
+      - CC=zig-cc-x86_64
     main: ./cmd/signatory/main.go
-    tags:
-      - netgo
-      - osusergo
     ldflags:
       - '-X github.com/ecadlabs/signatory/pkg/metrics.GitRevision={{.Version}}'
       - '-X github.com/ecadlabs/signatory/pkg/metrics.GitBranch={{.Version}}'
-      - '-linkmode external'
-      - '-extldflags "-static"'
     goos:
       - linux
     goarch:
       - amd64
     flags:
       - -v
 
-  - id: signatory-cli-linux-amd-static
+  - id: signatory-cli-linux-amd-portable
     skip: '{{ .IsSnapshot }}'
     binary: signatory-cli
     env:
       - CGO_ENABLED=1
-      - CC=gcc
+      - CC=zig-cc-x86_64
     main: ./cmd/signatory-cli/main.go
-    tags:
-      - netgo
-      - osusergo
     ldflags:
       - '-X github.com/ecadlabs/signatory/pkg/metrics.GitRevision={{.Version}}'
       - '-X github.com/ecadlabs/signatory/pkg/metrics.GitBranch={{.Version}}'
-      - '-linkmode external'
-      - '-extldflags "-static"'
     goos:
       - linux
     goarch:
       - amd64
     flags:
       - -v
 
-  - id: signatory-linux-arm64-static
+  - id: signatory-linux-arm64-portable
     skip: '{{ .IsSnapshot }}'
     binary: signatory
     env:
       - CGO_ENABLED=1
-      - CC=aarch64-linux-gnu-gcc
+      - CC=zig-cc-aarch64
     main: ./cmd/signatory/main.go
-    tags:
-      - netgo
-      - osusergo
     ldflags:
       - '-X github.com/ecadlabs/signatory/pkg/metrics.GitRevision={{.Version}}'
       - '-X github.com/ecadlabs/signatory/pkg/metrics.GitBranch={{.Version}}'
-      - '-linkmode external'
-      - '-extldflags "-static"'
     goos:
       - linux
     goarch:
       - arm64
     flags:
       - -v
 
-  - id: signatory-cli-linux-arm64-static
+  - id: signatory-cli-linux-arm64-portable
     skip: '{{ .IsSnapshot }}'
     binary: signatory-cli
     env:
       - CGO_ENABLED=1
-      - CC=aarch64-linux-gnu-gcc
+      - CC=zig-cc-aarch64
     main: ./cmd/signatory-cli/main.go
-    tags:
-      - netgo
-      - osusergo
     ldflags:
       - '-X github.com/ecadlabs/signatory/pkg/metrics.GitRevision={{.Version}}'
       - '-X github.com/ecadlabs/signatory/pkg/metrics.GitBranch={{.Version}}'
-      - '-linkmode external'
-      - '-extldflags "-static"'
     goos:
       - linux
     goarch:
       - arm64
     flags:
       - -v
 
-  - id: signatory-linux-arm-static
+  - id: signatory-linux-arm-portable
     skip: '{{ .IsSnapshot }}'
     binary: signatory
     env:
       - CGO_ENABLED=1
-      - CC=arm-linux-gnueabihf-gcc
+      - CC=zig-cc-arm
     main: ./cmd/signatory/main.go
-    tags:
-      - netgo
-      - osusergo
     ldflags:
       - '-X github.com/ecadlabs/signatory/pkg/metrics.GitRevision={{.Version}}'
       - '-X github.com/ecadlabs/signatory/pkg/metrics.GitBranch={{.Version}}'
-      - '-linkmode external'
-      - '-extldflags "-static"'
     goos:
       - linux
     goarch:
@@ -224,21 +198,16 @@ builds:
     flags:
       - -v
 
-  - id: signatory-cli-linux-arm-static
+  - id: signatory-cli-linux-arm-portable
     skip: '{{ .IsSnapshot }}'
     binary: signatory-cli
     env:
       - CGO_ENABLED=1
-      - CC=arm-linux-gnueabihf-gcc
+      - CC=zig-cc-arm
     main: ./cmd/signatory-cli/main.go
-    tags:
-      - netgo
-      - osusergo
     ldflags:
       - '-X github.com/ecadlabs/signatory/pkg/metrics.GitRevision={{.Version}}'
       - '-X github.com/ecadlabs/signatory/pkg/metrics.GitBranch={{.Version}}'
-      - '-linkmode external'
-      - '-extldflags "-static"'
     goos:
       - linux
     goarch:
@@ -250,12 +219,12 @@ builds:
 
