当我们在go项目中使用C库，或者引用的第三方库有使用C库，有时候会遇到 invalid flag in #cgo LDFLAGS: -w 这种错误。

这是因为在项目代码中，使用了#cgo指令符(directive)，对C/C++编译器添加了 CFLAGS、 CPPFLAGS、CXXFLAGS 、LDFLAGS 等选项设置。

例如github.com/spacemonkeygo/openssl库的build.go中，则对各个特定平台的C/C++编译器，设置了不同的编译约束参数：

package openssl

// #cgo pkg-config: libssl libcrypto
// #cgo linux CFLAGS: -Wno-deprecated-declarations
// #cgo darwin CFLAGS: -I/usr/local/opt/openssl@1.1/include -I/usr/local/opt/openssl/include -Wno-deprecated-declarations
// #cgo darwin LDFLAGS: -w -L/usr/local/opt/openssl@1.1/lib -L/usr/local/opt/openssl/lib
// #cgo windows CFLAGS: -DWIN32_LEAN_AND_MEAN
import "C"

当我们使用go版本在1.10及其以上版本进行项目编译的时候，则会提示如下错误：

go build xxxx/vendor/github.com/spacemonkeygo/openssl: invalid flag in #cgo LDFLAGS: -w

原因是golang为了安全，在使用go get，go build和friends期间，禁止编译器/链接器使用LDFLAGS等连接参数，目的是防止编译器被攻击。

如果要使用LDFLAGS等连接参数，我们需要手动指定CGO_LDFLAGS_ALLOW等参数，例如：CGO_LDFLAGS_ALLOW='-w'。

因此在命令行编译的时候，使用：

CGO_LDFLAGS_ALLOW='-w' go rum main.go

或者在IDE工具中，添加如上环境变量即可。

相关文章：https://github.com/golang/go/wiki/InvalidFlag

相关内容

InvalidFlag

Eddie Webb edited this page on 27 Feb 2019 · 2 revisions

invalid flag in #cgo CFLAGS

This page describes the background for build errors like invalid flag in #cgo CFLAGS and what you can do about them.

CVE-2018-6574 described a potential security violation in the go tool: running go get downloads and builds Go code from the Internet, Go code that uses cgo can specify options to pass to the compiler, so careful use of -fplugin can cause go get to execute arbitrary code. While it is difficult to block every possible way that the compiler might be attacked, we have chosen to block the obvious ones.

As described at issue 23672, this is done by using a safelist of compiler/linker options that are permitted during go get, go build, and friends. When cgo code tries to use to pass an option that is not on the safelist, the go tool will report an error invalid flag in #cgo CFLAGS (or #cgo LDFLAGS, pkg-config --cflags, pkg-config --ldflags, and so forth).

This safelist is new in releases 1.8.7, 1.9.4, and 1.10, and all subsequent releases.

What can I do?

If this happens to you, and the option is benign, you should do two things:

Set the environment variable CGO_CFLAGS_ALLOW (or CGO_LDFLAGS_ALLOW, CGO_CXXFLAGS_ALLOW, and so forth) to a regexp that matches the option.
File a bug requesting that the option be added to the safelist. Be sure to include the complete error message and, if possible, a description of the code you are building.

Why not use an unsafe list?

Because if some new unsafe option is added to a compiler, all existing Go releases will become immediately vulnerable.

Why not get a complete list of compiler options and safelist all of them?

Because there are hundreds of options, and there is no clear way to get a complete list. Many compiler and linker options are target dependent, and thus only reported on specific platforms or in specific configurations. The documentation is known to be incomplete.