OSX - Unsigned library raises error for python3 modular input?

paolo_prigione1
New Member

Hi, I developed a modular input that makes use of the Python Cryptodome library (https://pycryptodome.readthedocs.io). When executing it on Mac OS X Ventura, it raises the error:

    ... _raw_ecb.abi3.so' not valid for use in process: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.

When executing the same code with a brew-installed python3.7, the code runs fine.

Minimal example

    # create and activate a virtual environment:
    python3.7 -m venv venv
    source venv/bin/activate
    # install necessary lib
    python3.7 -m pip install pycryptodomex
    # exit the virtual env
    deactivate
    # move to where the packages have been stored
    cd venv/lib/python3.7/site-packages

Test #1

Execute "python3.7", and then type:

         from Cryptodome.Cipher import AES

---> no error is raised

Test #2

Start the python3 interpreter bundled in Splunk:

    splunk cmd python3

    >>> from Cryptodome.Cipher import AES

    OSError: Cannot load native module 'Cryptodome.Cipher._raw_ecb': Not found '_raw_ecb.cpython-37m-darwin.so', Cannot load '_raw_ecb.abi3.so'
    ...
    .../_raw_ecb.abi3.so' not valid for use in process: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.), Not found '_raw_ecb.so'

I found this interesting article about similar problems on Inkscape: https://gitlab.com/inkscape/inkscape/-/issues/2299 and then I executed:

    codesign -d --entitlements - /Applications/Splunk/bin/python3.7m

    Executable=/Applications/Splunk/bin/python3.7m
    [Dict]
        [Key] com.apple.security.cs.disable-executable-page-protection
        [Value] [Bool] true

There is no allowance for unsigned libraries, apparently.

I tried this with Splunk v8.2.7 and v9.0.2 on an Intel-based Mac running OS X Ventura.

Do you have any suggestions?

0 Karma
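The entitlement check described in the post above, as an added example that is not part of the original thread: it parses the `codesign -d --entitlements -` listing and reports whether Apple's `com.apple.security.cs.disable-library-validation` hardened-runtime exception is present. The function names and the second sample listing are constructed for illustration.

```python
import re
import subprocess
import sys

# Apple's hardened-runtime entitlement that lets a process load plug-ins or
# frameworks without requiring them to be signed by Apple or the same team.
LIBRARY_VALIDATION_EXCEPTION = "com.apple.security.cs.disable-library-validation"

# Listing format shown in the post: "[Key] name" followed by "[Bool] true|false".
TOKEN = re.compile(r"\[(Key|Bool)\]\s+(\S+)")

# Listing copied from the post above.
SAMPLE_FROM_POST = """Executable=/Applications/Splunk/bin/python3.7m
[Dict]
    [Key] com.apple.security.cs.disable-executable-page-protection
    [Value] [Bool] true
"""

# Constructed sample (hypothetical binary) that does carry the exception.
SAMPLE_CONSTRUCTED = """Executable=/tmp/example-interpreter
[Dict]
    [Key] com.apple.security.cs.disable-library-validation
    [Value]
        [Bool] true
"""

def parse_entitlements(listing):
    """Map each boolean entitlement in a codesign listing to its value."""
    entitlements, pending_key = {}, None
    for kind, value in TOKEN.findall(listing):
        if kind == "Key":
            pending_key = value          # remember the key until its value arrives
        elif pending_key is not None:
            entitlements[pending_key] = value == "true"
            pending_key = None
    return entitlements

def allows_foreign_libraries(listing):
    """True only if the library-validation exception is present and set to true."""
    return parse_entitlements(listing).get(LIBRARY_VALIDATION_EXCEPTION, False)

if __name__ == "__main__":
    if len(sys.argv) > 1:                # macOS only: inspect a real binary
        proc = subprocess.run(["codesign", "-d", "--entitlements", "-", sys.argv[1]],
                              capture_output=True, text=True)
        listing = proc.stdout + proc.stderr
    else:
        listing = SAMPLE_FROM_POST
    print(parse_entitlements(listing))
    print("library-validation exception:", allows_foreign_libraries(listing))
```

Run without arguments it evaluates the listing from the post; on macOS, pass the path of an interpreter binary to inspect it directly.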

VatsalJagani
SplunkTrust

Not sure if I have the answer to your question but I want to update you regarding one thing:

  • Splunk's Python build is not the same as what is published as the Python build.
  • Splunk removes a lot of unused packages and adds more Splunk-related Python packages.

I hope this helps!!!

0 Karma

paolo_prigione1
New Member

Thanks for pointing that out. It is known to me, and this is the first time I have encountered such an issue.

0 Karma

harry26
Observer

Having roughly the same issue with the cryptography dependency. Did you ever find a solution?

0 Karma

paolo_prigione1
New Member

Not really. I have to try other packages, or re-implement the modular input using Golang and https://github.com/prigio/splunk-go-sdk

0 Karma