ImportError on Ubuntu 18.04 and CentOS 7

[keonakhon]

Describe the bug The package was installed successfully, but an error occurred when trying to import it:

root:~# python3
Python 3.6.9 (default, Mar 10 2023, 16:46:00) 
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import yara
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: /usr/local/lib/python3.6/dist-packages/yara.cpython-36m-x86_64-linux-gnu.so: undefined symbol: TS_VERIFY_CTX_set_imprint

• OS: Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-197-generic x86_64), CentOS Linux release 7.9.2009 (Core)
• Python: 3.6.9, 3.7, 3.8
• Pip: 9.0.1 from /usr/lib/python3/dist-packages (python 3.6)
• YARA version: 4.3.1
• python sys.path: ['', '/usr/lib/python36.zip', '/usr/lib/python3.6', '/usr/lib/python3.6/lib-dynload', '/root/.local/lib/python3.6/site-packages', '/usr/local/lib/python3.6/dist-packages', '/usr/lib/python3/dist-packages']

I managed to install it successfully on various types of Linux(on VM, Physical Machine, VPS, and Docker): Ubuntu 20.04 & 22.04, CentOS Stream 8 & 9, and Debian 12. However, I only encountered this error on Ubuntu 18.04 and CentOS 7. I had to reinstall CentOS 7, python3, and pip3 just to get it to work. On the other hand, I solved the issue on Ubuntu 18.04 by downgrading the yara-python version to 4.2.*.

[packplusplus]

This is also an issue on Amazon Linux 2.

Amazon linux 2 ships with OpenSSL 1.0.2. Which, and if you look at ts_verify_ctx.c, doesn't have TS_VERIFY_CTX_set_imprint 😱

The PR that re-wrote Authenticode requires that symbol / function which was introduced in OpenSSL 1.1.0.

For amazon linux 2, the work around was compiling yara myself against openssl11

• Install openssl11 packages yum install openssl11 openssl11-devel
• compile yara from source pip3 install --no-cache --no-binary :all: yara-python

Depending on those other distro's have for openssl libraries you may or may not be able to follow the same path. I'm not sure, but maybe there's a way to put a requirement on the version for crypto.

Edit: More information Second edit: work around

[liukoo]

In CentOS 7 Install openssl 11 cd /usr/local/src wget --no-check-certificate https://www.openssl.org/source/openssl-1.1.1q.tar.gz tar zxvf openssl-1.1.1q.tar.gz cd openssl-1.1.1q ./config -fPIC shared zlib --prefix=/usr/local/openssl make make install echo "/usr/local/lib64/" >> /etc/ld.so.conf ldconfig

replace old openssl if need

mv /usr/bin/openssl /usr/bin/openssl.old ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl ln -s /usr/local/openssl/include/openssl /usr/include/openssl echo "/usr/local/openssl/lib" >> /etc/ld.so.conf ldconfig -v openssl version