strip buildid information from linked binaries

Otherwise, one can use 'go tool buildid' to obtain the main package's build ID, which can make de-obfuscating the main package much simpler. Fixes #43.
4 years ago · c7d1fc7c60
parent 199d24d24f
commit c7d1fc7c60
2 changed files with 12 additions and 0 deletions
--- a/main.go
+++ b/main.go
@ -866,6 +866,10 @@ func transformLink(args []string) ([]string, error) {
 		}
 	})

+	// Ensure we strip the -buildid flag, to not leak any build IDs for the
+	// link operation or the main package's compilation.
+	flags = flagSetValue(flags, "-buildid", "")
+
 	flags = append(flags, "-w", "-s")
 	return append(flags, paths...), nil
 }
--- a/testdata/scripts/basic.txt
+++ b/testdata/scripts/basic.txt
@ -7,10 +7,18 @@ garble build main.go
 exec ./main
 cmp stderr main.stderr

+# Ensure that -w and -s worked.
 [!windows] [exec:readelf] exec readelf --section-headers main$exe
 [!windows] [exec:readelf] ! stdout 'debug_info'
 [!windows] [exec:readelf] ! stdout '\.symtab'

+# The buildid needs to be missing from the binary. Otherwise, we leak
+# information unnecessarily, which is made worse by how we use part of said
+# buildid to obfuscate the main package.
+[!windows] [exec:readelf] ! stdout 'buildid'
+go tool buildid main$exe
+! stdout .
+
 ! binsubstr main$exe ${WORK@R} 'globalVar' 'globalFunc'

 [short] stop # checking that the build is reproducible is slow