macOS Mojave: How to achieve codesign to enable debugging (gdb)?


Problem description


    There are many topics floating around covering codesign issues with macOS, from 10.5 onward. What I wanted to achieve is to get Geany working with the GNU Debugger (gdb). The debugger is found in Geany, but the (already quite known) error message is:

    Error message from debugger back end:
    Unable to find Mach task port for process-id 39847: (os/kern) failure (0x5).\n (please check gdb is codesigned - see taskgated(8))
    Unable to find Mach task port for process-id 39847: (os/kern) failure (0x5).\n (please check gdb is codesigned - see taskgated(8))
    

    Generally there are many restrictions to consider that (should) allow the usage of gdb, e.g. gdb 8.0.1 may work, gdb 8.1 will not work at all - see here, also confirmed in Lazarus Wiki.

    0) I created my certificate "gdb-cert" according to the steps covered by various instructions. Example here

    1) I followed the steps of codesigning the gdb executable file (source: gdb, and Stackoverflow) which is in my case under

    /usr/local/Cellar/gdb/8.0.1/bin/gdb

    (note again, there are issues with 8.1 for some languages - pascal too). If you want to make sure that code is signed, go for

    $ codesign -vvvv  gdb
    

    in the respective directory. Mine is.

    2) Make sure that the certificate was actually assigned to be eligible for code signing - it is in my case. It is also trusted - which is necessary.

    3) I also tried the other way to get gdb running described above, where the file was edited (please note, that SIP has to be disabled in recovery first!!!!) Modifications only work if csrutil disable is used in the recovery.

    sudo nano /System/Library/LaunchDaemons/com.apple.taskgated.plist
    

    Devastating thing, after this step, no code editor would start up again (!!), until this change is undone (Geany, Atom, Text Editor, MS Visual Studio - all broken after inserting -sp to the file)

    4) In some topics I found that debugging will only work if the command csrutil enable --without debug is used in the recovery. This hasn't changed anything.

    Eventually I ended up having:

  • a certificate to code sign
  • a gdb executable file which is signed according to my statement above
  • a com.apple.taskgated.plist file not having populated the string -sp attribute

    I would greatly appreciate it if anyone could confirm this behavior, a solution to this even more :)

    Solution

    This is related to codesign entitlements. You must add the "com.apple.security.cs.debugger" key in the signing process.

    For example, you must change codesign -fs gdbcert /usr/local/bin/gdb to codesign --entitlements gdb.xml -fs gdbcert /usr/local/bin/gdb.

    The gdb.xml content must be something like the following code.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.security.cs.debugger</key>
        <true/>
    </dict>
    </plist>
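
The signing step from the answer above, written out as an added example that is not part of the original answer: it writes the gdb.xml entitlements file, signs gdb with it, and reads the signature back to confirm the com.apple.security.cs.debugger key is embedded. gdbcert, /usr/local/bin/gdb and gdb.xml are the answer's example values; the function names and the `sign` argument are assumptions of this example, and `--entitlements :-` assumes a codesign that accepts the `:` prefix for bare XML output.

```shell
#!/bin/sh
# Added example: sign gdb with the debugger entitlement and confirm it is embedded.
# CERT, GDB and ENT default to the answer's example values; override via environment.
CERT="${CERT:-gdbcert}"
GDB="${GDB:-/usr/local/bin/gdb}"
ENT="${ENT:-gdb.xml}"

# Write the entitlements plist shown in the answer to the path given as $1.
write_entitlements() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>
EOF
}

# Succeed only if the entitlements XML on stdin sets the debugger key to <true/>.
has_debugger_entitlement() {
    LC_ALL=C tr -d ' \t\n\r' |
        LC_ALL=C grep -qF '<key>com.apple.security.cs.debugger</key><true/>'
}

# Sign $GDB with $CERT and the entitlements file, verify, then read the entitlements back.
sign_and_check() {
    write_entitlements "$ENT" || return 1
    codesign --entitlements "$ENT" -fs "$CERT" "$GDB" || return 1
    codesign -vvvv "$GDB" || return 1
    # ':-' asks codesign for the embedded entitlements as bare XML on stdout (assumption, see lead-in).
    codesign -d --entitlements :- "$GDB" 2>/dev/null | has_debugger_entitlement
}

# Only act when invoked as "sh script.sh sign" on a machine that has codesign.
if [ "${1:-}" = "sign" ] && command -v codesign >/dev/null 2>&1; then
    if sign_and_check; then
        echo "debugger entitlement present on $GDB"
    else
        echo "signing failed or entitlement missing on $GDB" >&2
        exit 1
    fi
fi
```

The read-back check matters because a signature that verifies with codesign -vvvv can still lack the entitlement, which is the state the question ends in.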
    
