macOS Catalina error: “terraform” cannot be opened because the developer cannot be verified. #23033

Closed
roura356a opened this issue Oct 8, 2019 · 39 comments

@roura356a roura356a commented Oct 8, 2019

Terraform Version

terraform_0.12.10_darwin_amd64

Expected Behavior

It should run.

Actual Behavior

Screen Shot 2019-10-09 at 8 44 03 am

Steps to Reproduce

Run any terraform command.

@roura356a roura356a changed the title “terraform” cannot be opened because the developer cannot be verified. macOS Catalina error: “terraform” cannot be opened because the developer cannot be verified. Oct 8, 2019

@roura356a roura356a (Author) commented Oct 8, 2019

Apparently, the workaround is quite painful:

  • In the Finder on your Mac, locate the app you want to open.
  • Control-click the app icon, then choose Open from the shortcut menu.
  • Click Open.

The app is saved as an exception to your security settings, and you can open it in the future by double-clicking it or from cli, just as you can with any authorised app.

@teamterraform teamterraform (Collaborator) commented Oct 9, 2019

Hi @roura356a! Thanks for reporting this.

Indeed the new version of MacOS is stricter about running software you've downloaded that isn't signed with an Apple developer key. Terraform distributions are signed with a HashiCorp key with signatures distributed out of band on releases.hashicorp.com, but MacOS Catalina is requiring participation in Apple's developer program specifically, and Terraform is currently not built to support that.

Thank you for sharing your workaround. We're looking into the best way to proceed here to see if we can make this work better.

@EmpireJones EmpireJones commented Oct 10, 2019

sudo spctl --master-disable to allow apps downloaded from Anywhere

@rajdeepbhatia rajdeepbhatia commented Oct 10, 2019

> sudo spctl --master-disable to allow apps downloaded from Anywhere

@EmpireJones Is there a way to do it for a specific app only?

@aprofromindia aprofromindia commented Oct 10, 2019

Another simpler way is to go to System Preferences -> Security & Privacy -> General and enable any blocked app from the "Allow apps downloaded from" pane at the bottom of the window.

@michtio michtio commented Oct 10, 2019

@aprofromindia agreed, just like it always worked in Mac OS when you had security settings. Whenever an app is blocked, you just have to allow it there.

@paliwalvimal paliwalvimal commented Oct 14, 2019

Removing existing terraform executable and installing it with brew install terraform solved the problem for me.

@jimmywan jimmywan commented Oct 14, 2019

> Another simpler way is to go to System Preferences -> Security & Privacy -> General and enable any blocked app from Allow apps downloaded from pane at the bottom of the window.

This does not appear to be available in Catalina.

Screen Shot 2019-10-14 at 15 13 30

>   • In the Finder on your Mac, locate the app you want to open.
>   • Control-click the app icon, then choose Open from the shortcut menu.
>   • Click Open.
>
> The app is saved as an exception to your security settings, and you can open it in the future by double-clicking it or from cli, just as you can any authorised app.

This does work.

@jbayer jbayer (Member) commented Oct 15, 2019

This is affecting all HashiCorp binaries on Catalina. We are looking into the macOS notarizing process to no longer require these work-arounds on Catalina. We will provide an update when we learn more about this.

Here is the process I used to run the existing binaries on Catalina that does not require control-click. First I open the "Security & Privacy" control panel from System Preferences.

  1. Attempt to run the binary after upgrading to Catalina. It will fail. Click cancel instead of moving it to the trash. You should see Killed: 9 as output in the terminal.

Screenshot 2019-10-15 09 19 36

  2. The "Security & Privacy" panel, "General" tab is updated to reflect that the binary was recently prevented from running. I clicked "Allow Anyway".

Screenshot 2019-10-15 09 19 56

  3. Attempt to run the binary again. This time a different prompt is shown and you are able to select "Open". After clicking open, the binary should run as you expect.

Screenshot 2019-10-15 09 20 07

@anksank anksank commented Oct 18, 2019

Try giving access to the Terminal in Security & Privacy under System Preferences, and then run the command in Terminal after restarting it.

Screenshot 2019-10-18 at 10 33 47 AM

@mfekadu mfekadu commented Oct 21, 2019

Had a similar issue with racket so that supports the idea that this issue is macOS Catalina specific.

The simple answer that @roura356a shared worked for me (just locate file > right click > open).

Good to know there are other workarounds too.

image

“racket” cannot be opened because the developer cannot be verified.

Thanks for the wonderful and generally applicable workarounds!

@weldpua2008 weldpua2008 commented Oct 30, 2019

Same issue with 0.12.12

@davidainslie davidainslie commented Oct 31, 2019

Argh! Same with latest Java (version 13.0.1)

@bahaa bahaa commented Nov 1, 2019

The only solution that worked for me is to delete the com.apple.quarantine extended attribute from the downloaded directory of the app. For example this command solved the issue with GraalVM:

xattr -d com.apple.quarantine /Library/Java/JavaVirtualMachines/graalvm-ce-19.2.1

@jbayer jbayer (Member) commented Nov 1, 2019

I've learned a bit more about this. The com.apple.quarantine metadata attribute is set on files by applications like browsers that download files over the network. It is possible to remove the com.apple.quarantine metadata attribute with a user that has permission to do it. Additionally there are some other alternatives mentioned by MITRE that avoid the attribute being set on files.

Apps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won’t set this flag.

@jefpauwels jefpauwels commented Nov 13, 2019

If you use the -r flag, this will run recursively:

xattr -r -d com.apple.quarantine /path/to/dir

This works, thanks a lot.

@kirinzer kirinzer commented Nov 19, 2019

@roura356a It worked, pretty cool! Thx.

@danieldreier danieldreier (Contributor) commented Dec 5, 2019

Hi all! Good news! HashiCorp release engineering has been working hard on getting a process built for OS X Catalina release notarization. We're planning on using this process for the upcoming Terraform 0.12.18 release, which is tentatively scheduled for Wednesday December 11th.

Before then, we'd appreciate your help confirming that our signed binaries work in your environment. We've built an 0.12.18 pre-release solely for the sake of verifying that Catalina code notarization is working. I do not recommend using this build for production use - it's just for the sake of validating that we've added Apple notarization to the release process correctly.

Here's the output of codesign on the terraform binary in that attached zip:

codesign -dv --verbose=4  terraform                                                                                                                                127 ↵  956  10:19:50
Executable=/Users/danieldreier/Downloads/terraform
Identifier=terraform
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=442581 flags=0x10000(runtime) hashes=13825+2 location=embedded
VersionPlatform=1
VersionMin=657664
VersionSDK=657664
Hash type=sha256 size=32
CandidateCDHash sha1=a9b11c0f3308e0688cc869ba91292987a477c7fb
CandidateCDHash sha256=a057f871b185c90cce79436afc7ed55769c8ef90
Hash choices=sha1,sha256
Page size=4096
CDHash=a057f871b185c90cce79436afc7ed55769c8ef90
Signature size=9060
Authority=Developer ID Application: Hashicorp, Inc. (D38WU7D763)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Dec 5, 2019 at 7:41:22 AM
Info.plist=not bound
TeamIdentifier=D38WU7D763
Runtime Version=10.9.0
Sealed Resources=none
Internal requirements count=1 size=172

If you care about this issue, please download that zip, run it on your Catalina OS X machine, and let us know here if you run into notarization issues. If we don't get any negative feedback here, we'll move forward and start notarizing future terraform releases starting on 0.12.18.

And, again, when you're done please do not use this as 0.12.18 - throw it away when you're done and don't install it permanently.
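
Added example (not part of the original thread and not HashiCorp's tooling): a small parser for the `codesign -dv --verbose=4` output quoted in the comment above, checking the fields that matter when validating a release binary. The function names and the policy checks are assumptions made for illustration; the sample text and the Team ID come from that comment.

```python
import re

# `codesign -dv --verbose=4` output quoted from the comment above (abridged).
SAMPLE = """\
Executable=/Users/danieldreier/Downloads/terraform
Identifier=terraform
CodeDirectory v=20500 size=442581 flags=0x10000(runtime) hashes=13825+2 location=embedded
Authority=Developer ID Application: Hashicorp, Inc. (D38WU7D763)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Dec 5, 2019 at 7:41:22 AM
TeamIdentifier=D38WU7D763
"""

CS_RUNTIME = 0x10000  # hardened-runtime bit, printed as "(runtime)"


def parse_codesign(text):
    """Parse key=value lines; Authority repeats (leaf first), so it is a list."""
    info = {"Authority": [], "flags": 0}
    for line in text.splitlines():
        if line.startswith("CodeDirectory "):
            m = re.search(r"flags=0x([0-9a-fA-F]+)", line)
            if m:
                info["flags"] = int(m.group(1), 16)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["Authority"].append(value.strip())
        else:
            info[key.strip()] = value.strip()
    return info


def check_signature(info, expected_team):
    """Return a list of policy problems; an empty list means all checks passed."""
    problems = []
    chain = info["Authority"]
    if info.get("TeamIdentifier") != expected_team:
        problems.append("unexpected TeamIdentifier: %r" % info.get("TeamIdentifier"))
    if not chain or not chain[0].startswith("Developer ID Application:"):
        problems.append("leaf certificate is not a Developer ID Application cert")
    elif not chain[0].endswith("(%s)" % expected_team):
        problems.append("leaf certificate names a different team")
    if not chain or chain[-1] != "Apple Root CA":
        problems.append("chain does not end at Apple Root CA")
    if not info["flags"] & CS_RUNTIME:
        problems.append("hardened runtime flag is not set")
    if "Timestamp" not in info:
        problems.append("no Timestamp field")
    return problems


if __name__ == "__main__":
    print(check_signature(parse_codesign(SAMPLE), "D38WU7D763") or "OK")
```

`codesign` writes this display output to stderr, so capture it with `2>&1` before parsing. The fields only describe the signature; `codesign --verify` is what validates it.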

@JoeyGarcia JoeyGarcia commented Dec 5, 2019

I downloaded 0.12.18 pre-release and tried getting it to run on my MacOS w/Catalina and I still get no response. I did update my XCode Tools before this so that I can get the Developer Tools icon to show up in the Security & Privacy dialog in the Privacy window based on the post above. I also clicked Agree to allow the terraform app to run even though it is an application purchased through the App Store.

So after doing all the above, I open a new terminal window and navigate to the downloaded terraform app (already unzipped) and try to run it and it just hangs; no response. I voted down the post above indicating my issue with the terraform cli is not fixed with this release. I kinda need to get this working, I would have to have to roll back just to use terraform.

@mdeggies mdeggies (Contributor) commented Dec 5, 2019

> I downloaded 0.12.18 pre-release and tried getting it to run on my MacOS w/Catalina and I still get no response. I did update my XCode Tools before this so that I can get the Developer Tools icon to show up in the Security & Privacy dialog in the Privacy window based on the post above. I also clicked Agree to allow the terraform app to run even though it is an application purchased through the App Store.
>
> So after doing all the above, I open a new terminal window and navigate to the downloaded terraform app (already unzipped) and try to run it and it just hangs; no response. I voted down the post above indicating my issue with the terraform cli is not fixed with this release. I kinda need to get this working, I would have to have to roll back just to use terraform.

Sorry you're still having issues with this. Do you have time for a screenshare so we can help sort this out? You can reach me at mdegges@hashicorp.com.

Edit:

Below are the steps you can use to test the 0.12.18 pre-release binary

  1. Navigate to https://github.com/hashicorp/terraform/files/3928438/terraform-v0.12.18-prerelease-catalina-signed__darwin_amd64.zip in a browser to download the zipfile
  2. Run open /path/to/terraform-v0.12.18-prerelease-catalina-signed__darwin_amd64.zip in your terminal. The terraform binary will now be available for use
  3. Run /path/to/terraform in your terminal to view the available commands
  4. Test out a command, e.g. /path/to/terraform version to view the version

@JoeyGarcia JoeyGarcia commented Dec 5, 2019

Update: I uninstalled all the versions of terraform and reinstalled it using Brew and it installed this version: https://homebrew.bintray.com/bottles/terraform-0.12.17.catalina.bottle.tar.gz

And it worked perfectly.

@wavemoran wavemoran commented Dec 5, 2019

> Below are the steps you can use to test the 0.12.18 pre-release binary
>
>   1. Navigate to https://github.com/hashicorp/terraform/files/3928438/terraform-v0.12.18-prerelease-catalina-signed__darwin_amd64.zip in a browser to download the zipfile
>   2. Run open /path/to/terraform-v0.12.18-prerelease-catalina-signed__darwin_amd64.zip in your terminal. The terraform binary will now be available for use
>   3. Run /path/to/terraform in your terminal to view the available commands
>   4. Test out a command, e.g. /path/to/terraform version to view the version

Followed these steps and received no prompt. Everything worked as expected.

@ryanmaclean ryanmaclean commented Dec 5, 2019

Same here - steps followed, no prompt:
image

@sanspace sanspace commented Dec 9, 2019

@danieldreier When can we expect this pre-release to become an actual release? The notarization process seems to work fine. Is it possible to make a release with this ASAP?

@pselle pselle (Contributor) commented Dec 9, 2019

@sanspace We're planning a release this week! We know people are eager to have this 😄

@chenrui333 chenrui333 commented Dec 11, 2019

brew install terraform should be the easiest way for latest installation.

@pkolyvas pkolyvas (Contributor) commented Dec 11, 2019

Terraform 0.12.18 has been released with a notarized binary for OS X 10.15+: https://github.com/hashicorp/terraform/releases/tag/v0.12.18

A huge thanks to the community for your help and patience.

From the changelog:

NOTES:

@pkolyvas pkolyvas closed this Dec 11, 2019

@iiro iiro commented Dec 11, 2019

This is really awesome. Sorry for commenting on a closed issue, but @pkolyvas - does this apply to providers as well, or is only Terraform core signed...? The reason I'm asking is, the providers seem to be executing as different binaries. Some security software on Windows/Macs tends to block terraform - and not having signed binaries has been a painful issue also on those before, hence the question.

@mdeggies mdeggies (Contributor) commented Dec 11, 2019

> The reason I'm asking is, the providers seem to be executing as different binaries. Some security software on Windows/Macs tend to block terraform - and not having signed binaries has been a painful issue also on those before, hence the question.

Are you running into any errors trying to use the providers with the latest terraform core release? Testing with the AWS and GCP providers on my end doesn't reveal any errors, but we're happy to help troubleshoot if you can send over repro steps.

@iiro iiro commented Dec 12, 2019

> Are you running into any errors trying to use the providers with the latest terraform core release? Testing with the AWS and GCP providers on my end doesn't reveal any errors, but we're happy to help troubleshoot if you can send over repro steps.

I need to test this with our company's IT support to see how this works or not. Let's see... What I've understood is, it is the provider binary (AWS as an example) which would communicate with AWS APIs, hence I think the provider binary should also be signed so it could be whitelisted.

@jbayer jbayer (Member) commented Dec 12, 2019

@iiro my understanding of the way the new MacOS protections work is that specified MacOS programs (such as web browsers like Chrome, Safari, Firefox) will add file system extended attributes like com.apple.quarantine that denote that files were downloaded from the internet if the files are not notarized. So if you download the AWS Provider directly from a browser, I believe you would need the file notarized or explicitly enable it to work.

However, in the typical terraform workflow, the standard terraform binary that is signed will download the providers and does not add the file system extended attributes for the provider binaries that it downloads. That's why I think this worked in @mdeggies' example.

@pselle pselle (Contributor) commented Dec 12, 2019

Friendly reminder that this is a closed issue and will be locked eventually -- any new issues should be reported as such (but it seems like what has followed has generally been discussion).

Please open a new issue for any existing, or emergent, issues related to this, but the original issue is closed.

@phanimullapudi phanimullapudi commented Jan 8, 2020

> Another simpler way is to go to System Preferences -> Security & Privacy -> General and enable any blocked app from Allow apps downloaded from pane at the bottom of the window.

Good one...
Most of the new apps get blocked after the upgrade. You can see that terraform is blocked when you open Security and Privacy, and then allow it, instead of allowing all of them as told by some people.

@ghost ghost commented Jan 11, 2020

I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@hashicorp hashicorp locked and limited conversation to collaborators Jan 11, 2020