Mac OSX: "terraform" or "packer" will damage your computer. You should move it to the trash. Hashicorp tooling security errors.
-A customer asked:
\n\n\nI\"ve just tried to run a Terraform command and got the following error on Mac OSX. What does this mean and how do I fix it?
\n
![\"terraform-damage\"](\"https://user-images.githubusercontent.com/1769996/234879120-900249fa-dc36-4a9f-b1a5-0732411019e6.png\")
\n\n \n","answer":{"body":"## `tldr` What happened?\r\nHashiCorp intentionally invalidated several released binaries (Terraform, Packer, etc) in response to a CircleCI security incident. This means that the versions of the binaries that HashiCorp invalidated will not run properly on Mac OSX. This is expected to affect all HashiCorp projects (terraform, packer, nomad, etc).\r\n\r\n## `tldr` To fix this issue\r\nYou need to delete your current `terraform` or `packer` binary and re-install it again. Terraform, Packer and other HashiCorp binaries that were downloaded before January 23rd are now intended to not work properly. \r\n\r\n## To fix the issue when using `terraform` directly\r\n\r\nDelete your current `terraform` installation. [Re-install Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)\r\n\r\n## To fix the issue when using `tfenv`\r\n\r\nUsers report that it is possible to resolve the issue via `tfenv` by installing the latest version of Terraform. You may receive some errors on `STDOUT`: \r\n```\r\n$ tfenv install 1.2.6\r\nInstalling Terraform v1.2.6\r\nDownloading release tarball from https://releases.hashicorp.com/terraform/1.2.6/terraform_1.2.6_darwin_amd64.zip\r\n######################################################################################################################################################################################################################################################### 100.0%\r\nDownloading SHA hash file from https://releases.hashicorp.com/terraform/1.2.6/terraform_1.2.6_SHA256SUMS\r\n▶ ERROR No UID given but one was expected\r\nUnable to verify OpenPGP signature unless logged into keybase and following hashicorp\r\nArchive: /var/folders/qr/fqg8j0f50p96ss1yl436ls100000gn/T/tfenv_download.XXXXXX.jvmuCTni/terraform_1.2.6_darwin_amd64.zip\r\n inflating: /usr/local/Cellar/tfenv/3.0.0/versions/1.2.6/terraform\r\nInstallation of terraform v1.2.6 successful. To make this your default version, run 'tfenv use 1.2.6'\r\n```\r\n\r\n# Understanding why this issue is occuring\r\n\r\nOn January 3, 2023, CircleCI issued a security alert that they had discovered an unauthorized third party leveraged malware deployed to a CircleCI engineer’s laptop in order to steal a valid, 2FA-backed SSO session. Out of an abundance of caution, they began rotating all API token secrets for all customers. \r\n\r\nRecently, HashiCorp took their own action to rotate the signing key for their RPM packages. As a result, users must now re-download binaries that have been signed with the updated key.\r\nhttps://support.hashicorp.com/hc/en-us/articles/13177506317203","bodyHTML":"
tldr What happened?
\nHashiCorp intentionally invalidated several released binaries (Terraform, Packer, etc) in response to a CircleCI security incident. This means that the versions of the binaries that HashiCorp invalidated will not run properly on Mac OSX. This is expected to affect all HashiCorp projects (terraform, packer, nomad, etc).
\ntldr To fix this issue
\nYou need to delete your current terraform or packer binary and re-install it again. Terraform, Packer and other HashiCorp binaries that were downloaded before January 23rd are now intended to not work properly.
To fix the issue when using terraform directly
\nDelete your current terraform installation. Re-install Terraform
To fix the issue when using tfenv
\nUsers report that it is possible to resolve the issue via tfenv by installing the latest version of Terraform. You may receive some errors on STDOUT:
$ tfenv install 1.2.6\nInstalling Terraform v1.2.6\nDownloading release tarball from https://releases.hashicorp.com/terraform/1.2.6/terraform_1.2.6_darwin_amd64.zip\n######################################################################################################################################################################################################################################################### 100.0%\nDownloading SHA hash file from https://releases.hashicorp.com/terraform/1.2.6/terraform_1.2.6_SHA256SUMS\n▶ ERROR No UID given but one was expected\nUnable to verify OpenPGP signature unless logged into keybase and following hashicorp\nArchive: /var/folders/qr/fqg8j0f50p96ss1yl436ls100000gn/T/tfenv_download.XXXXXX.jvmuCTni/terraform_1.2.6_darwin_amd64.zip\n inflating: /usr/local/Cellar/tfenv/3.0.0/versions/1.2.6/terraform\nInstallation of terraform v1.2.6 successful. To make this your default version, run 'tfenv use 1.2.6'\nUnderstanding why this issue is occuring
\nOn January 3, 2023, CircleCI issued a security alert that they had discovered an unauthorized third party leveraged malware deployed to a CircleCI engineer’s laptop in order to steal a valid, 2FA-backed SSO session. Out of an abundance of caution, they began rotating all API token secrets for all customers.
\nRecently, HashiCorp took their own action to rotate the signing key for their RPM packages. As a result, users must now re-download binaries that have been signed with the updated key.
