diff --git a/GNUmakefile b/GNUmakefile
index ac7f66f12e..110ab5463f 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -310,6 +310,7 @@ TEST_PACKAGES_FAST = \
 	container/list \
 	container/ring \
 	crypto/des \
+	crypto/ecdsa \
 	crypto/elliptic \
 	crypto/md5 \
 	crypto/rc4 \
diff --git a/loader/goroot.go b/loader/goroot.go
index c7ac029d3d..05eeeda190 100644
--- a/loader/goroot.go
+++ b/loader/goroot.go
@@ -229,30 +229,33 @@ func needsSyscallPackage(buildTags []string) bool {
 // means use the TinyGo version.
 func pathsToOverride(goMinor int, needsSyscallPackage bool) map[string]bool {
 	paths := map[string]bool{
-		"":                      true,
-		"crypto/":               true,
-		"crypto/rand/":          false,
-		"crypto/tls/":           false,
-		"device/":               false,
-		"examples/":             false,
-		"internal/":             true,
-		"internal/abi/":         false,
-		"internal/binary/":      false,
-		"internal/bytealg/":     false,
-		"internal/cm/":          false,
-		"internal/fuzz/":        false,
-		"internal/reflectlite/": false,
-		"internal/task/":        false,
-		"internal/wasi/":        false,
-		"machine/":              false,
-		"net/":                  true,
-		"net/http/":             false,
-		"os/":                   true,
-		"reflect/":              false,
-		"runtime/":              false,
-		"sync/":                 true,
-		"testing/":              true,
-		"unique/":               false,
+		"":                            true,
+		"crypto/":                     true,
+		"crypto/rand/":                false,
+		"crypto/tls/":                 false,
+		"crypto/x509/":                true,
+		"crypto/x509/internal/":       true,
+		"crypto/x509/internal/macos/": false,
+		"device/":                     false,
+		"examples/":                   false,
+		"internal/":                   true,
+		"internal/abi/":               false,
+		"internal/binary/":            false,
+		"internal/bytealg/":           false,
+		"internal/cm/":                false,
+		"internal/fuzz/":              false,
+		"internal/reflectlite/":       false,
+		"internal/task/":              false,
+		"internal/wasi/":              false,
+		"machine/":                    false,
+		"net/":                        true,
+		"net/http/":                   false,
+		"os/":                         true,
+		"reflect/":                    false,
+		"runtime/":                    false,
+		"sync/":                       true,
+		"testing/":                    true,
+		"unique/":                     false,
 	}
 
 	if goMinor >= 19 {
diff --git a/src/crypto/x509/internal/macos/macos.go b/src/crypto/x509/internal/macos/macos.go
new file mode 100644
index 0000000000..e9ec2ef843
--- /dev/null
+++ b/src/crypto/x509/internal/macos/macos.go
@@ -0,0 +1,185 @@
+package macos
+
+import (
+	"errors"
+	"time"
+)
+
+// Exported symbols copied from Big Go, but stripped of functionality.
+// Allows building of crypto/x509 on macOS.
