macOS Mojave:如何实现协同设计以启用调试(gdb)? [英] macOS Mojave: How to achieve codesign to enable debugging (gdb)?

问题描述

从 10.5 开始，围绕 macOS 的协同设计问题有很多主题.我想要实现的是，让 Geany 使用 GNU 调试器 (gdb).在 geany 中可以找到调试器，但(已经非常清楚)错误消息是:

来自调试器后端的错误消息:无法找到进程 ID 39847 的 Mach 任务端口:(os/kern) 失败 (0x5).
(请检查 gdb 是否经过代码签名 - 请参阅 taskgated(8))无法找到进程 ID 39847 的 Mach 任务端口:(os/kern) 失败 (0x5).
(请检查 gdb 是否经过代码签名 - 请参阅 taskgated(8))

通常有很多限制要考虑(应该)允许使用 gdb，例如gdb 8.0.1 可能工作，gdb 8.1 根本不能工作 - 见这里，Lazarus Wiki 也证实了这一点.p>

0) 我根据各种说明中的步骤创建了我的证书gdb-cert".示例这里

1) 我遵循了对 gdb 可执行文件进行代码设计的步骤(来源:gdb 和 Stackoverflow) 在我的情况下是

<块引用>

/usr/local/Cellar/gdb/8.0.1/bin/gdb

(再次注意，某些语言的 8.1 存在问题 - 帕斯卡也是).如果您想确保该代码已签名，请前往

$ codesign -vvvv gdb

在相应的目录中.我的是.

2) 确保证书实际上被分配为有资格进行代码签名 - 就我而言.它也是受信任的 - 这是必要的.

3) 我还尝试了另一种方法让 gdb 运行上面描述的文件被编辑的地方(请注意，必须首先在恢复中禁用 SIP！！！！)仅当在恢复中使用 csrutil disable 时，修改才有效.

sudo nano/System/Library/LaunchDaemons/com.apple.taskgated.plist

毁灭性的事情，在这一步之后，没有代码编辑器会再次启动(！！)，直到这个更改被撤消(Geany，Atom，文本编辑器，MS Visual Studio - 插入后都坏了-sp 到文件)

4) 在某些主题中，我发现只有在恢复中使用命令 csrutil enable --withouth debug 时，调试才会起作用.这并没有改变任何东西.

最终我得到了:

代码签名证书

根据我上面的声明签名的 gdb 可执行文件

com.apple.taskgated.plist 文件没有填充字符串 -sp 属性

如果有人能确认这种行为，我将不胜感激，这是一个解决方案，甚至更多:)

解决方案

这与协同设计权利有关.您必须在签名过程中添加com.apple.security.cs.debugger"密钥.

例如，您必须将 codesign -fs gdbcert/usr/local/bin/gdb 更改为 codesign --entitlements gdb.xml -fs gdbcert/usr/local/bin/gdb .

gdb.xml 内容必须类似于以下代码.

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist 版本="1.0"><字典><key>com.apple.security.cs.debugger</key><真的/></dict></plist>

There are many topics floating around covering codesign issues with macOS, from 10.5 onward. What I wanted to achieve is, to get Geany working with the GNU Debugger (gdb). Debugger is found in geany, but the (already quite known) error message is:

Error message from debugger back end:
Unable to find Mach task port for process-id 39847: (os/kern) failure (0x5).
 (please check gdb is codesigned - see taskgated(8))
Unable to find Mach task port for process-id 39847: (os/kern) failure (0x5).
 (please check gdb is codesigned - see taskgated(8))

Generally there are many restrictions to consider that (should) allow the usage of gdb, e.g. gdb 8.0.1 may work, gdb 8.1 will not work at all - see here, also confirmed in Lazarus Wiki.

0) I created my certificate "gdb-cert" according to the steps covered by various instructions. Example here

1) I followed the steps of codesigning the gdb executable file (source: gdb, and Stackoverflow) which is in my case under

/usr/local/Cellar/gdb/8.0.1/bin/gdb

(note again, there are issues with 8.1 for some languages - pascal too). If you want to make sure that code is signed, go for

$ codesign -vvvv  gdb

in the respective directory. Mine is.

2) Make sure that the certificate was actually assigned to be eligible for code signing - it is in my case. It is also trusted - which is necessary.

3) I also tried the other way to get gdb running described above, where the file was edited (please note, that SIP has to be disabled in recovery first!!!!) Modifications only work if csrutil disable is used in the recovery.

sudo nano /System/Library/LaunchDaemons/com.apple.taskgated.plist

Devastating thing, after this step, no code editor would start up again (!!), until this change is undone (Geany, Atom, Text Editor, MS Visual Studio - all broken after inserting -sp to the file)

4) In some topics I found that debugging will only work if the command csrutil enable --withouth debug is used in the recovery. This hasn't changed anything.

Eventually I ended up having:

a certificate to code sign

a gdb exectuable file which is signed according to my statement above

a com.apple.taskgated.plist file not having populated the string -sp attribute

I would greatly appreciate if anyone could confirm this behavior, a solution to this even more :)

解决方案

This is related to codesign entitlements. you must add "com.apple.security.cs.debugger" key in signing process.

for example you must change codesign -fs gdbcert /usr/local/bin/gdb to codesign --entitlements gdb.xml -fs gdbcert /usr/local/bin/gdb .

gdb.xml content must something like following code.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>

这篇关于macOS Mojave:如何实现协同设计以启用调试(gdb)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！