v0.12.0 - 2024-02-10
This release continues support for Go 1.21 and includes fixes for Go 1.22, now that the final 1.22.0 release is out.
@lu4p improved the detection of types used with reflection to track make
calls too,
fixing more cannot use T1 as T2
errors when obfuscating types. See #690.
@pagran added a trash block generator to the control flow obfuscator. See #825.
A number of bugfixes are also included:
- Avoid an error when building for
GOOS=ios
- #816 - Prevent the shuffle literal obfuscation from being optimized away - #819
- Support inline comments in assembly
#include
lines - #812
v0.11.0 - 2023-12-02
This release drops support for Go 1.20, continues support for Go 1.21, and adds initial support for the upcoming Go 1.22.
@lu4p and @mvdan improved the code using SSA to detect which types are used with reflection,
which should fix a number of errors such as cannot use T1 as T2
or cannot convert T1 to T2
.
See: #685, #763, #782, #785, #807.
@pagran added experimental support for control flow obfuscation, which should provide stronger obfuscation of function bodies when enabled. See the documentation at docs/CONTROLFLOW.md. See #462.
A number of bugfixes are also included:
- Avoid panicking on a struct embedding a builtin alias - #798
- Strip struct field tags when hashing struct types for type identity - #801
v0.10.1 - 2023-06-25
This bugfix release continues support for Go 1.20 and the upcoming 1.21, and features:
- Avoid obfuscating local types used for reflection, like in
go-spew
- #765
v0.10.0 - 2023-06-05
This release drops support for Go 1.19, continues support for Go 1.20, and adds initial support for the upcoming Go 1.21.
@lu4p rewrote the code to detect whether reflect
is used on each Go type,
which is used to decide which Go types should not be obfuscated to prevent breakage.
The old code analyzed syntax trees with type information, which is cheap but clumsy.
The new code uses SSA, which adds a bit of CPU cost to builds, but allows for a
more powerful analysis that is less likely to break on edge cases.
While this change does slow down builds slightly, we will start using SSA for more
features in the near term, such as control flow obfuscation. See #732.
@pagran improved the patching of Go's linker to also obfuscate funcInfo.entryoff, making it harder to relate a function's metadata with its body in the binary. See #641.
@mvdan rewrote garble's caching to be more robust, avoiding errors such as
"cannot load garble export file". The new caching system is entirely separate
from Go's GOCACHE
, being placed in GARBLE_CACHE
, which defaults to a directory
such as ~/.cache/garble
. See #708.
@DominicBreuker taught -literals
to support obfuscating large string literals
by using the "simple" obfuscator on them, as it runs in linear time. See #720.
@mvdan added support for garble run
, the obfuscated version of go run
,
to quickly test that a main program still works when obfuscated. See #661.
A number of bugfixes are also included:
- Ensure that
sync/atomic
types are still aligned by the compiler - #686 - Print the chosen random seed when using
-seed=random
- #696 - Avoid errors in
git apply
if the system language isn't English - #698 - Avoid a panic when importing a missing package - #694
- Suggest a command when asking the user to rebuild garble - #739
v0.9.3 - 2023-02-12
This bugfix release continues support for Go 1.19 and 1.20, and features:
- Support inline comments in assembly to fix
GOARCH=ppc64
- #672 - Avoid obfuscating
reflect.Value
to fixdavecgh/go-spew
- #676 - Fix runtime panics when using
garble build
inside a VCS directory - #675
v0.9.2 - 2023-02-07
This bugfix release continues support for Go 1.19 and 1.20, and features:
- Support
go:linkname
directives referencing methods - #656 - Fix more "unused import" errors with
-literals
- #658
v0.9.1 - 2023-01-26
This bugfix release continues support for Go 1.19 and the upcoming Go 1.20, and features:
- Support obfuscating code which uses "dot imports" - #610
- Fix linking errors for MIPS architectures - #646
- Compiler intrinsics for packages like
math/bits
work again - #655
v0.9.0 - 2023-01-17
This release continues support for Go 1.19 and the upcoming Go 1.20.
Noteworthy changes include:
- Randomize the magic number header in
pclntab
- #622 - Further reduce binary sizes with
-tiny
by 4% - #633 - Reduce the size overhead of all builds by 2% - #629
- Reduce the binary size overhead of
-literals
by 20% - #637 - Support assembly references to the current package name - #619
- Support package paths with periods in assembly - #621
Note that the first two changes are done by patching and rebuilding Go's linker. While this adds complexity, it enables more link time obfuscation.
v0.8.0 - 2022-12-15
This release drops support for Go 1.18, continues support for Go 1.19, and adds initial support for the upcoming Go 1.20.
