certstore_darwin: fix deprecation warnings

Corrects a number of deprecation warnings in the darwin code.

This updates the go check to 1.25/1.26 which pins the minimum
supported macOS version to 12.0 which corresponds with the
macOS version required for those Security framework API changes.

Author: barnstar

certstore_darwin.go

@@ -160,19 +160,25 @@ func (i *macIdentity) CertificateChain() ([]*x509.Certificate, error) {
 	}
 	defer C.CFRelease(C.CFTypeRef(trustRef))
 
-	var status C.SecTrustResultType
-	if err := osStatusError(C.SecTrustEvaluate(trustRef, &status)); err != nil {
-		return nil, err
+	// Evaluate trust to populate the certificate chain; ignore the trust
+	// result since we only need the chain structure, not trust validation.
+	var cfTrustErr C.CFErrorRef
+	C.SecTrustEvaluateWithError(trustRef, &cfTrustErr)
+	if cfTrustErr != nilCFErrorRef {
+		C.CFRelease(C.CFTypeRef(cfTrustErr))
 	}
 
-	var (
-		nchain = C.SecTrustGetCertificateCount(trustRef)
-		chain  = make([]*x509.Certificate, 0, int(nchain))
-	)
+	certChain := C.SecTrustCopyCertificateChain(trustRef)
+	if certChain == nilCFArrayRef {
+		return nil, errors.New("error getting certificate chain")
+	}
+	defer C.CFRelease(C.CFTypeRef(certChain))
+
+	nchain := C.CFArrayGetCount(certChain)
+	chain := make([]*x509.Certificate, 0, int(nchain))
 
-	for i := C.CFIndex(0); i < nchain; i++ {
-		// TODO: do we need to release these?
-		chainCertref := C.SecTrustGetCertificateAtIndex(trustRef, i)
+	for j := C.CFIndex(0); j < nchain; j++ {
+		chainCertref := C.SecCertificateRef(C.CFArrayGetValueAtIndex(certChain, j))
 		if chainCertref == nilSecCertificateRef {
 			return nil, errors.New("nil certificate in chain")
 		}