QEMU binary /Users/<USER>/.colima/_wrapper/<HASH>/bin/qemu-system-x86_64 is not properly signed is confusing #796
Description
Note
This warning is negligible if the VM is working.
If the VM is not working, you have to sign the actual QEMU binary (e.g.,
/usr/local/bin), not the wrapper in~/.colima/_wrapper/.The warning should not be shown if you run Lima directly without Colima.
Lima (since v0.17.2 lima-vm/lima#1743) prints a confusing warning for colima, as colima injects a custom QEMU wrapper binary:
$ colima start
...
INFO[0000] starting ... context=vm
> "QEMU binary \"/Users/<USER>/.colima/_wrapper/4e1b408f843d1c63afbbdcf80c40e4c88d33509f/bin/qemu-system-x86_64\" is not properly signed with the \"com.apple.security.hypervisor\" entitlement" error="failed to run [codesign --verify /Users/<USER>/.colima/_wrapper/4e1b408f843d1c63afbbdcf80c40e4c88d33509f/bin/qemu-system-x86_64]: exit status 1 (out=\"/Users/<USER>/.colima/_wrapper/4e1b408f843d1c63afbbdcf80c40e4c88d33509f/bin/qemu-system-x86_64: code object is not signed at all\\nIn architecture: x86_64\\n\")"
> You have to sign the QEMU binary with the "com.apple.security.hypervisor" entitlement manually. See https://github.com/lima-vm/lima/issues/1742 .I'd suggest to do one of:
- Eliminate the QEMU wrapper binary. Custom qemu args can be still injected with
$QEMU_SYSTEM_<ARCH>(discouraged though). If something is missing in Lima, please feel free to open an issue or PR in the Lima repo. - Sign the QEMU wrapper binary to silence the warning.
- Change the default driver to VZ (Lima is also likely to switch to VZ soon).