Macos – How to codesign gdb on OS X Mojave

Tags: code-signing, gdb, mac, macos-mojave

After installing gdb from homebrew (via $ brew install gdb), I followed these instructions to give gdb permissions to attach to a process.

When I got to the step that runs the command:

$ codesign --entitlements gdb-entitlement.xml -fs gdb-cert $(which gdb)

I got the following error, with an exit code of 1:

/usr/local/bin/gdb: errSecInternalComponent

I cannot figure out what is wrong, and therefore cannot proceed with installing a working version of gdb. Any help?

EXTRA INFO:

  • Mac OS X version 10.14.4

  • GDB version 8.3 (via homebrew)

  • Added my user to the _developer group; didn't help

  • Attempted restart of my machine and sudo killall taskgated to no avail

  • Attempted installing earlier version of GDB (8.0.1), but got same result

Best Answer

I found that if I first followed these instructions to create the certificate BEFORE attempting to complete the gdb signing instructions, I was able to get it to work. The only exception is that I had to keep the certificate in the System Keychain instead of moving it back into Login.

Here's a consolidated set of steps:

Creating the Certificate with the right permissions

  1. Launch /Applications/Utilities/Keychain Access.app
  2. In Keychain Access select the "login" keychain in the "Keychains" list in the upper left hand corner of the window.
  3. Select the following menu item:
    • Keychain Access->Certificate Assistant->Create a Certificate...
  4. Set the following settings:
    • Name = "gdb-cert"
    • Identity Type = Self Signed Root
    • Certificate Type = Code Signing
    • Click Create
    • Can customize the expiration date (3650 days = 10yrs)
    • Click Continue
    • Click Done
  5. Click on "My Certificates"
  6. Double click on your new "gdb-cert" certificate
  7. Turn down the "Trust" disclosure triangle, scroll to the "Code Signing" trust pulldown menu and select "Always Trust" and authenticate as needed using your username and password.
  8. Drag the new "gdb-cert" code signing certificate (not the public or private keys of the same name) from the "login" keychain to the "System" keychain in the Keychains pane on the left hand side of the main Keychain Access window. This will move this certificate to the "System" keychain. You'll have to authorize a few more times, set it to be "Always trusted" when asked.
  9. In the Keychain Access GUI, click and drag "gdb-cert" in the "System" keychain onto the desktop. The drag will create a "~/Desktop/gdb-cert.cer" file used in the next step.
  10. Switch to Terminal, and run the following:
    1. sudo security add-trust -d -r trustRoot -p basic -p codeSign -k /Library/Keychains/System.keychain ~/Desktop/gdb-cert.cer
    2. rm -f ~/Desktop/gdb-cert.cer
  11. Drag the "gdb-cert" certificate from the "System" keychain back into the "login" keychain (and maybe back again...?) EDIT: apparently not necessary, per comments
  12. Quit Keychain Access
  13. Reboot

Checking the Certificate:

  1. security find-certificate -c gdb-cert -> should show some details about the cert, if it can be found
  2. security find-certificate -p -c gdb-cert | openssl x509 -checkend 0 -> should say the cert won't expire
  3. security dump-trust-settings -d -> should show that this cert has code signing trust setting enabled (may show other certs/permissions)

Creating the "entitlements.xml" File:

Copy the text below and save it in an "entitlements.xml" file in your current directory.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>

Signing the debugger binaries

Run the following commands in terminal:

  1. codesign --entitlements entitlements.xml -fs gdb-cert $(which gdb) -> codesign with entitlements
  2. codesign -vv $(which gdb) -> verify codesigning
  3. codesign -d --entitlements - $(which gdb) -> display details of code signature

Refresh System Certificates

Reboot the machine
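The answer's procedure, scripted end to end as an added example (this is my code, not part of the original answer). Instead of building the certificate in Keychain Access, it generates a self-signed code-signing root with openssl, imports the key and certificate into the System keychain (the keychain the answer found necessary), adds the same code-signing trust setting, writes the entitlements file, signs gdb and runs the verification commands. It also runs `security find-identity -p codesigning`, which lists only certificates whose private key codesign can actually use; an identity that is missing from that list, or a locked keychain, is a common reason codesign reports errSecInternalComponent. Assumptions of mine: openssl, `security` and `codesign` are on PATH, the certificate name is gdb-cert, and the current directory is writable.

```shell
#!/bin/sh
# Added example: scripted version of the answer's procedure.
# Assumed (not from the page): openssl, security and codesign on PATH,
# a writable working directory, sudo rights for the System keychain.
set -eu

CERT_NAME="${CERT_NAME:-gdb-cert}"
SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain

# Writes the entitlements plist from the answer to the given path.
write_entitlements() {
  cat >"$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>
EOF
}

# Returns 0 when the plist grants com.apple.security.cs.debugger = true.
# Whitespace is stripped first so the key/value pair can be matched as one
# string; plain grep is used because plutil only exists on macOS.
has_debugger_entitlement() {
  tr -d '\n ' <"$1" | grep -q '<key>com.apple.security.cs.debugger</key><true/>'
}

# OpenSSL request config for a self-signed root whose extended key usage is
# code signing only, the equivalent of Certificate Assistant's "Code Signing".
write_openssl_cnf() {
  cat >"$1" <<EOF
[ req ]
distinguished_name   = dn
x509_extensions      = codesign
prompt               = no
[ dn ]
CN = ${CERT_NAME}
[ codesign ]
basicConstraints     = critical, CA:true
keyUsage             = critical, digitalSignature, keyCertSign
extendedKeyUsage     = critical, codeSigning
subjectKeyIdentifier = hash
EOF
}

# Key + certificate valid 3650 days (the value the answer suggests), bundled
# as PKCS#12 so `security import` brings in the private key with the cert.
make_identity() {
  write_openssl_cnf "${CERT_NAME}.cnf"
  openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes \
    -config "${CERT_NAME}.cnf" -keyout "${CERT_NAME}.key" -out "${CERT_NAME}.cer"
  openssl pkcs12 -export -inkey "${CERT_NAME}.key" -in "${CERT_NAME}.cer" \
    -name "${CERT_NAME}" -passout pass: -out "${CERT_NAME}.p12"
}

# Import into the System keychain with codesign allowed to use the key
# (-T), then add the same trust setting the answer applies with add-trust.
install_identity() {
  sudo security import "${CERT_NAME}.p12" -k "$SYSTEM_KEYCHAIN" -P "" -T /usr/bin/codesign
  sudo security add-trust -d -r trustRoot -p basic -p codeSign \
    -k "$SYSTEM_KEYCHAIN" "${CERT_NAME}.cer"
}

# The answer's checks, plus find-identity: codesign needs an identity
# (certificate plus usable private key), not just a certificate.
check_identity() {
  security find-certificate -c "$CERT_NAME" "$SYSTEM_KEYCHAIN" >/dev/null
  security find-certificate -p -c "$CERT_NAME" "$SYSTEM_KEYCHAIN" | openssl x509 -checkend 0 -noout
  security find-identity -v -p codesigning | grep -q "$CERT_NAME"
}

# Sign with entitlements, then verify and display them, as in the answer.
sign_gdb() {
  write_entitlements entitlements.xml
  codesign --entitlements entitlements.xml -fs "$CERT_NAME" "$1"
  codesign -vv "$1"
  codesign -d --entitlements - "$1"
}

main() {
  make_identity
  install_identity
  check_identity
  sign_gdb "$(which gdb)"
  echo "Signed $(which gdb); reboot before attaching, as the answer advises."
}

# Only perform the macOS steps when explicitly asked: sh gdb-sign.sh --run
case "${1:-}" in --run) main ;; esac
```

Run it as `sh gdb-sign.sh --run` on the Mojave machine; the plist and OpenSSL config helpers can be exercised anywhere, the keychain and codesign steps need macOS and sudo.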
