lima: ⚠️ QEMU (homebrew) was broken on Intel: `[hostagent] Driver stopped due to error: "signal: abort trap"` (or `"exit status 255"`) ... `QEMU has already exited`

Note

Colima users may still see QEMU binary /Users/<USER>/.colima/_wrapper/<HASH>/bin/qemu-system-x86_64 is not properly signed with the latest version of QEMU:

https://github.com/abiosoft/colima/issues/796

The warning is negligible if the VM is actually working.

The warning should not be printed if you use Lima directly without Colima:
limactl start template://docker

Update (Aug 27, 2023): The issue is solved again in 8.1.0_1 (https://github.com/Homebrew/brew/pull/15903 , ~https://github.com/Homebrew/homebrew-core/pull/140596~ https://github.com/Homebrew/homebrew-core/pull/140643). Run brew reinstall -f --force-bottle qemu to install the updated v8.1.0 bottle.

Update (Aug 23, 2023): This seems to be broken again in v8.1.0 😞 (https://github.com/Homebrew/homebrew-core/issues/140244) . See the Workarounds below.

Update (Aug 14, 2023): The issue is now solved in https://github.com/Homebrew/homebrew-core/pull/139492 . Run brew reinstall -f --force-bottle qemu to install the updated v8.0.4 bottle.

Homebrew bottle of QEMU v8.0.4 (Intel) ~is~ was broken due to a signing issue: https://github.com/Homebrew/homebrew-core/pull/139409

$ limactl start
...
[hostagent] Driver stopped due to error: "signal: abort trap" 
...
[hostagent] QEMU has already exited
...

$ qemu-system-x86_64 -accel hvf
qemu-system-x86_64: -accel hvf: Unknown Error
Abort trap: 6

$ codesign --verify /usr/local/Cellar/qemu/8.0.4/bin/qemu-system-x86_64 
/usr/local/Cellar/qemu/8.0.4/bin/qemu-system-x86_64: invalid signature (code or signature have been modified)
In architecture: x86_64

(The error message can be also [hostagent] Driver stopped due to error: "exit status 255")

Workarounds

Option 1: Downgrade QEMU to v8.0.3

brew uninstall qemu
curl -OSL https://raw.githubusercontent.com/Homebrew/homebrew-core/dc0669eca9479e9eeb495397ba3a7480aaa45c2e/Formula/qemu.rb
brew install ./qemu.rb

Option 2: Install QEMU from the source

brew uninstall qemu
brew install --build-from-source qemu

Option 3: Sign the QEMU binary locally

Lima v0.17.2 shows a prompt to suggest applying this workaround.

cat >entitlements.xml <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.hypervisor</key>
    <true/>
</dict>
</plist>
EOF

codesign --sign - --entitlements entitlements.xml --force /usr/local/bin/qemu-system-$(uname -m | sed -e s/arm64/aarch64/)

Thanks to @z0sen for reporting this in https://github.com/abiosoft/colima/issues/777

About this issue

Original URL
State: closed
Created a year ago
Reactions: 12
Comments: 23 (12 by maintainers)

