
Unable to run latest irb with apparent code signing issue

Open longspell opened this issue 6 years ago • 3 comments

Description

Fresh install of chef-workstation-0.16.31-1.dmg on OSX 10.14.6 is unable to run upgraded irb

Chef Workstation Version

0.16.31

Platform Version

OSX 10.14.6

Immediately after installing chef-workstation, I ran gem install irb to get the latest version of irb. This resulted in the following gems being installed into ~/.chefdk/gems:

$ gem install irb
Fetching reline-0.1.3.gem
Fetching io-console-0.5.6.gem
Fetching irb-1.2.3.gem
Building native extensions. This could take a while...
Successfully installed io-console-0.5.6
Successfully installed reline-0.1.3
Successfully installed irb-1.2.3
Done installing documentation for io-console, reline, irb after 1 seconds
3 gems installed

Then, running the newly installed irb I get the following:

Traceback (most recent call last):
        15: from /Users/longspell/.chefdk/gem/ruby/2.6.0/bin/irb:23:in `<main>'
        14: from /Users/longspell/.chefdk/gem/ruby/2.6.0/bin/irb:23:in `load'
        13: from /Users/longspell/.chefdk/gem/ruby/2.6.0/gems/irb-1.2.3/exe/irb:9:in `<top (required)>'
        12: from /opt/chef-workstation/embedded/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
        11: from /opt/chef-workstation/embedded/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
        10: from /Users/longspell/.chefdk/gem/ruby/2.6.0/gems/irb-1.2.3/lib/irb.rb:15:in `<top (required)>'
         9: from /opt/chef-workstation/embedded/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
         8: from /opt/chef-workstation/embedded/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
         7: from /Users/longspell/.chefdk/gem/ruby/2.6.0/gems/irb-1.2.3/lib/irb/context.rb:14:in `<top (required)>'
         6: from /Users/longspell/.chefdk/gem/ruby/2.6.0/gems/irb-1.2.3/lib/irb/context.rb:14:in `require_relative'
         5: from /Users/longspell/.chefdk/gem/ruby/2.6.0/gems/irb-1.2.3/lib/irb/input-method.rb:15:in `<top (required)>'
         4: from /opt/chef-workstation/embedded/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
         3: from /opt/chef-workstation/embedded/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
         2: from /Users/longspell/.chefdk/gem/ruby/2.6.0/gems/reline-0.1.3/lib/reline.rb:1:in `<top (required)>'
         1: from /opt/chef-workstation/embedded/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require'
/opt/chef-workstation/embedded/lib/ruby/2.6.0/rubygems/core_ext/kernel_require.rb:54:in `require': dlopen(/Users/longspell/.chefdk/gem/ruby/2.6.0/gems/io-console-0.5.6/lib/io/console.bundle, 9): no suitable image found.  Did find: (LoadError)
        /Users/longspell/.chefdk/gem/ruby/2.6.0/gems/io-console-0.5.6/lib/io/console.bundle: code signature in (/Users/longspell/.chefdk/gem/ruby/2.6.0/gems/io-console-0.5.6/lib/io/console.bundle) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed. - /Users/longspell/.chefdk/gem/ruby/2.6.0/gems/io-console-0.5.6/lib/io/console.bundle

longspell avatar Feb 27 '20 16:02 longspell

Uninstalling the latest chef-workstation and instead specifically installing the latest chefdk (https://downloads.chef.io/chefdk/#mac_os_x), the issue does not occur; I can upgrade irb and run it without issue.

$ chef --version
ChefDK version: 4.7.73
Chef Infra Client version: 15.7.32
Chef InSpec version: 4.18.51
Test Kitchen version: 2.3.4
Foodcritic version: 16.2.0
Cookstyle version: 5.20.0

longspell avatar Feb 28 '20 16:02 longspell

First, thank you for taking the time to file such a detailed issue! There are a few things to unwind here:

  1. We haven't really supported gem installs in dk or workstation for some time. Folks still use it so we haven't removed the commands, but with the way we bundle the embedded ruby it's impossible for us to guarantee a working Workstation ruby environment once custom gems are used. We app bundle to prevent custom gems being loaded wherever possible.
  2. With the new signing in macOS Catalina and greater I suspect we'll see this error more often. The OS requires that all binaries and libraries be signed by the same identity or Apple; or that explicit entitlements get added to allow the loading/running of code that is un-signed or signed by a different identity. Since we build the ruby environment from source as part of our build we sign everything we include.
  3. The fact you are seeing different behavior on dk and workstation is definitely odd. At this point we'd expect the same behavior.

I'm not sure when we'll be able to look at this but I'll bring it in for investigation in a future sprint. That being said I'm not sure our fix will be what you are looking for since we really don't expect users to upgrade the ruby bits we ship.

jonsmorrow avatar Mar 04 '20 18:03 jonsmorrow
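
An added example, not part of the original thread or of Chef's own code: a Mach-O file with no LC_CODE_SIGNATURE load command carries no embedded signature at all, which is the "completely unsigned" case in the error above, and this Ruby check finds such .bundle files under a gem directory. It assumes thin 64-bit little-endian Mach-O files; signature_status, unsigned_bundles and sample_macho are names made up for this example. A file reported as signed can still be rejected by Library Validation when its signing identity differs from the loading process.

```ruby
# Added example: flag gem native extensions that carry no embedded code signature.
# Assumption: thin 64-bit little-endian Mach-O files; anything else is :unknown.

MH_MAGIC_64       = 0xfeedfacf # 64-bit Mach-O magic
LC_CODE_SIGNATURE = 0x1d       # load command that points at the signature blob
HEADER_SIZE       = 32         # sizeof(struct mach_header_64)

# Returns :signed, :unsigned, or :unknown for the raw bytes of one file.
def signature_status(bytes)
  return :unknown if bytes.nil? || bytes.bytesize < HEADER_SIZE
  magic, _cpu, _sub, _type, ncmds, sizeofcmds = bytes.unpack("V6")
  return :unknown unless magic == MH_MAGIC_64
  limit = [HEADER_SIZE + sizeofcmds, bytes.bytesize].min
  offset = HEADER_SIZE
  ncmds.times do
    return :unknown if offset + 8 > limit   # truncated load-command table
    cmd, cmdsize = bytes.byteslice(offset, 8).unpack("V2")
    return :unknown if cmdsize < 8          # malformed entry, would never advance
    return :signed if cmd == LC_CODE_SIGNATURE
    offset += cmdsize
  end
  :unsigned
end

# Walks a gem directory and returns the .bundle files with no signature at all.
def unsigned_bundles(gem_dir)
  Dir.glob(File.join(gem_dir, "**", "*.bundle")).sort.select do |path|
    File.file?(path) && signature_status(File.binread(path, 64 * 1024)) == :unsigned
  end
end

# Constructed sample input: a Mach-O header plus 16-byte load commands, no real code.
def sample_macho(cmds)
  body = cmds.map { |cmd| [cmd, 16, 0, 0].pack("V4") }.join
  [MH_MAGIC_64, 0x01000007, 3, 8, cmds.size, body.bytesize, 0, 0].pack("V8") + body
end

# Usage: ruby this_file.rb <gem directory>
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  unsigned_bundles(ARGV[0]).each { |path| puts "unsigned: #{path}" }
end
```
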

My team has run into this issue the last week or two with what we presume to be the release of macOS 10.15.5 as the cause (or perhaps a new version of a gem trying to pull in an unsigned library, we specifically saw openssl called out). We've been using Chef Workstation (and formerly, ChefDK) for a long time as our de facto non-system Ruby environment and while occasionally there are some gem conflicts, we never really ran into a major problem until Apple seemingly bumped up the code signing requirements. I get that Chef has no way of signing binaries created by gem installs unfortunately, but it was really convenient not having to deal with yet another Ruby environment on the system.

I think the recommendation here is to use something like rbenv to control your desired Ruby version and gem paths and only use Chef Workstation for its binaries?

mattlqx avatar Jun 10 '20 21:06 mattlqx