From 280d85a80bd14e732dee7e9991c35da80f62bed7 Mon Sep 17 00:00:00 2001
From: Mikkel Krautz <mikkel@krautz.dk>
Date: Mon, 23 Jan 2012 09:42:09 -0500
Subject: [PATCH] ld: fix Mach-O code signing for non-cgo binaries

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/5561060
---
 src/cmd/ld/macho.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/cmd/ld/macho.c b/src/cmd/ld/macho.c
index 05638f7254..6781c25a43 100644
--- a/src/cmd/ld/macho.c
+++ b/src/cmd/ld/macho.c
@@ -499,7 +499,24 @@ domacholink(void)
 	s3 = lookup(".linkedit.got", 0);
 	s4 = lookup(".dynstr", 0);
 
-	while(s4->size%4)
+	// Force the linkedit section to end on a 16-byte
+	// boundary.  This allows pure (non-cgo) Go binaries
+	// to be code signed correctly.
+	//
+	// Apple's codesign_allocate (a helper utility for
+	// the codesign utility) can do this fine itself if
+	// it is run on a dynamic Mach-O binary.  However,
+	// when it is run on a pure (non-cgo) Go binary, where
+	// the linkedit section is mostly empty, it fails to
+	// account for the extra padding that it itself adds
+	// when adding the LC_CODE_SIGNATURE load command
+	// (which must be aligned on a 16-byte boundary).
+	//
+	// By forcing the linkedit section to end on a 16-byte
+	// boundary, codesign_allocate will not need to apply
+	// any alignment padding itself, working around the
+	// issue.
+	while(s4->size%16)
 		adduint8(s4, 0);
 	
 	size = s1->size + s2->size + s3->size + s4->size;
-- 
2.50.0