diff --git a/main.go b/main.go
index 25d76e2..11194c4 100644
--- a/main.go
+++ b/main.go
@@ -327,7 +327,13 @@ func transformCompile(args []string) ([]string, error) {
 		return args, nil
 	}
 	pkgPath := flagValue(flags, "-p")
-	if !isPrivate(pkgPath) {
+	if pkgPath == "runtime/internal/sys" {
+		// Even though this package isn't private, we will still process
+		// it to remove the go version constant later. However, we only
+		// want flags to work on private packages.
+		envGarbleLiterals = false
+		envGarbleDebugDir = ""
+	} else if !isPrivate(pkgPath) {
 		return args, nil
 	}
 	for i, path := range paths {
@@ -419,8 +425,22 @@ func transformCompile(args []string) ([]string, error) {
 	// TODO: randomize the order and names of the files
 	for i, file := range files {
 		origName := filepath.Base(filepath.Clean(paths[i]))
-		name := fmt.Sprintf("z%d.go", i)
+		name := origName
 		switch {
+		case pkgPath == "runtime/internal/sys":
+			// The first declaration in zversion.go contains the Go
+			// version as follows. Replace it here, since the
+			// linker's -X does not work with constants.
+			//
+			//     const TheVersion = `devel ...`
+			//
+			// Don't touch the source in any other way.
+			if origName != "zversion.go" {
+				break
+			}
+			spec := file.Decls[0].(*ast.GenDecl).Specs[0].(*ast.ValueSpec)
+			lit := spec.Values[0].(*ast.BasicLit)
+			lit.Value = "`unknown`"
 		case strings.HasPrefix(origName, "_cgo_"):
 			// Cgo generated code requires a prefix. Also, don't
 			// garble it, since it's just generated code and it gets
@@ -428,6 +448,7 @@ func transformCompile(args []string) ([]string, error) {
 			name = "_cgo_" + name
 		default:
 			file = transformGo(file, info, blacklist)
+			name = fmt.Sprintf("z%d.go", i)
 		}
 		tempFilePath := filepath.Join(tempDir, name)
 		tempFile, err := os.Create(tempFilePath)
@@ -874,12 +895,6 @@ func transformLink(args []string) ([]string, error) {
 	// link operation or the main package's compilation.
 	flags = flagSetValue(flags, "-buildid", "")
 
-	// Ensure that we don't leak the Go version that built this binary. This
-	// is present as a string in the runtime package, and the linker has no
-	// flag like -buildid to omit it, so we manually replace the values.
-	flags = append(flags, "-X", "runtime/internal/sys.TheVersion=unknown")
-	flags = append(flags, "-X", "runtime.buildVersion=unknown")
-
 	// Strip debug information and symbol tables.
 	flags = append(flags, "-w", "-s")
 	return append(flags, paths...), nil
diff --git a/main_test.go b/main_test.go
index 4d2539a..1a361d5 100644
--- a/main_test.go
+++ b/main_test.go
@@ -52,6 +52,7 @@ func TestScripts(t *testing.T) {
 			env.Vars = append(env.Vars,
 				"GOPROXY="+proxyURL,
 				"GONOSUMDB=*",
+				"gofullversion="+runtime.Version(),
 			)
 			bindir := filepath.Join(env.WorkDir, ".bin")
 			if err := os.Mkdir(bindir, 0o777); err != nil {
diff --git a/testdata/scripts/basic.txt b/testdata/scripts/basic.txt
index 938577e..3f42075 100644
--- a/testdata/scripts/basic.txt
+++ b/testdata/scripts/basic.txt
@@ -24,8 +24,10 @@ go version main$exe
 stdout 'unknown'
 ! stdout 'go1'
 ! stdout 'devel'
+! stdout $gofullversion
 
-! binsubstr main$exe ${WORK@R} 'globalVar' 'globalFunc'
+# The binary can't contain the version string either.
+! binsubstr main$exe ${WORK@R} 'globalVar' 'globalFunc' $gofullversion
 
 [short] stop # checking that the build is reproducible is slow
 
@@ -48,7 +50,7 @@ cmp stderr main.stderr
 
 # The default build includes full non-trimmed paths, as well as our names.
 # Only check $WORK on non-windows, because it's difficult to do it there.
-binsubstr main$exe 'globalVar' 'globalFunc'
+binsubstr main$exe 'globalVar' 'globalFunc' $gofullversion
 [!windows] binsubstr main$exe ${WORK@R}
 
 -- main.go --