Noteworthy changes include:
GOGARBLE=*
is now the default to obfuscate all packages - #594GOPRIVATE
is no longer used, being deprecated in v0.5.0- Obfuscate assembly source code filenames - #605
- Randomize the lengths of obfuscated names
- Support obfuscating
time
andsyscall
- Avoid reflect method call panics if
reflect
is obfuscated
v0.7.2 - 2022-09-26
This bugfix release continues support for Go 1.18 and 1.19 and features:
- Fix an edge case resulting in bad syntax due to comments - #573
- Avoid a panic involving generic code - #577
- Obfuscate Go names in assembly header files - #553
- Support
garble reverse
on packages using cgo or assembly - #555
v0.7.1 - 2022-08-02
This bugfix release finishes support for Go 1.19 and features:
- Obfuscate all cgo filenames to not leak import paths
- Support obfuscating
net
andruntime/debug
- Don't leak temporary directories after obfuscating
- Fix an edge case resulting in broken import declarations
- Reduce allocations involved in obfuscating code
v0.7.0 - 2022-06-10
This release drops support for Go 1.17, continues support for Go 1.18, and adds initial support for the upcoming Go 1.19.
Noteworthy changes include:
- Initial support for obfuscating generic code - #414
- Remove unused imports in
-literals
more reliably - #481 - Support obfuscating package paths ending with
.go
- #539 - Support installing garble in paths containing spaces - #544
- Avoid a panic when obfuscating variadic functions - #524
- Avoid a "refusing to list package" panic in
garble test
- #522 - Some module builds are now used as regression tests - #240
v0.6.0 - 2022-03-22
This release adds support for Go 1.18 while continuing support for Go 1.17.x. Note that building generic code isn't supported just yet.
Noteworthy changes include:
- Obfuscation is now fully deterministic with a fixed
-seed
- #449 - Improve support for type aliases to fix some build failures - #466
- Add support for quotes in
-ldflags
as pergo help build
- #492 - Fail if the current Go version is newer than what built garble - #269
- Various optimizations resulting in builds being up to 5% faster - #456
v0.5.1 - 2022-01-18
This bugfix release features:
- Obfuscate exported names in
main
packages - Fix build errors when using
-literals
withGOGARBLE=*
- Avoid breaking
-ldflags=-X
when-literals
is used - Avoid link errors when using
-debugdir
- Speed up obfuscating the
runtime
package
v0.5.0 - 2022-01-06
This release of Garble adds initial support for the upcoming Go 1.18, continues support for Go 1.17.x, and drops support for Go 1.16.x. Note that building generic code isn't supported just yet.
Two breaking changes are introduced:
- Deprecate the use of
GOPRIVATE
in favor ofGOGARBLE
(see burrowers#276) garble reverse
now requires a main package argument
Noteworthy changes include:
- Improve detection of
reflect
usage even further - Support obfuscating some more standard library packages
- Improve literal obfuscation by using constant folding
- Add the
-debug
flag to log details of the obfuscated build - Ensure the
runtime
package is built in a reproducible way - Obfuscate local variable names to prevent shadowing bugs
- Fix and test support for using garble on 32-bit hosts
v0.4.0 - 2021-08-26
This release of Garble adds support for Go 1.17.x while maintaining support for Go 1.16.x. A few other noteworthy changes are included:
- Support obfuscating literals in more edge cases with
-literals
- Improve detection of
reflect
usage with standard library APIs - Names exported for cgo are no longer obfuscated
- Avoid breaking consts using
iota
with-literals
Known bugs:
- obfuscating the entire standard library with
GOPRIVATE=*
is not well supported yet
v0.3.0 - 2021-05-31
This release of Garble fixes a number of bugs and improves existing features, while maintaining support for Go 1.16.x. Notably:
- Make builds reproducible even when cleaning
GOCACHE
- Detecting types used with reflection is more reliable
- Cross builds with
GOPRIVATE=*
are now supported - Support conversion between struct types from different packages
- Improve support for type aliases
- Function names used with
go:linkname
are now obfuscated garble reverse
can now reverse field names and lone filenames
Known bugs:
- obfuscating the entire standard library with
GOPRIVATE=*
is not well supported yet
v0.2.0 - 2021-04-08
This release of Garble drops support for Go 1.15.x, which is necessary for some of the enhancements below:
- New:
garble test
allows running Go tests built with obfuscation - New:
garble reverse
allows de-obfuscating output like stack traces - Names of functions implemented in assembly are now obfuscated
GOPRIVATE=*
now works with packages likecrypto/tls
andembed
garble build
can now be used with many main packages at once-literals
is more robust and now works on all ofstd
The README is also overhauled to be more helpful to first-time users.
Known bugs:
- obfuscating the entire standard library with
GOPRIVATE=*
is not well supported yet
v0.1.0 - 2021-03-05
This is the first release of Garble. It supports Go 1.15.x and 1.16.x.
It ships all the major features that have worked for the past year, including:
- Obfuscation of all names, except methods and reflect targets
- Obfuscation of package import paths and position information
- Stripping of build and module information
- Support for Go modules
- Reproducible and cacheable builds
- Stripping of extra information via
-tiny
- Literal obfuscation via
-literals
Known bugs:
- obfuscating the standard library with
GOPRIVATE=*
is not well supported yet garble test
is temporarily disabled, as it is currently broken