Commits related to this issue

Fix Flux and Mac OS CI steps The Flux CI step often fails because the `attrs` module cannot be found on the system. This commit fixes this behaviour by explicitly installing the module through `pip` ... — committed to alpha-unito/streamflow by GlassOfWhiskey 10 months ago
Fix Flux and Mac OS CI steps The Flux CI step often fails because the `attrs` module cannot be found on the system. This commit fixes this behaviour by explicitly installing the module through `pip` ... — committed to alpha-unito/streamflow by GlassOfWhiskey 10 months ago
Fix Flux and Mac OS CI steps The Flux CI step often fails because the `attrs` module cannot be found on the system. This commit fixes this behaviour by explicitly installing the module through `pip` ... — committed to alpha-unito/streamflow by GlassOfWhiskey 10 months ago
Fix Flux and Mac OS CI steps The Flux CI step often fails because the `attrs` module cannot be found on the system. This commit fixes this behaviour by explicitly installing the module through `pip` ... — committed to alpha-unito/streamflow by GlassOfWhiskey 10 months ago
Fix Flux and Mac OS CI steps The Flux CI step often fails because the `attrs` module cannot be found on the system. This commit fixes this behaviour by explicitly installing the module through `pip` ... — committed to alpha-unito/streamflow by GlassOfWhiskey 10 months ago
Fix Flux and Mac OS CI steps The Flux CI step often fails because the `attrs` module cannot be found on the system. This commit fixes this behaviour by explicitly installing the module through `pip` ... — committed to alpha-unito/streamflow by GlassOfWhiskey 10 months ago
Fix Flux and Mac OS CI steps The Flux CI step often fails because the `attrs` module cannot be found on the system. This commit fixes this behaviour by explicitly installing the module through `pip` ... — committed to alpha-unito/streamflow by GlassOfWhiskey 10 months ago
Fix Flux and Mac OS CI steps The Flux CI step often fails because the `attrs` module cannot be found on the system. This commit fixes this behaviour by explicitly installing the module through `pip` ... — committed to alpha-unito/streamflow by GlassOfWhiskey 10 months ago
Fix Flux and Mac OS CI steps (#209) The Flux CI step often fails because the `attrs` module cannot be found on the system. This commit fixes this behaviour by explicitly installing the module throu... — committed to alpha-unito/streamflow by GlassOfWhiskey 10 months ago
Fix Mac OS CI steps As per issue lima-vm/lima#1742, the QEMU 8.1.0 Homebrew package is broken on Intel architectures. This commit upgrades the `douglascamata/setup-docker-macos-action` to version `v1... — committed to alpha-unito/streamflow-postgresql by GlassOfWhiskey 10 months ago
Fix Mac OS CI steps (#26) As per issue lima-vm/lima#1742, the QEMU 8.1.0 Homebrew package is broken on Intel architectures. This commit upgrades the `douglascamata/setup-docker-macos-action` to ver... — committed to alpha-unito/streamflow-postgresql by GlassOfWhiskey 10 months ago

Most upvoted comments

The issue is solved again in 8.1.0_1 (https://github.com/Homebrew/brew/pull/15903 , ~https://github.com/Homebrew/homebrew-core/pull/140596~ https://github.com/Homebrew/homebrew-core/pull/140643).

Run brew reinstall -f --force-bottle qemu to install the updated v8.1.0 bottle.

AkihiroSuda on Sep 4, 2023

I was able to work around the issue by manually signing the wrapper link: codesign --sign - --entitlements entitlements.xml --force /Users/eq/.colima/_wrapper/4e1b408f843d1c63afbbdcf80c40e4c88d33509f/bin/qemu-system-x86_64

Along with these binaries (which are signed, now, after I trod a path of destruction through all plausible binaries and therefore cannot un-sign to test and see whether signing them is needed): /usr/local/bin/qemu-system-x86_64 /usr/local/Cellar/qemu/8.1.0_1/bin/qemu-system-x86_64

From my slightly-cleaned-up-for-display error below, something seems to be checking whether the wrapper itself is signed. On my system, the wrapper is a link to /usr/local/bin/colima which is signed. So I’m pretty confused bout this check but things are working.

INFO[0000] starting ...                                  context=vm
> Using the existing instance "colima"
> "QEMU binary
/Users/eq/.colima/_wrapper/4e1b408f843d1c63afbbdcf80c40e4c88d33509f/bin/qemu-system-x86_64 
is not properly signed with the com.apple.security.hypervisor entitlement" 
error="failed to run [
  codesign --verify /Users/eq/.colima/_wrapper/4e1b408f843d1c63afbbdcf80c40e4c88d33509f/bin/qemu-system-x86_64
]: exit status 1 (out=
  /Users/eq/.colima/_wrapper/4e1b408f843d1c63afbbdcf80c40e4c88d33509f/bin/qemu-system-x86_64:
  code object is not signed at all
  In architecture: x86_64
)"
> You have to sign the QEMU binary with the "com.apple.security.hypervisor" entitlement manually.
See https://github.com/lima-vm/lima/issues/1742 .
> [hostagent] Starting QEMU (hint: to watch the boot progress, see "/Users/ewehrwein/.lima/colima/serial*.log")
> SSH Local Port: 51848
> [hostagent] Waiting for the essential requirement 1 of 5: "ssh"
^C

edw-eqix on Aug 31, 2023

It doesn’t seem to be fixed for me. When starting colima it is still saying:

/Users/jan/.colima/_wrapper/4e1b408f843d1c63afbbdcf80c40e4c88d33509f/bin/qemu-system-x86_64\" is not properly signed

Since I have this issue I can also no longer build containers.

Here below the complete log

mac-jan:my-question-generator jan$ brew reinstall -f --force-bottle qemu
==> Fetching qemu
==> Downloading https://ghcr.io/v2/homebrew/core/qemu/manifests/8.1.0_1-1
Already downloaded: /Users/jan/Library/Caches/Homebrew/downloads/e9d42585f1662261d504025b0202672ee9fb0633dd8be378c825c484b68ee297--qemu-8.1.0_1-1.bottle_manifest.json
==> Downloading https://ghcr.io/v2/homebrew/core/qemu/blobs/sha256:845671e9625736ab6a15108d369e47f5a6b20b8f6d0e99ba1a3f39d18df1c94d
Already downloaded: /Users/jan/Library/Caches/Homebrew/downloads/bd376e9d023c700e820d08094f41d7ce9e3e8befb13dd644aeb39e91633ad4db--qemu--8.1.0_1.ventura.bottle.1.tar.gz
==> Reinstalling qemu 
==> Pouring qemu--8.1.0_1.ventura.bottle.1.tar.gz
🍺  /usr/local/Cellar/qemu/8.1.0_1: 162 files, 528.8MB
==> Running `brew cleanup qemu`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
mac-jan:my-question-generator jan$ brew install colima
==> Downloading https://formulae.brew.sh/api/formula.jws.json
######################################################################################################################################################################################### 100.0%
==> Downloading https://formulae.brew.sh/api/cask.jws.json
######################################################################################################################################################################################### 100.0%
Warning: colima 0.5.5 is already installed and up-to-date.
To reinstall 0.5.5, run:
  brew reinstall colima
mac-jan:my-question-generator jan$ colima start
INFO[0000] starting colima                              
INFO[0000] runtime: docker                              
INFO[0000] preparing network ...                         context=vm
INFO[0000] starting ...                                  context=vm
> "QEMU binary \"/Users/jan/.colima/_wrapper/4e1b408f843d1c63afbbdcf80c40e4c88d33509f/bin/qemu-system-x86_64\" is not properly signed with the \"com.apple.security.hypervisor\" entitlement" error="failed to run [codesign --verify /Users/jan/.colima/_wrapper/4e1b408f843d1c63afbbdcf80c40e4c88d33509f/bin/qemu-system-x86_64]: exit status 1 (out=\"/Users/jan/.colima/_wrapper/4e1b408f843d1c63afbbdcf80c40e4c88d33509f/bin/qemu-system-x86_64: code object is not signed at all\\nIn architecture: x86_64\\n\")"
> You have to sign the QEMU binary with the "com.apple.security.hypervisor" entitlement manually. See https://github.com/lima-vm/lima/issues/1742 .
> [hostagent] Starting QEMU (hint: to watch the boot progress, see "/Users/jan/.lima/colima/serial*.log")
> SSH Local Port: 51472
> [hostagent] Waiting for the essential requirement 1 of 5: "ssh"
> [hostagent] Waiting for the essential requirement 1 of 5: "ssh"

janvda on Aug 30, 2023

@janvda Using Lima without Colima may work as a workaround: limactl start template://docker

Removing ~/.colima/_wrapper may work too.

AkihiroSuda on Aug 30, 2023

Still seeing this when I run colima start after running brew reinstall -f --force-bottle qemu:

time=“2023-08-16T11:22:47-04:00” level=warning msg=“QEMU binary "/Users/mossity/.colima/_wrapper/3a9197e1ca3cd2da076da2b473d7a7eb118e2cca/bin/qemu-system-aarch64" is not properly signed with the "com.apple.security.hypervisor" entitlement” error=“binary "/Users/mossity/.colima/_wrapper/3a9197e1ca3cd2da076da2b473d7a7eb118e2cca/bin/qemu-system-aarch64" seems signed but lacking the "com.apple.security.hypervisor" entitlement” time=“2023-08-16T11:22:47-04:00” level=warning msg=“You have to sign the QEMU binary with the "com.apple.security.hypervisor" entitlement manually. See https://github.com/lima-vm/lima/issues/1742 .”

Not sure if this is a lima or a colima problem. The VM does seem to start fine in spite of the warning.

benmoss on Aug 16, 2023