-
-
Notifications
You must be signed in to change notification settings - Fork 12.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
qemu: invalid signature (code or signature have been modified)
(regression in 8.0.4, fixed in 8.0.4-1, re-regression in 8.1.0)
#140244
Comments
invalid signature (code or signature have been modified)
(regression in 8.0.4, fixed in 8.0.4\_1, re-regression in 8.1.0)invalid signature (code or signature have been modified)
(regression in 8.0.4, fixed in 8.0.4_1, re-regression in 8.1.0)
I think the previous analysis in #139409 (comment) is most likely reason. Qemu codesigns the binaries as part of Meson install (https://github.com/qemu/qemu/blob/v8.1.0/meson.build#L3852-L3854). Homebrew modifies the binaries (e.g. things like RPATH rewrites) invalidating it. Most likely needs to be handled on RPATH modification is one possible reason for invalidation. Looking at RPATH of bottles (pre-poured), the working binary uses placeholder Though, working binary may have issues on systems that use non-default prefix as the RPATH would be different than original CI path.
Local builds may also behave differently unless |
Fixed in |
invalid signature (code or signature have been modified)
(regression in 8.0.4, fixed in 8.0.4_1, re-regression in 8.1.0)invalid signature (code or signature have been modified)
(regression in 8.0.4, fixed in 8.0.4-1, re-regression in 8.1.0, fixed again in 8.1.0-1)
Still doesn't seem to work for me. I have done.
Yet
My system
|
Works for me 🤔
|
@AkihiroSuda I notice a couple (major?) differences in our set up I guess. Not sure what is causing the issue.
I don't think mine have the same sha256 though
|
Does it work for you @AkihiroSuda because And THANKS for all your work shepherding this fix through. |
@ngocphamm |
@AkihiroSuda Unforutunately no 😢
|
This time, it looks like bottle is using placeholders again (not sure why): ❯ otool -L bin/qemu-system-x86_64 | head -5
bin/qemu-system-x86_64:
/System/Library/Frameworks/Hypervisor.framework/Versions/A/Hypervisor (compatibility version 1.0.0, current version 1.0.0)
@@HOMEBREW_PREFIX@@/opt/pixman/lib/libpixman-1.0.dylib (compatibility version 43.0.0, current version 43.2.0)
@@HOMEBREW_PREFIX@@/opt/capstone/lib/libcapstone.4.dylib (compatibility version 4.0.0, current version 4.0.2)
@@HOMEBREW_PREFIX@@/opt/libpng/lib/libpng16.16.dylib (compatibility version 57.0.0, current version 57.0.0) Which means some RPATH updates (specifically placeholder substitutions) are happening on installation, e.g. try with
This does mean you will need my commit Homebrew/brew#15903 which is only available in HEAD of |
That will be because we don't have Tbh I'd be fine with a revision bump here if it's affecting a number of people. |
@AkihiroSuda is there a plan to bring this solution for users not on HEAD? I agree with @Bo98, a version bump might be the quickest solution to avoid manual codesign? Thanks in advance. |
I can't answer, as I'm not a maintainer. Reopening the issue to get attention from maintainers. |
invalid signature (code or signature have been modified)
(regression in 8.0.4, fixed in 8.0.4-1, re-regression in 8.1.0, fixed again in 8.1.0-1)invalid signature (code or signature have been modified)
(regression in 8.0.4, fixed in 8.0.4-1, re-regression in 8.1.0)
New We can just bump EDIT: Though, if there are any other modifications that happen at install-time that may invalidate code signature, then may still need new |
Closing as should hopefully be fixed with #140643 (binaries have been re-signed in bottle with |
Can someone on this thread verify the latest bottle and confirm the fix? Thanks! 🙏 |
There is a new tag (4.1.7) including this released now. |
I can confirm solution for Thanks for being so fast. |
brew gist-logs <formula>
link ORbrew config
ANDbrew doctor
outputVerification
brew doctor
output" saysYour system is ready to brew.
and am still able to reproduce my issue.brew update
and am still able to reproduce my issue.brew doctor
and that did not fix my problem.What were you trying to do (and why)?
/usr/local/Cellar/qemu/8.1.0/bin/qemu-system-x86_64 -accel hvf
for running a QEMU machine withHypervisor.framework
(HVF)What happened (include all command output)?
It crashes, as the signature on the binary is broken:
What did you expect to happen?
The signature shouldn't be broken.
Step-by-step reproduction instructions (by running
brew
commands)This was a regression in 8.0.4 bottle (#139409), and was once fixed in its rebuild 1, (#139492 , Homebrew/brew#15864), but broken again in 8.1.0.
Workarounds
Option 1: Downgrade QEMU to v8.0.3
Option 2: Install QEMU from the source
Option 3: Sign the QEMU binary locally
Lima v0.17.2 shows a prompt to suggest applying this workaround.
The text was updated successfully, but these errors were encountered: