调试带有10.15的系统首选窗格和系统完整性保护 [英] Debug System Pref Pane w/10.15 and System Integrity Protection

问题描述

过去，通过自签名系统偏好设置"应用程序的副本并将其设置为Xcode中的运行目标，我能够在系统偏好设置"中运行/调试自开发的首选项窗格".

In the past, I have been able to run/debug a self-developed Preference Pane in System Preferences by self-signing a copy of the System Preferences app, and setting it as the run target in Xcode.

在〜/Library/PreferencePanes中放置一个符号链接，该链接指向Xcode构建的输出prefPane，一切正常……至少以前在10.11到10.14之间.

A symbolic link is placed in ~/Library/PreferencePanes that points to the output prefPane built by Xcode and everything works... at least it used to under 10.11 through 10.14.

请参阅:调试系统偏好设置带有10.11的窗格和系统完整性保护

在10.15下，此中断.当prefPane正确地加载了真实的(Apple签名)的系统偏好设置"应用程序时，当我尝试在系统偏好设置"的自签名副本中运行我的prefPane时，出现无法加载偏好设置窗格".当尝试加载任何Apple内置的首选窗格时，也会发生同样的事情.

Under 10.15 this breaks. While the prefPane properly loads with the real (Apple-Signed) System Preferences app, when I try to run my prefPane in the self-signed copy of System Preferences, I get "Could not load preference pane". The same thing happens when trying to load any of the Apple built-in pref panes as well.

我都尝试过:

codesign -s "My Developer ID" -f "/Applications/System Preferences Copy.app"

和

codesign -s - -f "/Applications/System Preferences Copy.app"

控制台中不会产生任何错误.

No errors are generated in the Console.

我的猜测是，在加载过程中的某个地方，它正在检查系统偏好设置宿主应用程序是否已由Apple签名.如果我尝试使用真正的系统偏好设置"应用程序作为调试目标，则会收到系统完整性保护错误.

My guess is that somewhere in the loading process, it is checking to see if the System Preferences host app is signed by Apple. If I try to use the real System Preferences app as a debug target, I get a System Integrity Protection error.

有没有办法像10.11到10.14那样禁用SIP?

Is there any way to do this without disabling SIP like there was in 10.11 to 10.14?

推荐答案

应用可能会受到强化运行时的限制.如果没有权利来减轻这些限制，则例如将无法加载代码并非由Apple签署，也不是来自同一团队的身份.

Probably, the app is subject to the restrictions of the hardened runtime. Without entitlements to ease those restrictions, it will be prevented from, for example, loading code that's not signed by Apple or an identity from the same team.

您将需要使用--options runtime --entitlements <path>选项对副本进行签名.该路径应指向字典的plist文件，该字典的键为授权，值通常为布尔值.例如:

You will need to sign your copy with the --options runtime --entitlements <path> options. The path should point to a plist file of a dictionary whose keys are entitlements and values are typically booleans. For example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>

这篇关于调试带有10.15的系统首选窗格和系统完整性保护的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！