 archives:
   - ids:
-      - signatory-linux-amd-static
-      - signatory-cli-linux-amd-static
-      - signatory-linux-arm64-static
-      - signatory-cli-linux-arm64-static
-      - signatory-linux-arm-static
-      - signatory-cli-linux-arm-static
+      - signatory-linux-amd-portable
+      - signatory-cli-linux-amd-portable
+      - signatory-linux-arm64-portable
+      - signatory-cli-linux-arm64-portable
+      - signatory-linux-arm-portable
+      - signatory-cli-linux-arm-portable
 
 dockers_v2:
   - id: release
@@ -282,6 +251,9 @@ dockers_v2:
       org.opencontainers.image.revision: '{{.FullCommit}}'
       org.opencontainers.image.version: '{{.Version}}'
       org.opencontainers.image.source: '{{.GitURL}}'
+    sbom: false
+    flags:
+      - --provenance=false
     disable: '{{ .IsSnapshot }}'
   - id: snapshot
     ids:
@@ -306,6 +278,9 @@ dockers_v2:
       org.opencontainers.image.revision: '{{.FullCommit}}'
       org.opencontainers.image.version: '{{.Version}}'
       org.opencontainers.image.source: '{{.GitURL}}'
+    sbom: false
+    flags:
+      - --provenance=false
     disable: '{{ not .IsSnapshot }}'
 
 checksum:
diff --git a/.goreleaser/Dockerfile b/.goreleaser/Dockerfile
@@ -0,0 +1,17 @@
+FROM ghcr.io/goreleaser/goreleaser-cross:v1.25.5
+
+# Install zig toolchain at build time (not at release time).
+# This image is built once, pushed to our GHCR, and pinned by tag.
+ARG ZIG_VERSION=0.14.0
+RUN curl -sSL "https://ziglang.org/download/${ZIG_VERSION}/zig-linux-x86_64-${ZIG_VERSION}.tar.xz" \
+    -o /tmp/zig.tar.xz && \
+    tar xJf /tmp/zig.tar.xz -C /usr/local && \
+    ln -sf "/usr/local/zig-linux-x86_64-${ZIG_VERSION}/zig" /usr/local/bin/zig && \
+    rm /tmp/zig.tar.xz && \
+    zig version
+
+# Install zig cc wrapper scripts targeting glibc 2.17
+RUN printf '#!/bin/sh\nexec zig cc -target x86_64-linux-gnu.2.17 "$@"\n' > /usr/local/bin/zig-cc-x86_64 && \
+    printf '#!/bin/sh\nexec zig cc -target aarch64-linux-gnu.2.17 "$@"\n' > /usr/local/bin/zig-cc-aarch64 && \
+    printf '#!/bin/sh\nexec zig cc -target arm-linux-gnueabihf.2.17 "$@"\n' > /usr/local/bin/zig-cc-arm && \
+    chmod +x /usr/local/bin/zig-cc-*
diff --git a/Makefile b/Makefile
@@ -34,7 +34,7 @@ release-dry-run:
 		-v /var/run/docker.sock:/var/run/docker.sock \
 		-v `pwd`:/go/src/$(PACKAGE_NAME) \
 		-w /go/src/$(PACKAGE_NAME) \
-		ghcr.io/goreleaser/goreleaser-cross:${GOLANG_CROSS_VERSION} \
+		ghcr.io/ecadlabs/goreleaser-cross-zig:${GOLANG_CROSS_VERSION} \
 		release \
 		--clean \
 		--snapshot
@@ -50,7 +50,7 @@ release-preview:
 		-v $(HOME)/.docker:/root/.docker \
 		-v `pwd`:/go/src/$(PACKAGE_NAME) \
 		-w /go/src/$(PACKAGE_NAME) \
-		ghcr.io/goreleaser/goreleaser-cross:${GOLANG_CROSS_VERSION} \
+		ghcr.io/ecadlabs/goreleaser-cross-zig:${GOLANG_CROSS_VERSION} \
 		release \
 		--clean \
 		--snapshot
@@ -71,7 +71,7 @@ release:
 		-v $(HOME)/.docker:/root/.docker \
 		-v `pwd`:/go/src/$(PACKAGE_NAME) \
 		-w /go/src/$(PACKAGE_NAME) \
-		ghcr.io/goreleaser/goreleaser-cross:${GOLANG_CROSS_VERSION} \
+		ghcr.io/ecadlabs/goreleaser-cross-zig:${GOLANG_CROSS_VERSION} \
 		release \
 		--clean \
 		--skip=validate
