if homebrew openssl is linked, cryptography builds an unusable wheel #2138
Comments
|
Oops, the "by OpenStack developers" was supposed to be a link, like this: by OpenStack developers |
|
Apparently I misspoke, I also can't build a wheel against homebrew openssl manually; the error is: |
|
|
|
I beleive this si a dupe of #2006 |
|
I’m not sure it’s a dupe; 2006 is about how the cache confuses ppl. This sounds like a general build problem? |
|
Yeah this is a new thing, and actually a reasonably serious issue since it turns out homebrew no longer makes OpenSSL keg only as of two days ago (see: Homebrew/legacy-homebrew@9ca3c05#diff-5f8300a99f5c14b861dfa8eff2905a16) Apple's CLI tools for El Capitan do not ship OpenSSL headers any more. So, hopefully this is something we can control, although I'm not sure how. |
|
The only thing required to replicate this on my machine is homebrew (with linked openssl. This is the default behavior as of 1.0.2d) and running I believe that it's looking at the headers for /usr/local/include/openssl but then linking against /usr/lib/lib{crypto,ssl}. When running If I run I thought the linker default path in OS X was |
|
FWIW, |
|
I'm removing the milestone since the fix for this is not under our control (other than some potential documentation work). |
|
Worth noting: this happens with system python, python.org python, and pyenv python, but not, for some reason, with homebrew python. I still haven't figured out exactly why. |
|
I think that tweaks to |
We discussed this in IRC; after setting That makes me worried about whether bundling dynamic libraries in a wheel with e.g. delocate will work; if system Python's hashlib is linked against the system libssl, will that mask the wheel's libssl? |
|
Aah, thanks for the reference @tdsmith, I didn't appreciate the nuance of "because something's using hashlib" in that conversation. I am still at a bit of a loss for what the "right" answer really is here. Would it make sense to invoke the C compiler explicitly in |
|
GUISE STAHP YOU’RE BUILDING AUTOCONF ;) |
|
Those who do not understand autoconf are doomed to repeat it. On the other hand, those who do understand autoconf are doomed to use it. So... not really sure which side of that tradeoff we want to be on. |
|
Homebrew's openssl has been removed from /usr/local in Homebrew/legacy-homebrew@2e191b19b8e. I don't know if this is the place to ask, but are you expecting Python.org's python distribution to begin bundling openssl and matching headers, since the headers are going away in OS X 10.11? How will cryptography find them? |
|
(Or just resort to static linking, I guess.) |
|
/me updates brew and re-creates every single virtual environment again... |
|
Just to summarize the state here; this is covered a bit in Homebrew/legacy-homebrew#41613 -
Fundamentally, this appears to boil down to:
|
|
Speaking of re-inventing autoconf. Why don't we shell out to pkg-config if it's available? |
|
@public - that actually seems pretty reasonable to me. homebrew provides it, and on my system (which is now back to up-to-date homebrew, meaning, keg-only openssl): $ pkg-config openssl --cflags
-I/usr/local/Cellar/openssl/1.0.2d/include
$ pkg-config openssl --libs
-L/usr/local/Cellar/openssl/1.0.2d/lib -lssl -lcrypto Of course, I'm sure that there will be some times when |
|
|
I did see $ PKG_CONFIG_PATH=nope pkg-config openssl --libs
-L/usr/local/Cellar/openssl/1.0.2d/lib -lssl -lcrypto |
|
|
|
So, does anybody know how to install cryptography without home-brew under El Capitan? |
|
@fqx since Apple removed the OpenSSL headers it is not possible to install cryptography without homebrew. With homebrew you can install it using the instructions we have on https://cryptography.io |
|
Is it possible to publish statically linked wheels for OS X? |
|
@mrjefftang we'll be discussing that more seriously as El Capitan gets closer to release, but yes, we can. |
|
Remember that the statically linked wheels will need to come with a pile of trust roots, and then get updated for trust root changes :-). |
|
@reaperhulk - one of the problems with following those instructions, I believe, is that you'll still get a wheel dynamically linked against homebrew. In other words, a |
|
@fqx @reaperhulk also, to be clear, you don't need homebrew. You can just download the OpenSSL sources and build them yourself. It's just that homebrew is generally easier. |
|
Building your own static linking on OS X in a way that isn't super horrible is not a thing I know how to do. Right now the only way I know how to do it is to explicitly remove the dylibs from the path, which forces it to use the .a file. Hopefully there is a better way that I am not familiar with. |
|
I have seen some references to this but they all seem to mention gcc and not clang; specify the ".a" on the command line; possibly including the full path. I think the thing to try would be modifying |
|
Nope. It just goes on the command line as a ... thing, not as a diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py
index 6a5bf2d..b88bb6f 100644
--- a/src/_cffi_src/build_openssl.py
+++ b/src/_cffi_src/build_openssl.py
@@ -16,7 +16,7 @@ def _get_openssl_libraries(platform):
# specified on the linker command-line is significant;
# libssl must come before libcrypto
# (http://marc.info/?l=openssl-users&m=135361825921871)
- return ["ssl", "crypto"]
+ return []
else:
return ["libeay32", "ssleay32", "advapi32",
"crypt32", "gdi32", "user32", "ws2_32"]
@@ -79,5 +79,8 @@ ffi = build_ffi_for_binding(
pre_include=_OSX_PRE_INCLUDE,
post_include=_OSX_POST_INCLUDE,
libraries=_get_openssl_libraries(sys.platform),
- extra_link_args=extra_link_args(sys.platform),
+ extra_link_args=extra_link_args(sys.platform) + [
+ "/usr/local/opt/openssl/lib/libcrypto.a",
+ "/usr/local/opt/openssl/lib/libssl.a",
+ ]
)and it produced a vaguely usable library: |
|
and it doesn't dynamically link against homebrew: |
|
Since @tdsmith asked: |
|
One area of concern here is that all of the engines appear to be built only as dylibs: so I don't know what functionality will be missing on a system that doesn't have those files. |
|
Closing this since we now ship static wheels on OS X to handle most of this issue. |
|
Looks like wheel for OSX El Capitan (10.11) is missing? I am trying to do Then: |
|
Your Python is built against the 10.9 SDK and therefore pip doesn't think the wheel (which is built against 10.10) is compatible. In reality it is, but pip has no way to know that. |
|
@reaperhulk: Any way to force it to use the wheel? |
|
You can download the wheel for your python directly from pypi (https://pypi.python.org/pypi/cryptography), rename it from 10_10 to 10_9 and then pip install the wheel file directly and it will work. |
|
Perfect. Thank you! |
|
I got exactly the same issue in OSX El Capitan (10.11) but I'm using the 10.10 SDK. I am trying to execute Executing the steps in #2138 seems to work. |
|
@legovaer you should get a wheel there -- are you on an old pip? Upgrade pip to latest and try to install again and I would expect it to download a prebuilt binary. |
You can see the exception below:
http://asciinema.org/a/0n4rvtw727jfn5lhs981hjusx
Please enjoy real-time Cryptography wheel build times in that video, as I had to enjoy them about 50 times while regressing this.
In short, the error is
Symbol not found: _BIO_new_CMS. This has been seen before, by OpenStack developers, and apparently the folk wisdom in that community is "use a linux VM" which avoids this issue.However, I can properly build a homebrew OpenSSL wheel by exporting
LDFLAGS,CPPFLAGS,CFLAGS, and so on, without doing abrew link opensslfirst. I think that something is getting confused about the difference between/usr/local/lib/lib(crypto|ssl).dyliband/usr/lib/lib(crypto|ssl).dylibThe text was updated successfully, but these errors were encountered: