control/controlclient: support certstore without cgo

We no longer build Windows releases with cgo enabled, which
automatically turned off certstore support. Rather than re-enabling cgo,
we updated our fork of the certstore package to no longer require cgo.
This updates the package, cleans up how the feature is configured, and
removes the cgo build tag requirement.

Fixes tailscale/corp#14797
Fixes tailscale/coral#118

Change-Id: Iaea34340761c0431d759370532c16a48c0913374
Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>

control/controlclient/sign_supported.go

@@ -1,11 +1,9 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build windows && cgo
+//go:build windows
 
-// darwin,cgo is also supported by certstore but machineCertificateSubject will
-// need to be loaded by a different mechanism, so this is not currently enabled
-// on darwin.
+// darwin,cgo is also supported by certstore but untested, so it is not enabled.
 
 package controlclient
 
@@ -21,7 +19,7 @@ import (
 	"github.com/tailscale/certstore"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
-	"tailscale.com/util/winutil"
+	"tailscale.com/util/syspolicy"
 )
 
 var getMachineCertificateSubjectOnce struct {
@@ -40,7 +38,7 @@ var getMachineCertificateSubjectOnce struct {
 // Example: "CN=Tailscale Inc Test Root CA,OU=Tailscale Inc Test Certificate Authority,O=Tailscale Inc,ST=ON,C=CA"
 func getMachineCertificateSubject() string {
 	getMachineCertificateSubjectOnce.Do(func() {
-		getMachineCertificateSubjectOnce.v, _ = winutil.GetRegString("MachineCertificateSubject")
+		getMachineCertificateSubjectOnce.v, _ = syspolicy.GetString("MachineCertificateSubject", "")
 	})
 
 	return getMachineCertificateSubjectOnce.v

control/controlclient/sign_unsupported.go

@@ -1,7 +1,7 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause
 
-//go:build !windows || !cgo
+//go:build !windows
 
 package controlclient