From f199191f88b40e556090e4ccade3ac554c651544 Mon Sep 17 00:00:00 2001
From: Vault Automation <github-team-secure-vault-core@hashicorp.com>
Date: Tue, 7 Oct 2025 16:14:11 -0400
Subject: [PATCH] [VAULT-39942] tools: always statically link and strip
 binaries (#9909) (#9918)

Occasionally it seems that the tools will get built and linked against
the platform glibc. We definitely do not want that.

Now we always disable CGO when building tools. While doing this I
realized that we could also strip debug symbols and reduce the size of
the tools significantly, so that is included as well.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
---
 tools/tools.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tools/tools.sh b/tools/tools.sh
index b56a3e6bbd..a8cc7b58ba 100755
--- a/tools/tools.sh
+++ b/tools/tools.sh
@@ -11,7 +11,11 @@ repo_root() {
 
 # Install an external Go tool.
 go_install() {
-  if go install "$1"; then
+  local tags=""
+  if [ "$(go env GOOS)" == "darwin" ]; then
+    tags="netcgo"
+  fi
+  if eval CGO_ENABLED=0 go install "-tags=${tags}" \"-ldflags=-w -s\" "$1"; then
     echo "--> $1 ✔"
   else
     echo "--> $1 ✖"