How to get a "codesigned" gdb on OSX?

I.1 Codesigning the Debugger

The Darwin Kernel requires the debugger to have special permissions before it is allowed to control other processes. These permissions are granted by codesigning the GDB executable. Without these permissions, the debugger will report error messages such as:

Starting program: /x/y/foo
Unable to find Mach task port for process-id 28885: (os/kern) failure (0x5).
 (please check gdb is codesigned - see taskgated(8))

Codesigning requires a certificate. The following procedure explains how to create one:

  • Start the Keychain Access application (in /Applications/Utilities/Keychain Access.app)
  • Select the Keychain Access -> Certificate Assistant -> Create a Certificate... menu
  • Then:
    • Choose a name for the new certificate (this procedure will use "gdb-cert" as an example)
    • Set "Identity Type" to "Self Signed Root"
    • Set "Certificate Type" to "Code Signing"
    • Activate the "Let me override defaults" option
  • Click several times on "Continue" until the "Specify a Location For The Certificate" screen appears, then set "Keychain" to "System"
  • Click on "Continue" until the certificate is created
  • Finally, in the view, double-click on the new certificate, and set "When using this certificate" to "Always Trust"
  • Exit the Keychain Access application and restart the computer (this is unfortunately required)

Once a certificate has been created, the debugger can be codesigned as follow. In a Terminal, run the following command...

codesign -f -s  "gdb-cert"  <gnat_install_prefix>/bin/gdb

... where "gdb-cert" should be replaced by the actual certificate name chosen above, and should be replaced by the location where you installed GNAT.

source: https://gcc.gnu.org/onlinedocs/gcc-4.8.1/gnat_ugn_unw/Codesigning-the-Debugger.html

UPDATE: High-Sierra (Certificate Assistant - Unknown Error) https://apple.stackexchange.com/questions/309017/unknown-error-2-147-414-007-on-creating-certificate-with-certificate-assist


Check the trust of the cert, it must be trusted for code signing (on yosemite that is the third last in the trust section of the cert view in the keychain access).

At first the cert was not known for codesigning to the keychain, because there was the Extension purpose "Code Signing" missing, you can find this if you look into the keychain and double click on the certificate:

enter image description here

I fixed that:

enter image description here

Then I added the certificate to the trusted signing certificates, after I had drag&dropped the certificate from the keychain to my desktop, which created the ~/Desktop/gdb-cert.cer:

$ sudo security add-trusted-cert -d -r trustRoot -p codeSign -k /Library/Keychains/System.keychain ~/Desktop/gdb-cert.cer

This was a bit tricky because I was mislead by some internet posts and did not look at the man page. Some said you should use add-trust (https://llvm.org/svn/llvm-project/lldb/trunk/docs/code-signing.txt). The terrible bit was that the command succeeded, but did not do what it "should" (well, it was the wrong command, but it should have told me it was wrong).

After that I found the new cert in the trusted certs like so:

$ security find-identity -p codesigning

Policy: Code Signing
  Matching identities
      1) E7419032D4..... "Mac Developer: FirstName LastName (K2Q869SWUE)"    (CSSMERR_TP_CERT_EXPIRED)
      2) ACD43B6... "gdb-cert"
  2 identities found

  Valid identities only
      1) ACD43... "gdb-cert"
  1 valid identities found

In my case the apple cert is expired, but the one I was using to sign gdb was not (well, I just created it myself). Also be aware that the policy is named differently for the "security add-trusted-cert"(-p codeSign) and the "security find-identity" command (-p codesigning). I then went on to sign gdb and I also always got:

$ codesign --sign gdb-cert.cer --keychain ~/Library/Keychains/login.keychain `which gdb`
  gdb-cert.cer: no identity found

because I was under the impression that I had to give the file name of the cert file to the --sign option, but that in fact was the CN of the certificate that I should have provided and should be in the trust store. You can find the CN here when double clicking on the cert in the keychain:

enter image description here

or in the above output of "security find-identity -p codesigning". Then I went on to sign and I had to give it the right keychain:

 codesign -s gdb-cert --keychain /Library/Keychains/System.keychain `which gdb`

I had to enter the root password to allow access to the keychain.

That then gave me a working gdb and it should give you a signed application.


I made gdb work on OSX 10.9 without codesigning this way (described here):

  1. Install gdb with macports. (may be you can skip it)

  2. sudo nano /System/Library/LaunchDaemons/com.apple.taskgated.plist

    change option string from -s to -sp at line 22, col 27.

  3. reboot the computer.

  4. Use gdb


It would seem you need to sign the executable. See these links for more information. You should be able to get away with self signing if you don't plan on redistributing that version of gdb.

https://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html

https://developer.apple.com/library/mac/#documentation/Darwin/Reference/Manpages/man1/codesign.1.html

Alternatively, you could disable code signing on your system, although this presents a security risk. To do so try running sudo spctl --master-disable in the Terminal.

Tags:

C++

Macos

Debugging

Gdb

Code Signing

Recent Posts