This repository has been archived by the owner on Jul 14, 2021. It is now read-only.

OSX ruby executable has an invalid signature #258

Closed
irvingpop opened this issue Dec 2, 2014 · 7 comments
Labels
Aspect: Packaging Distribution of the projects 'compiled' artifacts. Status: Blocked on Upstream Bug

Comments

@irvingpop

Using ChefDK 0.3.5 (and earlier versions) on OSX (tested with Yosemite) you'll frequently see the following pop-up message:

[Image: screen shot 2014-12-02 at 2 37 47 pm]

This happens because the signature is invalid:

codesign --verify --verbose /opt/chefdk/embedded/bin/ruby
/opt/chefdk/embedded/bin/ruby: invalid signature (code or signature have been modified)
In architecture: x86_64

I'm able to fix it using these instructions, signing like so:

sudo codesign -f -s irving-local-code-signing /opt/chefdk/embedded/bin/ruby
/opt/chefdk/embedded/bin/ruby: replacing existing signature

@lamont-granquist
Contributor

Pretty sure this is a dup, but I think you've got better information and a fix, so the other issues should probably be hunted down and closed with a pointer to this one.

Also paging in @opscode/release-engineers because this most likely is properly a bug against omnibus and needs a patch there.

@irvingpop
Author

Retested this on ChefDK 0.5.15 - this is still an issue when using chef-zero and/or chef-provisioning which opens a port to listen on.
cc: @charlesjohnson

@irvingpop
Author

I take it back! The pop-up happens the first time, but not on subsequent runs which is a considerable improvement. Considering this closed.

@lamont-granquist
Contributor

Seems like this happening at all is still bad, though?

@irvingpop
Author

irvingpop commented Jun 25, 2016

It's a little bad, but not as bad as before. To go into more detail:

  • Previous: Invalid signature on the ruby executable, you had to click "Allow" every time you used it
  • Today: Binary is not signed at all, you click "Allow" once the first time you use it and then move on :)

$ codesign --verify --verbose /opt/chefdk/embedded/bin/ruby
/opt/chefdk/embedded/bin/ruby: code object is not signed at all
In architecture: x86_64

Yes it would be better if the binaries were signed (that's tracked in chef/omnibus#431 ) but the specific issue reported here (invalid signatures) is gone and the inconvenience is massively reduced.

@irvingpop
Author

irvingpop commented Aug 8, 2016

Hm, this appears to have returned in ChefDK 0.16.28

$ chef --version
Chef Development Kit Version: 0.16.28
chef-client version: 12.12.15
delivery version: master (921828facad8a8bbbd767368bfc72f19bd30e7bd)
berks version: 4.3.5
kitchen version: 1.10.2

$ ruby -v
ruby 2.1.8p440 (2015-12-16 revision 53160) [x86_64-darwin13.0]

$ codesign --verify --verbose /opt/chefdk/embedded/bin/ruby
/opt/chefdk/embedded/bin/ruby: invalid signature (code or signature have been modified)
In architecture: x86_64

irvingpop reopened this Aug 8, 2016

@lamont-granquist
Contributor

I'm seeing "code object is not signed at all" again in both 1.1.16 and 1.2.20

Closing again in favor of chef/omnibus#431.
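
Added example (not from this thread or from the ChefDK/omnibus project): a shell helper that separates the two `codesign --verify` results reported in this issue, "invalid signature" and "code object is not signed at all", for every executable in a directory. The function names and the choice to fail only on invalid signatures are assumptions; the message strings are the ones quoted in the comments above.

```shell
#!/bin/sh
# Added example; function names and the exit policy are assumptions.
# The two message strings are the ones codesign printed in this thread.

# Map one `codesign --verify` result (exit status, captured output)
# to: valid | invalid | unsigned | other
classify_codesign() {
    if [ "$1" -eq 0 ]; then
        echo valid
        return 0
    fi
    case "$2" in
        *"code object is not signed at all"*) echo unsigned ;;
        *"invalid signature"*)                echo invalid ;;
        *)                                    echo other ;;
    esac
}

# Check every executable regular file directly under a directory and
# print one "state path" line each. Returns 1 if any signature is
# invalid (assumed policy: unsigned files are reported, not failed).
audit_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        # Capture stderr as well as stdout so the diagnostic is not lost.
        out=$(codesign --verify --verbose "$f" 2>&1) && st=0 || st=$?
        state=$(classify_codesign "$st" "$out")
        printf '%-9s %s\n' "$state" "$f"
        if [ "$state" = invalid ]; then rc=1; fi
    done
    return "$rc"
}

# Usage on macOS: audit_dir /opt/chefdk/embedded/bin
```

Running this against a freshly installed package in a release pipeline shows which of the two states a build ships in before a user meets the firewall prompt.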

chef-boneyard locked and limited conversation to collaborators Feb 14, 2018

tas50 added Aspect: Packaging Distribution of the projects 'compiled' artifacts. Aspect: UX and removed Area: Packaging labels Jan 2, 2019