
Mac OSX: "terraform" or "packer" will damage your computer. You should move it to the trash. HashiCorp tooling security errors.

Answer

A customer asked:

> I've just tried to run a Terraform command and got the following error on Mac OSX. What does this mean and how do I fix it?
>
> ![terraform-damage](https://user-images.githubusercontent.com/1769996/234879120-900249fa-dc36-4a9f-b1a5-0732411019e6.png)

---

<ins datetime="2023-04-27T13:43:09Z">
<p><a href="https://support.gruntwork.io/hc/requests/110126">Tracked in ticket #110126</a></p>
</ins>

## `tldr` What happened?

HashiCorp intentionally invalidated several released binaries (Terraform, Packer, etc.) in response to a CircleCI security incident. The invalidated versions of these binaries will not run properly on Mac OSX. This is expected to affect all HashiCorp projects (terraform, packer, nomad, etc.).

## `tldr` To fix this issue

You need to delete your current `terraform` or `packer` binary and re-install it. Terraform, Packer and other HashiCorp binaries that were downloaded before January 23rd are now intentionally invalidated and will not work properly.

## To fix the issue when using `terraform` directly

1. Delete your current `terraform` installation.
2. [Re-install Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)

## To fix the issue when using `tfenv`

Users report that it is possible to resolve the issue via `tfenv` by installing the latest version of Terraform. You may receive some errors on `STDOUT`:

```
$ tfenv install 1.2.6
Installing Terraform v1.2.6
Downloading release tarball from https://releases.hashicorp.com/terraform/1.2.6/terraform_1.2.6_darwin_amd64.zip
######################################################################################################################################################################################################################################################### 100.0%
Downloading SHA hash file from https://releases.hashicorp.com/terraform/1.2.6/terraform_1.2.6_SHA256SUMS
▶ ERROR No UID given but one was expected
Unable to verify OpenPGP signature unless logged into keybase and following hashicorp
Archive: /var/folders/qr/fqg8j0f50p96ss1yl436ls100000gn/T/tfenv_download.XXXXXX.jvmuCTni/terraform_1.2.6_darwin_amd64.zip
  inflating: /usr/local/Cellar/tfenv/3.0.0/versions/1.2.6/terraform
Installation of terraform v1.2.6 successful.
To make this your default version, run 'tfenv use 1.2.6'
```

# Understanding why this issue is occurring

On January 3, 2023, CircleCI issued a security alert stating that they had discovered that an unauthorized third party had leveraged malware deployed to a CircleCI engineer's laptop in order to steal a valid, 2FA-backed SSO session. Out of an abundance of caution, they began rotating all API token secrets for all customers.

Recently, HashiCorp took their own action to rotate the signing key for their RPM packages. As a result, users must now re-download binaries that have been signed with the updated key.

https://support.hashicorp.com/hc/en-us/articles/13177506317203
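In the `tfenv` output above, the SHA256SUMS file is downloaded but the OpenPGP signature check is skipped before the binary is installed. The following added example (not code from Gruntwork, HashiCorp or `tfenv`) shows one way to check a re-downloaded archive against its SHA256SUMS file by hand; the function names `sha256_of` and `verify_release` are hypothetical, and the demo files are constructed stand-ins rather than real release artifacts.

```sh
#!/bin/sh
# Added example (not Gruntwork or HashiCorp code): check a downloaded release
# archive against the matching line in its SHA256SUMS file.
# Caveat: a matching checksum only proves the archive matches the sums file.
# The sums file's OpenPGP signature must be verified separately.

# Portable SHA-256: Linux usually has sha256sum, macOS ships shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_release ARCHIVE SUMS_FILE
# Returns 0 on match, 1 on mismatch, 2 if a file is missing or not listed.
verify_release() {
  archive=$1
  sums=$2
  [ -f "$archive" ] && [ -f "$sums" ] || return 2
  name=$(basename "$archive")
  # Each line is "<hex digest>  <file name>"; match the file name exactly.
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
  [ -n "$expected" ] || return 2
  [ "$(sha256_of "$archive")" = "$expected" ]
}

# Demo on constructed files (stand-ins, not real HashiCorp artifacts).
demo() {
  dir=$(mktemp -d)
  pkg="$dir/terraform_1.2.6_darwin_amd64.zip"
  printf 'constructed sample archive\n' > "$pkg"
  printf '%s  %s\n' "$(sha256_of "$pkg")" "$(basename "$pkg")" > "$dir/terraform_1.2.6_SHA256SUMS"
  if verify_release "$pkg" "$dir/terraform_1.2.6_SHA256SUMS"; then
    echo "checksum OK"
  fi
  printf 'modified after download\n' >> "$pkg"
  if verify_release "$pkg" "$dir/terraform_1.2.6_SHA256SUMS"; then
    echo "unexpected match"
  else
    echo "checksum mismatch: do not install"
  fi
  rm -rf "$dir"
}

demo
```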