crypto/tls: force OS X target version to 10.6 for API compatibility

This is a band-aid until we can use weak imports with cgo.

Fixes #3131.

R=minux.ma, rsc
CC=golang-dev
https://golang.org/cl/5700083

root_darwin.go

@@ -5,11 +5,9 @@
 package tls
 
 /*
-// Note: We disable -Werror here because the code in this file uses a deprecated API to stay
-// compatible with both Mac OS X 10.6 and 10.7. Using a deprecated function on Darwin generates
-// a warning.
-#cgo CFLAGS: -Wno-error -Wno-deprecated-declarations
+#cgo CFLAGS: -mmacosx-version-min=10.6 -D__MAC_OS_X_VERSION_MAX_ALLOWED=1060
 #cgo LDFLAGS: -framework CoreFoundation -framework Security
+
 #include <CoreFoundation/CoreFoundation.h>
 #include <Security/Security.h>
 
@@ -40,27 +38,13 @@ int FetchPEMRoots(CFDataRef *pemRoots) {
 			continue;
 		}
 
-		// SecKeychainImportExport is deprecated in >= OS X 10.7, and has been replaced by
-		// SecItemExport.  If we're built on a host with a Lion SDK, this code gets conditionally
-		// included in the output, also for binaries meant for 10.6.
-		//
-		// To make sure that we run on both Mac OS X 10.6 and 10.7 we use weak linking
-		// and check whether SecItemExport is available before we attempt to call it. On
-		// 10.6, this won't be the case, and we'll fall back to calling SecKeychainItemExport.
-#if __MAC_OS_X_VERSION_MAX_ALLOWED >= 1070
-		if (SecItemExport) {
-			err = SecItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
-			if (err != noErr) {
-				continue;
-			}
-		} else
-#endif
-		if (data == NULL) {
+		// Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport.
+		// Once we support weak imports via cgo we should prefer that, and fall back to this
+		// for older systems.
 		err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
 		if (err != noErr) {
 			continue;
 		}
-		}
 
 		if (data != NULL) {
 			CFDataAppendBytes(combinedData, CFDataGetBytePtr(data), CFDataGetLength(data));