If you try to compile the following Go program:
package main
import _ "crypto/tls"
func main() {
}
You'll wind up with a dynamically linked Go binary. This is annoying for me (I'm building a Go binary inside a Docker container, which uses a different libc from my host, which will result in the binary not running on my host).
How does one force Go to build such a program statically?
The only OS where crypto/tls uses cgo is darwin, where it needs to call FetchPEMRootsto get the root CAs.
The reason your program is using cgo is because crypto/tls imports the net package, which links to the host resolver by default. You can build the net package without cgo using the "netgo" build tag.
go build -tags netgo
Or if you're on a release where the std lib packages won't be built by default, you can trigger them to be compiled with a new installsuffix
go build -installsuffix netgo -tags netgo
Since you're not going to have the need or ability to use cgo in your environment, you may want to just build everything with CGO_ENABLED=0 to disable cgo entirely.