Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

qemu: ask to sign QEMU binary when the binary is not properly signed #1743

Merged
merged 1 commit into from
Aug 14, 2023
Merged

qemu: ask to sign QEMU binary when the binary is not properly signed #1743

merged 1 commit into from
Aug 14, 2023

Conversation

AkihiroSuda
Copy link
Member

@AkihiroSuda AkihiroSuda commented Aug 13, 2023
edited
Loading 

$ limactl start
INFO[0000] Using the existing instance "default"        
WARN[0000] QEMU binary "/usr/local/bin/qemu-system-x86_64" is not properly signed with the "com.apple.security.hypervisor" entitlement  error="failed to run [codesign --verify /usr/local/bin/qemu-system-x86_64]: exit status 1 (out=\"/usr/local/bin/qemu-system-x86_64: invalid signature (code or signature have been modified)\\nIn architecture: x86_64\\n\")"
? Try to sign "/usr/local/bin/qemu-system-x86_64" with the "com.apple.security.hypervisor" entitlement? (Y/n)
...

Workaround for:

This workaround is needed because Homebrew's QEMU binary is not properly signed since v8.0.4. Homebrew/homebrew-core#139409 (comment)

@AkihiroSuda AkihiroSuda added this to the v0.17.2 milestone Aug 13, 2023
@AkihiroSuda AkihiroSuda requested a review from a team August 13, 2023 15:30
@AkihiroSuda
Copy link
Member Author

cc @lima-vm/maintainers

I'll release v0.17.2 after merging this workaround.

@afbjorklund
Copy link
Member

Wouldn't this sign any random qemu binary in the path ?

@AkihiroSuda
Copy link
Member Author

Wouldn't this sign any random qemu binary in the path ?

Sorry what do you mean?

@afbjorklund
Copy link
Member

afbjorklund commented Aug 13, 2023
edited
Loading

How do we know that the current qemu is the authentic homebrew ?

But maybe this is not so much about authenticating the prebuilt binary, as it is about adding com.apple.security.hypervisor entitlement to the existing program. Otherwise it seems like homebrew made a bug, and the right fix would be for them to make another "package" (well, tarball) revision where they sign it properly.

@AkihiroSuda
Copy link
Member Author

How do we know that the current qemu is the authentic homebrew ?

We may check if the binary path contains "/Cellar/" ?

@AkihiroSuda AkihiroSuda changed the title qemu: automatically sign QEMU binary when the binary is not properly signed qemu: ask to sign QEMU binary when the binary is not properly signed Aug 14, 2023
@AkihiroSuda AkihiroSuda marked this pull request as draft August 14, 2023 02:07
@AkihiroSuda
qemu: ask to sign QEMU binary when the binary is not properly signed
c0b48a9 
Workaround for issue 1742 .
This workaround is needed because Homebrew's QEMU binary is not properly signed since v8.0.4.

Signed-off-by: Akihiro Suda <[email protected]>
@AkihiroSuda
Copy link
Member Author

Modified to open a Y/n prompt before signing.
NOP if tty is not available.

@AkihiroSuda AkihiroSuda marked this pull request as ready for review August 14, 2023 02:24
AkihiroSuda
AkihiroSuda commented Aug 14, 2023
View reviewed changes
pkg/start/start.go
"text/template"
"time"

"github.com/lima-vm/lima/pkg/driver"
"github.com/lima-vm/lima/pkg/driverutil"
"github.com/lima-vm/lima/pkg/qemu"
"github.com/lima-vm/lima/pkg/qemu/entitlementutil"
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(I don't want to let pkg/start depend on a specific driver, but I'm going to merge this right now anyway, as the Homebrew issue #1742 is critical. We can refactor this later.)

@AkihiroSuda AkihiroSuda merged commit bee0502 into lima-vm:master Aug 14, 2023
22 of 23 checks passed
@AkihiroSuda AkihiroSuda mentioned this pull request Aug 23, 2023
Closed
@AkihiroSuda AkihiroSuda mentioned this pull request Sep 4, 2023
Closed
@mggluscevic59
Copy link

On Mac Big Sur entitlement check exits on: codesign --display --entitlements - --xml /usr/local/bin/qemu-system-x86_64 because that command is a bit different - it does not have --xml

Is there a way to turn off entitlements check all together?

@AkihiroSuda
Copy link
Member Author

Big Sur

Addressed in:

Will be in v0.19

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
component/qemu QEMU priority/high
Projects
None yet
Milestone
v0.17.2
Development

Successfully merging this pull request may close these issues.
3 participants
@AkihiroSuda @afbjorklund @mggluscevic59