For example:

	// #cgo pkg-config: png cairo
	// #include <png.h>
	import "C"

The default pkg-config tool may be changed by setting the PKG_CONFIG environment variable.

For security reasons, only a limited set of flags are allowed, notably -D, -U, -I, and -l.
To allow additional flags, set CGO_CFLAGS_ALLOW to a regular expression
matching the new flags. To disallow flags that would otherwise be allowed,

//go:build darwin

package issue24161e0

/*
#cgo CFLAGS: -x objective-c
#cgo LDFLAGS: -framework CoreFoundation -framework Security
#include <TargetConditionals.h>
#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>
#if TARGET_OS_IPHONE == 0 && __MAC_OS_X_VERSION_MAX_ALLOWED < 101200
  typedef CFStringRef SecKeyAlgorithm;

the behavior you are seeing is confirmed as a bug or issue, it can easily be re-raised in the issue tracker.

## Filing issues

Sensitive security-related issues should be reported to [security@golang.org](mailto:security@golang.org).
See the [security policy](https://golang.org/security) for details.

The recommended way to file an issue is by running `go bug`.
Otherwise, when filing an issue, make sure to answer these five questions:

//go:build darwin

package issue24161e2

/*
#cgo CFLAGS: -x objective-c
#cgo LDFLAGS: -framework CoreFoundation -framework Security
#include <TargetConditionals.h>
#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>
#if TARGET_OS_IPHONE == 0 && __MAC_OS_X_VERSION_MAX_ALLOWED < 101200
  typedef CFStringRef SecKeyAlgorithm;

			Xattrs: map[string]string{
				"security.selinux": "unconfined_u:object_r:default_t:s0\x00",
			},
			PAXRecords: map[string]string{
				"mtime":                         "1386065770.449252304",
				"atime":                         "1389782991.41987522",
				"ctime":                         "1386065770.449252304",
				"SCHILY.xattr.security.selinux": "unconfined_u:object_r:default_t:s0\x00",
			},

pkg syscall (linux-386), const SO_RCVTIMEO ideal-int
pkg syscall (linux-386), const SO_RXQ_OVFL ideal-int
pkg syscall (linux-386), const SO_SECURITY_AUTHENTICATION ideal-int
pkg syscall (linux-386), const SO_SECURITY_ENCRYPTION_NETWORK ideal-int
pkg syscall (linux-386), const SO_SECURITY_ENCRYPTION_TRANSPORT ideal-int
pkg syscall (linux-386), const SO_SNDBUFFORCE ideal-int
pkg syscall (linux-386), const SO_SNDLOWAT ideal-int

controlled by the [`panicnil` setting](/pkg/builtin/#panic).

Go 1.21 made it an error for html/template actions to appear inside of an ECMAScript 6
template literal, controlled by the
[`jstmpllitinterp` setting](/pkg/html/template#hdr-Security_Model).
This behavior was backported to Go 1.19.8+ and Go 1.20.3+.

Go 1.21 introduced a limit on the maximum number of MIME headers and multipart
forms, controlled by the

//go:build darwin

package issue24161e1

/*
#cgo CFLAGS: -x objective-c
#cgo LDFLAGS: -framework CoreFoundation -framework Security
#include <TargetConditionals.h>
#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>
#if TARGET_OS_IPHONE == 0 && __MAC_OS_X_VERSION_MAX_ALLOWED < 101200
  typedef CFStringRef SecKeyAlgorithm;

					matches++
				}
			}
		}
		if matches == len(udids) {
			files = append(files, string(line))
		}
	}
	return files
}

func parseMobileProvision(fname string) *exec.Cmd {
	return exec.Command("security", "cms", "-D", "-i", string(fname))
}

func plistExtract(fname string, path string) ([]byte, error) {
	out, err := exec.Command("/usr/libexec/PlistBuddy", "-c", "Print "+path, fname).CombinedOutput()
	if err != nil {

pkg syscall (linux-386), const SO_REUSEADDR = 2
pkg syscall (linux-386), const SO_RXQ_OVFL = 40
pkg syscall (linux-386), const SO_SECURITY_AUTHENTICATION = 22
pkg syscall (linux-386), const SO_SECURITY_ENCRYPTION_NETWORK = 24
pkg syscall (linux-386), const SO_SECURITY_ENCRYPTION_TRANSPORT = 23
pkg syscall (linux-386), const SO_SNDBUF = 7
pkg syscall (linux-386), const SO_SNDBUFFORCE = 32