\nhttps://support.hashicorp.com/hc/en-us/articles/13177506317203
A customer asked:
\n\n\nI\"ve just tried to run a Terraform command and got the following error on Mac OSX. What does this mean and how do I fix it?
\n
\n\n \n","answer":{"body":"## `tldr` What happened?\r\nHashiCorp intentionally invalidated several released binaries (Terraform, Packer, etc) in response to a CircleCI security incident. This means that the versions of the binaries that HashiCorp invalidated will not run properly on Mac OSX. This is expected to affect all HashiCorp projects (terraform, packer, nomad, etc).\r\n\r\n## `tldr` To fix this issue\r\nYou need to delete your current `terraform` or `packer` binary and re-install it again. Terraform, Packer and other HashiCorp binaries that were downloaded before January 23rd are now intended to not work properly. \r\n\r\n## To fix the issue when using `terraform` directly\r\n\r\nDelete your current `terraform` installation. [Re-install Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)\r\n\r\n## To fix the issue when using `tfenv`\r\n\r\nUsers report that it is possible to resolve the issue via `tfenv` by installing the latest version of Terraform. You may receive some errors on `STDOUT`: \r\n```\r\n$ tfenv install 1.2.6\r\nInstalling Terraform v1.2.6\r\nDownloading release tarball from https://releases.hashicorp.com/terraform/1.2.6/terraform_1.2.6_darwin_amd64.zip\r\n######################################################################################################################################################################################################################################################### 100.0%\r\nDownloading SHA hash file from https://releases.hashicorp.com/terraform/1.2.6/terraform_1.2.6_SHA256SUMS\r\n▶ ERROR No UID given but one was expected\r\nUnable to verify OpenPGP signature unless logged into keybase and following hashicorp\r\nArchive: /var/folders/qr/fqg8j0f50p96ss1yl436ls100000gn/T/tfenv_download.XXXXXX.jvmuCTni/terraform_1.2.6_darwin_amd64.zip\r\n inflating: /usr/local/Cellar/tfenv/3.0.0/versions/1.2.6/terraform\r\nInstallation of terraform v1.2.6 successful. To make this your default version, run 'tfenv use 1.2.6'\r\n```\r\n\r\n# Understanding why this issue is occuring\r\n\r\nOn January 3, 2023, CircleCI issued a security alert that they had discovered an unauthorized third party leveraged malware deployed to a CircleCI engineer’s laptop in order to steal a valid, 2FA-backed SSO session. Out of an abundance of caution, they began rotating all API token secrets for all customers. \r\n\r\nRecently, HashiCorp took their own action to rotate the signing key for their RPM packages. As a result, users must now re-download binaries that have been signed with the updated key.\r\nhttps://support.hashicorp.com/hc/en-us/articles/13177506317203","bodyHTML":"
tldr What happened?
\nHashiCorp intentionally invalidated several released binaries (Terraform, Packer, etc) in response to a CircleCI security incident. This means that the versions of the binaries that HashiCorp invalidated will not run properly on Mac OSX. This is expected to affect all HashiCorp projects (terraform, packer, nomad, etc).
\ntldr To fix this issue
\nYou need to delete your current terraform or packer binary and re-install it again. Terraform, Packer and other HashiCorp binaries that were downloaded before January 23rd are now intended to not work properly.
To fix the issue when using terraform directly
\nDelete your current terraform installation. Re-install Terraform
To fix the issue when using tfenv
\nUsers report that it is possible to resolve the issue via tfenv by installing the latest version of Terraform. You may receive some errors on STDOUT:
$ tfenv install 1.2.6\nInstalling Terraform v1.2.6\nDownloading release tarball from https://releases.hashicorp.com/terraform/1.2.6/terraform_1.2.6_darwin_amd64.zip\n######################################################################################################################################################################################################################################################### 100.0%\nDownloading SHA hash file from https://releases.hashicorp.com/terraform/1.2.6/terraform_1.2.6_SHA256SUMS\n▶ ERROR No UID given but one was expected\nUnable to verify OpenPGP signature unless logged into keybase and following hashicorp\nArchive: /var/folders/qr/fqg8j0f50p96ss1yl436ls100000gn/T/tfenv_download.XXXXXX.jvmuCTni/terraform_1.2.6_darwin_amd64.zip\n inflating: /usr/local/Cellar/tfenv/3.0.0/versions/1.2.6/terraform\nInstallation of terraform v1.2.6 successful. To make this your default version, run 'tfenv use 1.2.6'\nUnderstanding why this issue is occuring
\nOn January 3, 2023, CircleCI issued a security alert that they had discovered an unauthorized third party leveraged malware deployed to a CircleCI engineer’s laptop in order to steal a valid, 2FA-backed SSO session. Out of an abundance of caution, they began rotating all API token secrets for all customers.
\nRecently, HashiCorp took their own action to rotate the signing key for their RPM packages. As a result, users must now re-download binaries that have been signed with the updated key.
\nhttps://support.hashicorp.com/hc/en-us/articles/13177506317203
![\"unlink-github\"](\"https://user-images.githubusercontent.com/21035422/239361741-ab96fc47-c051-4a16-adae-5c4d4961715b.png\")