+
+const (
+	ErrSecCertificateExpired = -67818
+	ErrSecHostNameMismatch   = -67602
+	ErrSecNotTrusted         = -67843
+)
+
+var ErrNoTrustSettings = errors.New("no trust settings found")
+var SecPolicyAppleSSL = StringToCFString("1.2.840.113635.100.1.3") // defined by POLICYMACRO
+var SecPolicyOid = StringToCFString("SecPolicyOid")
+var SecTrustSettingsPolicy = StringToCFString("kSecTrustSettingsPolicy")
+var SecTrustSettingsPolicyString = StringToCFString("kSecTrustSettingsPolicyString")
+var SecTrustSettingsResultKey = StringToCFString("kSecTrustSettingsResult")
+
+func CFArrayAppendValue(array CFRef, val CFRef) {}
+
+func CFArrayGetCount(array CFRef) int {
+	return 0
+}
+
+func CFDataGetBytePtr(data CFRef) uintptr {
+	return 0
+}
+
+func CFDataGetLength(data CFRef) int {
+	return 0
+}
+
+func CFDataToSlice(data CFRef) []byte {
+	return nil
+}
+
+func CFEqual(a, b CFRef) bool {
+	return false
+}
+
+func CFErrorGetCode(errRef CFRef) int {
+	return 0
+}
+
+func CFNumberGetValue(num CFRef) (int32, error) {
+	return 0, errors.New("not implemented")
+}
+
+func CFRelease(ref CFRef) {}
+
+func CFStringToString(ref CFRef) string {
+	return ""
+}
+
+func ReleaseCFArray(array CFRef) {}
+
+func SecCertificateCopyData(cert CFRef) ([]byte, error) {
+	return nil, errors.New("not implemented")
+}
+
+func SecTrustEvaluateWithError(trustObj CFRef) (int, error) {
+	return 0, errors.New("not implemented")
+}
+
+func SecTrustGetCertificateCount(trustObj CFRef) int {
+	return 0
+}
+
+func SecTrustGetResult(trustObj CFRef, result CFRef) (CFRef, CFRef, error) {
+	return 0, 0, errors.New("not implemented")
+}
+
+func SecTrustSetVerifyDate(trustObj CFRef, dateRef CFRef) error {
+	return errors.New("not implemented")
+}
+
+type CFRef uintptr
+
+func BytesToCFData(b []byte) CFRef {
+	return 0
+}
+
+func CFArrayCreateMutable() CFRef {
+	return 0
+}
+
+func CFArrayGetValueAtIndex(array CFRef, index int) CFRef {
+	return 0
+}
+
+func CFDateCreate(seconds float64) CFRef {
+	return 0
+}
+
+func CFDictionaryGetValueIfPresent(dict CFRef, key CFString) (value CFRef, ok bool) {
+	return 0, false
+}
+
+func CFErrorCopyDescription(errRef CFRef) CFRef {
+	return 0
+}
+
+func CFStringCreateExternalRepresentation(strRef CFRef) (CFRef, error) {
+	return 0, errors.New("not implemented")
+}
+
+func SecCertificateCreateWithData(b []byte) (CFRef, error) {
+	return 0, errors.New("not implemented")
+}
+
+func SecPolicyCreateSSL(name string) (CFRef, error) {
+	return 0, errors.New("not implemented")
+}
+
+func SecTrustCreateWithCertificates(certs CFRef, policies CFRef) (CFRef, error) {
+	return 0, errors.New("not implemented")
+}
+
+func SecTrustEvaluate(trustObj CFRef) (CFRef, error) {
+	return 0, errors.New("not implemented")
+}
+
+func SecTrustGetCertificateAtIndex(trustObj CFRef, i int) (CFRef, error) {
+	return 0, errors.New("not implemented")
+}
+
+func SecTrustSettingsCopyCertificates(domain SecTrustSettingsDomain) (certArray CFRef, err error) {
+	return 0, errors.New("not implemented")
+}
+
+func SecTrustSettingsCopyTrustSettings(cert CFRef, domain SecTrustSettingsDomain) (trustSettings CFRef, err error) {
+	return 0, errors.New("not implemented")
+}
+
+func TimeToCFDateRef(t time.Time) CFRef {
+	return 0
+}
+
+type CFString CFRef
+
+func StringToCFString(s string) CFString {
+	return 0
+}
+
+type OSStatus struct {
+	// Has unexported fields.
+}
+
+func (s OSStatus) Error() string
+
+type SecTrustResultType int32
+
+const (
+	SecTrustResultInvalid SecTrustResultType = iota
+	SecTrustResultProceed
+	SecTrustResultConfirm // deprecated
+	SecTrustResultDeny
+	SecTrustResultUnspecified
+	SecTrustResultRecoverableTrustFailure
+	SecTrustResultFatalTrustFailure
+	SecTrustResultOtherError
+)
+
+type SecTrustSettingsDomain int32
+
+const (
+	SecTrustSettingsDomainUser SecTrustSettingsDomain = iota
+	SecTrustSettingsDomainAdmin
+	SecTrustSettingsDomainSystem
+)
+
+type SecTrustSettingsResult int32
+
+const (
+	SecTrustSettingsResultInvalid SecTrustSettingsResult = iota
+	SecTrustSettingsResultTrustRoot
+	SecTrustSettingsResultTrustAsRoot
+	SecTrustSettingsResultDeny
+	SecTrustSettingsResultUnspecified
+)