Python codesign error again

[kylelundstedt]

Hi all,

As you can see below, I'm trying to add a new profile to aws-jumpcloud, and I get a security authorization failure. I had a similar error back in November, but re-setting my Keychain password seemed to fix it. I tried that solution again, but to no avail.

klundstedt@klundstedt-mbp2 ~ % aws-jumpcloud add xxxxxxxx
Enter the JumpCloud SSO URL for "test": https://sso.jumpcloud.com/saml2/xxxxxxxx
Traceback (most recent call last):
  File "/usr/local/Cellar/aws-jumpcloud/2.1.5/libexec/lib/python3.7/site-packages/keyring/backends/OS_X.py", line 38, in set_password
    api.set_generic_password(self.keychain, service, username, password)
  File "/usr/local/Cellar/aws-jumpcloud/2.1.5/libexec/lib/python3.7/site-packages/keyring/backends/_OS_X_API.py", line 256, in set_generic_password
    Error.raise_for_status(status)
  File "/usr/local/Cellar/aws-jumpcloud/2.1.5/libexec/lib/python3.7/site-packages/keyring/backends/_OS_X_API.py", line 47, in raise_for_status
    "Security Auth Failure: make sure "
keyring.backends._OS_X_API.SecAuthFailure: (-67030, 'Security Auth Failure: make sure python is signed with codesign util')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/aws-jumpcloud", line 11, in <module>
    load_entry_point('aws-jumpcloud==2.1.5', 'console_scripts', 'aws-jumpcloud')()
  File "/usr/local/Cellar/aws-jumpcloud/2.1.5/libexec/lib/python3.7/site-packages/aws_jumpcloud/cli.py", line 18, in main
    args.func(args)
  File "/usr/local/Cellar/aws-jumpcloud/2.1.5/libexec/lib/python3.7/site-packages/aws_jumpcloud/commands.py", line 78, in add_profile
    keyring.store_profile(profile)
  File "/usr/local/Cellar/aws-jumpcloud/2.1.5/libexec/lib/python3.7/site-packages/aws_jumpcloud/keyring.py", line 68, in store_profile
    self._save()
  File "/usr/local/Cellar/aws-jumpcloud/2.1.5/libexec/lib/python3.7/site-packages/aws_jumpcloud/keyring.py", line 162, in _save
    keyring.set_password(self._keyring_service, self._keyring_username, json_data)
  File "/usr/local/Cellar/aws-jumpcloud/2.1.5/libexec/lib/python3.7/site-packages/keyring/core.py", line 62, in set_password
    _keyring_backend.set_password(service_name, username, password)
  File "/usr/local/Cellar/aws-jumpcloud/2.1.5/libexec/lib/python3.7/site-packages/keyring/backends/OS_X.py", line 42, in set_password
    raise PasswordSetError("Can't store password on keychain: " "{}".format(e))
keyring.errors.PasswordSetError: Can't store password on keychain: (-67030, 'Security Auth Failure: make sure python is signed with codesign util')

When I check the codesign for the Python version used by aws-jumpcloud, I get the following error:

klundstedt@klundstedt-mbp2 ~ % codesign -v $(which /usr/local/Cellar/aws-jumpcloud/2.1.5/libexec/bin/python3.7)
/usr/local/Cellar/aws-jumpcloud/2.1.5/libexec/bin/python3.7: invalid Info.plist (plist or signature have been modified)
In architecture: x86_64

I'm not sure if that's the issue, or if there's something else that's preventing me from creating a new profile.

Thanks!
Kyle

[javs-perez]

@kylelundstedt could you share the version of aws-jumpcloud you are using?

[kylelundstedt]

Hi Javier!

aws-jumpcloud (2.1.5)
1Password CLI (0.9.2)

[kylelundstedt]

Javier,

I'm not a Python guy, but here's a thought. It looks like the Python executable used by aws-jumpcloud has a code signing error. When I self-sign the python3.7 executable, everything seems to work (see below).

Best
Kyle

➜  bin codesign -v ./python3.7
./python3.7: invalid Info.plist (plist or signature have been modified)
In architecture: x86_64
➜  bin pwd
/usr/local/Cellar/aws-jumpcloud/2.1.5/libexec/bin
➜  bin codesign -v ./python3.7
./python3.7: invalid Info.plist (plist or signature have been modified)
In architecture: x86_64
➜  bin codesign --force --deep --sign ./python3.7
error: The specified item could not be found in the keychain.
➜  bin codesign --force --deep --sign - ./python3.7
./python3.7: replacing existing signature
➜  bin codesign -v ./python3.7
➜  bin aws-jumpcloud list
No profiles found. Use "aws-jumpcloud add <profile>" to store a new profile.
➜  bin aws-jumpcloud add industryvault
Enter the JumpCloud SSO URL for "industryvault": https://xxxxxxxxxxxxx
Profile "industryvault" added.