New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable open RC4 encrypted pdf #520
Comments
How was pikepdf installed? PyPI or some other source? |
Best bet is probably to change macOS build config to
since presumably the macOS OpenSSL-LibreSSL implementation doesn't have/want obsolete crypto like RC4, and the easiest alternative is to compile QPDF's native crypto to ensure legacy support. |
I install with |
I try to building from source, but it is too slow. So, I check if older version still can do, since I already installed in the past and ran my code without error. Latest version that still works is 7.2.0. Since version 8, it returns error like above. Maybe there is change in build system. |
The older binary wheels will have different binaries included. I will probably need to change the build script for macOS. |
I could not reproduce this on macOS Ventura with a build against Homebrew's qpdf or with the most recent wheel. Note that Catalina is 10.15. The wheel only claims support for 11.0 and newer, so it may not link old libraries correctly. Since Catalina is not supported by Homebrew or Apple anymore I'm going to have to close this as something I can't support. If it shows up in newer OS versions I will definitely check. |
Hi @jbarlow83 - I'm seeing this on an Intel Mac with macOS 13.4.1. Same error. Also started with 8.0.0 and later of pikepdf, 7.2.0 works for me; both installed using the provided binary wheels. I also came across this blog post from @cfcurtis https://www.pdfstitcher.org/intel-mac-issue/ which indicated it might be constrained to Intel macs on Ventura (although 14/Sonoma has subsequently been released). I'm going to stick with 7.2.0 for now, but please let me know if I can assist with debugging this or testing any fixes. |
The Intel macOS wheels pass the test suite I have not seen pikepdf's test suite fail for this issue. cibuildwheel does create Python wheels, and then creates a new virtual environment and runs the tests there, so it should be capable. The ARM wheels are built on Cirrus CI. Now, I have seen this issue show up... on the ocrmypdf build, also Intel Mac, although lately it's passing again. I suspect it may have to do with the homebrew versions of libqpdf and openssl, which is the encryption provider. Upgrading all of your homebrew things and pikepdf to 8.10.1. I'd be curious if you're able to install the pikepdf test suite and get it to fail. |
Thanks for taking the time to reply. My understanding of how wheels work has been somewhat broken by further experimentation. I updated my brew (which was more out of date than I expected, perhaps a couple of months), log below. I then set about running the pike tests (apologies if this wasn't what you intended):
I then changed the dependency in the project I was having problems with earlier back to the latest version of pikepdf. Now the tests that were failing with this error earlier all pass. That implies to me that the wheel has some external dependency on some tool, but I expected the wheel to include all of the binary dependencies (essentially acting as statically linked). Unfortunately it would be quite painful to back track from here. I tried downgrading qpdf again but the project's tests still pass.
|
What you tested seems fine. Wheels include the binary dependencies necessary for execution, apart from binaries that are always available on the target system. So nothing in /usr/lib, /Library, /System gets bundled, but homebrew-derived libraries do. That way you don't have to install Homebrew to use Python wheels on a Mac. You can use pikepdf 8.8.0 on PyPI has: (bad version)
pikepdf 8.10.1 has: (good version)
It looks like the inclusion of libssl.3 is the problem. For whatever reason (no relevant build changes on my end), pikepdf 8.8.0 bundled a broken libssl, presumably with legacy providers switched off. pikepdf 8.10.1 does not bundle this library, so some other binary takes over. You have both openssl@1.1 and @3.3 installed; I don't know how priority is settled. It could also be that the system openssl-libressl does the job instead. If you're able to explore further https://github.com/matthew-brett/delocate is the program that gets used to decide what binaries go in a wheel. (I don't have an Intel Mac.) That would answer where a given pikepdf is getting its dylibs from. How this happened, I still don't know. I check qpdf pikepdf delocate and Homebrew's openssl package, and didn't see any relevant changes. I've been tracking this issue for about two weeks since it broke my ocrmypdf build. |
Just now, I test which version works in my machine: OS Catalina For now, my openssl pointing to macport version |
To clarify, I'm fairly confident I originally had the issue with My IntelliJ IDEA local history backs up my recollection of the original version I'd tested against. A quick test shows that
I've reinstalled older versions of openssl@3 and openssl@1.1 under Homebrew and that hasn't recreated the problem. Out of my depth now, but having unpacked the 8.10.1 wheel and looked at what they load there really shouldn't be any external dependencies that my homebrew versions would impact. I'm going to ask colleagues to see if they can reproduce.
|
A colleague has managed to reproduce the error on
After he ran I then managed to reproduce the issue, on my machine, against I've run the test suite with the older version of openssl installed and it works just fine! I suspect that packaging a newer libssl in the wheel might resolve the issue for everyone and that the short term workaround is to upgrade their brewed openssl. For reference, to install
|
Thanks for the mention, I've completely ignored this problem and I have to admit I thought it was an issue with PyInstaller. I'm glad to hear you're making some headway! I don't have an Intel mac myself so it's been very challenging to debug, and when I tried to reproduce it on the GitHub action runners I couldn't get it consistently. I wonder if running |
I won't try to change how delocate decides what to include in the wheel -- "not my circus, not my monkeys". Especially deciding whether to include libssl which has security implications. The solution seems to be to upgrade to openssl to 3.2.0_1 or newer. That's easy enough to ask of users. If it keeps coming up I'll add a note to the error message that "This means your openssl is out of date". Another option in the bag of tricks is to switch to gnutls - I'm avoiding that because it will make the macOS build more complex. |
Unfortunately upgrading openssl did not work when bundling the app with PyInstaller. However, thanks for the tip on v7.2.0 - I will try rolling back the pikepdf version and see if that helps. |
Users reported trouble with open legacy encrypted files on macOS specifically, e.g. #520 It appears this is because we were using Homebrew's qpdf which is currently linked against Homebrew's openssl, which is phasing out legacy crypto and needs to be compiled in a special mode to enable it. Understandable but inconvenient for us. So now we build and link against our own libqpdf, which in turn is linked against gnutls, which does not seem to have the same issues. All of our Linux and macOS builds are doing the same thing now, rather than being split on crypto provider.
@cfcurtis 8.11.1 replaces openssl with gnutls which should...hopefully.. fix this. |
OS: MacOS Catalina
OpenSSL: LibreSSL 2.8.3
Python: 3.11.0
PikePDF: 8.4.1
The text was updated successfully, but these errors were encountered: