Subject: cannot codesign system certificate for gdb in keychain access in Mac OS X High Sierra


Problem description



I'm trying to use gdb on Mac OSX High Sierra. I installed version 8.01 using brew (the latest version 8.1 actually has a separate, unrelated error), and am having trouble with the codesign step. I'm following the instructions at the page suggested by brew.

In Keychain Access, I create a certificate, using the "codesign" option, and overriding defaults, and click through until it asks for the location of the certificate, for which I select "keychain: system". However, immediately afterwards I get a mysterious message:

An Error Occurred
Unknown Error = -2,147,414,007

This message also occurred in a previous thread, but the sole answer was of low quality, didn't work, and the question didn't seem to be getting much activity/attention. I also tried going into recovery mode and doing csrutil disable, but I'm still getting the -2,147,414,007 error. Back in the Keychain Access window, under "System", I get the public and private RSA keys of the certificate I just created, but the certificate itself is not there.

If I repeat all that but create under "Login" instead of "System", this time the certificate gets created. I then export to a .cer file to my desktop, then import back into Keychains, but under the "System" category. I then restart my computer, then do

codesign -s gdb-cert /usr/local/Cellar/gdb/8.0.1/bin/gdb

but I get error: The specified item could not be found in the keychain.

I can of course just do sudo gdb or lldb with no problem, but I would like to use gdb with emacs, so those are not options (of course, technically I can just do sudo emacs and it will work, but for obvious reasons I prefer not to use sudo). How can I codesign gdb so that I can use it without getting mach port complaints?

edit: it appears another thread elsewhere has many people with the same problem. There doesn't appear to be a definitive fix there; I tried some of the suggestions and am continuing to get

Unable to find Mach task port for process-id 575: (os/kern) failure (0x5).
 (please check gdb is codesigned - see taskgated(8))

Solution

I finally got it to work. I'm using the latest High Sierra as of the date of this post. First, I installed an older version of gdb, 8.0.1, instead of the latest 8.1, which seems to be broken:

brew install https://raw.githubusercontent.com/Homebrew/homebrew-core/9ec9fb27a33698fc7636afce5c1c16787e9ce3f3/Formula/gdb.rb

then brew pin gdb.

For the next steps, I found this thread, and this other thread useful. Also, this page.

Make the certificate in Login instead of System in order to avoid the -2,147,414,007 error. Then, click the padlock to unlock the System category, and drag the certificate and keys into System. If anything goes wrong here, you can try File->Import and File->Export instead. The goal is to get the following:

e.g. the certificate and the keys all under the System keychain, not login. (It may not even be necessary to drag the keys into system, but I did it just to be safe).

Then, a very important step: right click the certificate, go to Info, Trust, and select Always trust for every category. If you don't do this, the codesigning will not be effective, and you will still get the mach port error message in gdb, even if you codesign.

(One of the answers in the two threads linked above says to temporarily enable the root account in Directory Utilities, but I'm not sure if that's actually necessary). Then, either restart your computer or do sudo killall taskgated. Then codesign -fs gdb-cert $(which gdb).

Then, I no longer got the mach port error message in gdb. The first time I ran, I got a popup asking for a password. To disable it for future runs, I did sudo /usr/sbin/DevToolsSecurity --enable as per that thread.

Note also that 8.0.1 has a minor issue: you will get warnings about unhandled dyld version. That's explained in this thread. Note some posts in that thread say breakpoints don't work, but I didn't see that happening.
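
A shell check for the state the answer's steps are meant to produce, added here as an example and not part of the original answer: it looks for the certificate in the System keychain and reports whether gdb is signed by it and verifies. The identity name gdb-cert comes from the post; the System keychain path, the function names and the sample line in the fallback branch are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original post. Assumptions: identity name
# "gdb-cert" (as on the page) and the standard System keychain path.
CERT_NAME="gdb-cert"
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# classify_signature IDENTITY: reads `codesign -dvv` text on stdin, prints one of
# unsigned | adhoc | signed-by-other | signed-by-expected | unknown
classify_signature() {
    awk -v want="$1" '
        /not signed at all/ { state = "unsigned" }
        /^Signature=adhoc/  { state = "adhoc" }
        /^Authority=/ {
            sub(/^Authority=/, "")
            if ($0 == want) found = 1
            else if (state == "") state = "signed-by-other"
        }
        END {
            if (found) print "signed-by-expected"
            else if (state != "") print state
            else print "unknown"
        }'
}

# audit_gdb: report certificate location and signature state; succeeds only
# when gdb is signed by CERT_NAME and the signature verifies.
audit_gdb() {
    gdb_path=$(command -v gdb) || { echo "gdb: not on PATH"; return 1; }
    if security find-certificate -c "$CERT_NAME" "$SYSTEM_KEYCHAIN" >/dev/null 2>&1
    then echo "certificate: found in System keychain"
    else echo "certificate: NOT in System keychain"
    fi
    # codesign prints its details on stderr, hence 2>&1.
    state=$(codesign -dvv "$gdb_path" 2>&1 | classify_signature "$CERT_NAME")
    echo "signature: $state"
    codesign -v "$gdb_path" 2>/dev/null || { echo "verify: FAILED"; return 1; }
    echo "verify: ok"
    [ "$state" = "signed-by-expected" ]
}

if command -v codesign >/dev/null 2>&1; then
    audit_gdb || echo "gdb is not correctly signed; redo the trust and codesign steps"
else
    # No codesign here (not macOS): classify a constructed sample instead.
    printf 'Identifier=gdb\nAuthority=gdb-cert\n' | classify_signature "$CERT_NAME"
fi
```

The script does not inspect the certificate's trust settings, which the answer sets by hand in Keychain Access, so a "signed-by-expected" result with the mach port error still present points back at that step or at restarting taskgated.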
