Thursday, January 16, 2020

Mac OS X Catalina and Oracle Instant Client

If you have upgraded to the most recent Mac OS X Catalina, you may be seeing some issues trying to install and run the Oracle instant client.  This is part of new security put into OS X in the past few versions.

You may also being seeing this if you are just upgrading your instant client, which maybe you haven't done in a year or two.

Developer Cannot be Verified

After downloading the ZIP files from Oracle and installing the client, you try to run SQLPlus from the command line and you get the following error:
You can go to the Control Panel -> Security & Privacy -> General tab, and you will see a prompt asking if you would like to approve this application:
The problem with this method, is that every library and additional file related to the instant client also has to be approved.  So after you approve this, and then re-run sqlplus; you will get prompted for another file, and then another, and so on.

Extra File Attributes

If you note in the message, the file is being flagged since it was downloaded from the internet.  If we look at the files extra attributes we can see that they have all been flagged with "com.apple.quarantine"

$ ls -lg@
total 484136
-r-xr-xr-x@ 1 staff       5780 Feb 22  2019 BASIC_LICENSE
com.apple.quarantine       57 
-rw-r--r--@ 1 staff       1670 Aug 19 05:57 BASIC_README
com.apple.quarantine       57 
-r-xr-xr-x@ 1 staff       5780 Feb 22  2019 SQLPLUS_LICENSE
com.apple.quarantine       57 
-rw-r--r--@ 1 staff       1676 Sep  6 04:11 SQLPLUS_README
com.apple.quarantine       57 
-rwxr-xr-x@ 1 staff       9888 Aug 19 05:57 adrci
com.apple.quarantine       57 
-rwxr-xr-x@ 1 staff      40368 Aug 19 05:57 genezi
com.apple.quarantine       57 
-r-xr-xr-x@ 1 staff        342 Apr 24  2015 glogin.sql
com.apple.quarantine       57 
lrwxrwxrwx  1 staff         20 Jan 16 08:39 libclntsh.dylib -> libclntsh.dylib.19.1
lrwxrwxrwx  1 staff         20 Jan 16 08:39 libclntsh.dylib.10.1 -> libclntsh.dylib.19.1
lrwxrwxrwx  1 staff         20 Jan 16 08:39 libclntsh.dylib.11.1 -> libclntsh.dylib.19.1
lrwxrwxrwx  1 staff         20 Jan 16 08:39 libclntsh.dylib.12.1 -> libclntsh.dylib.19.1
lrwxrwxrwx  1 staff         20 Jan 16 08:39 libclntsh.dylib.18.1 -> libclntsh.dylib.19.1
-rwxr-xr-x@ 1 staff   98137256 Aug 13 02:10 libclntsh.dylib.19.1
com.apple.quarantine       57 
-rwxr-xr-x@ 1 staff    4803832 Jul  7  2019 libclntshcore.dylib.19.1
com.apple.quarantine       57 
-rwxr-xr-x@ 1 staff    8349944 Aug  6 12:14 libnnz19.dylib
com.apple.quarantine       57 
lrwxrwxrwx  1 staff         18 Jan 16 08:39 libocci.dylib -> libocci.dylib.19.1
lrwxrwxrwx  1 staff         18 Jan 16 08:39 libocci.dylib.10.1 -> libocci.dylib.19.1
lrwxrwxrwx  1 staff         18 Jan 16 08:39 libocci.dylib.11.1 -> libocci.dylib.19.1
lrwxrwxrwx  1 staff         18 Jan 16 08:39 libocci.dylib.12.1 -> libocci.dylib.19.1
lrwxrwxrwx  1 staff         18 Jan 16 08:39 libocci.dylib.18.1 -> libocci.dylib.19.1
-rwxr-xr-x@ 1 staff    1594048 Jul  5  2019 libocci.dylib.19.1
com.apple.quarantine       57 
-rwxr-xr-x@ 1 staff  125518764 Aug 19 05:57 libociei.dylib
com.apple.quarantine       57 
-r-xr-xr-x@ 1 staff     151980 Jul  3  2019 libocijdbc19.dylib
com.apple.quarantine       57 
-rwxr-xr-x@ 1 staff     100492 Aug 13 02:32 liboramysql19.dylib
com.apple.quarantine       57 
-rwxrwxrwx@ 1 staff    1322588 Sep  6 04:05 libsqlplus.dylib
com.apple.quarantine       57 
-r-xr-xr-x@ 1 staff    1659868 Jul  5  2019 libsqlplusic.dylib
com.apple.quarantine       57 
drwxr-xr-x@ 3 staff         96 Aug 19 05:57 network
com.apple.quarantine       57 
-rw-r--r--@ 1 staff    4210510 May 10  2019 ojdbc8.jar
com.apple.quarantine       57 
-rwxr-xr-x@ 1 staff       8528 Sep  6 04:11 sqlplus
com.apple.quarantine       57 
-rw-r--r--@ 1 staff    1680080 May 10  2019 ucp.jar
com.apple.quarantine       57 
-rwxr-xr-x@ 1 staff     150080 Aug 19 05:57 uidrvci
com.apple.quarantine       57 
-rw-r--r--@ 1 staff      74263 Apr 16  2019 xstreams.jar
com.apple.quarantine       57 
The at sign "@" is telling us that there are extra attributes on the files, and the OS security layer is using those attributes to apply rules about what can be run or not.

Simple Fix

So the easier fix is to just remove this attribute that is causing the security system to kick in.
NOTE, make sure you know where you downloaded the files from and that you are absolutely sure you are not introducing malware, ransomware, etc...

  1. Some of the files ship without WRITE rights so we will need to fix that first:
    $ cd instantclient_19_3
    $ chmod u+w *
  2. Next we will remove the extra attribute:
    $ cd ..
    $ xattr -r -d -s com.apple.quarantine instantclient_19_3
  3. Now SQLPlus should run without any issues:
    $ cd instantclient_19_3/
    $ ./sqlplus /nolog

    SQL*Plus: Release 19.0.0.0.0 - Production on Thu Jan 16 09:01:29 2020
    Version 19.3.0.0.0

    Copyright (c) 1982, 2019, Oracle.  All rights reserved.

    SQL> 
Pretty simple fix as apposed to having to go into the control panel and approve every library or tool you want to use in the instant client set.

Gary