132

I'm on OS X 10.8.4 and have installed gdb 7.5.1 with Homebrew (motivation: get a new gdb with new features such as --with-python, etc.)

Long story short, when I run debug within a C++ Eclipse project I get:

Error in final launch sequence
Failed to execute MI command:
-exec-run
Error message from debugger back end:
Unable to find Mach task port for process-id 46234: (os/kern) failure (0x5).
 (please check gdb is codesigned - see taskgated(8))
Unable to find Mach task port for process-id 46234: (os/kern) failure (0x5).
 (please check gdb is codesigned - see taskgated(8))

I have followed various suggestions for code signing

So I did:

  1. Set up the certificate
  2. Sign the gdb -> codesign -s gdb-cert /usr/local/bin/gdb

When I re-run debugging in Eclipse I get the same error as above: "(please check gdb is codesigned - see taskgated(8))".

If I set back the gdb to the older gdb (in the gdb preferences of Eclipse) /usr/libexec/gdb/gdb-i386-apple-darwin the debugging runs as expected.

Any solutions / hints out there?

Thx

Pelle

pellekrogholt
  • Is this not a "security feature" - in other words, your system is configured to only accept software that has been officially signed? If so, hopefully there is a way to turn that feature off... – Mats Petersson Aug 24 '13 at 21:30
  • ok thanks for your feedback - i understand your security feature point but my problem is then how to do the signing... there is a similar post http://stackoverflow.com/questions/12050257/gdb-fails-on-mountain-lion which didn't solve it for me yet – pellekrogholt Sep 21 '13 at 09:13
  • Sorry to revive such an old thread, but I have followed dozens of tutorials with near identical instructions and I am still not getting anywhere with V12.4 (Monterey). Are there any new required steps? – mreff555 Aug 03 '22 at 01:00

11 Answers

159

This error occurs because OSX implements a pid access policy which requires a digital signature for binaries to access other processes' pids. To enable gdb access to other processes, we must first code sign the binary. This signature depends on a particular certificate, which the user must create and register with the system.

To create a code signing certificate, open the Keychain Access application. Choose menu Keychain Access -> Certificate Assistant -> Create a Certificate…

Choose a name for the certificate (e.g., gdb-cert), set Identity Type to Self Signed Root, set Certificate Type to Code Signing and select the Let me override defaults. Click several times on Continue until you get to the Specify a Location For The Certificate screen, then set Keychain to System.

Double click on the certificate, open Trust section, and set Code Signing to Always Trust. Exit Keychain Access application.

Restart the taskgated service, and sign the binary.

$ sudo killall taskgated
$ codesign -fs gdb-cert "$(which gdb)"

source http://andresabino.com/2015/04/14/codesign-gdb-on-mac-os-x-yosemite-10-10-2/

On macOS 10.12 (Sierra) and later, you must also:

  1. Use gdb 7.12.1 or later.
  2. Additionally prevent gdb from using a shell to start the program to be debugged. You can use the following command for this inside gdb:

set startup-with-shell off

You can also put this last command in a file called .gdbinit in your home directory, in which case it will be applied automatically every time you start gdb

echo "set startup-with-shell off" >> ~/.gdbinit

SOURCE: https://sourceware.org/gdb/wiki/BuildingOnDarwin

xfze
maximser
  • 6
    Works like a charm. Thank you. – pceccon Oct 22 '15 at 15:14
  • 17
    As the OP pointed out, this didn't do the trick for him (and for me neither). – PVitt Dec 08 '15 at 11:15
  • 8
    It seems it does not work on `macOS Sierra` with self signed certificates. – loretoparisi Jul 30 '17 at 12:34
  • `sudo killall taskgated` is the key to solve my problem – seenukarthi Aug 07 '17 at 10:05
  • I followed the steps precisely, and this worked beautifully for me on macOS Sierra. – jdg Aug 31 '17 at 16:45
  • @zplizzi Check out these: https://gist.github.com/hlissner/898b7dfc0a3b63824a70e15cd0180154 and these: https://gist.github.com/gravitylow/fb595186ce6068537a6e9da6d8b5b96d for setting users and groups – RandomEli Oct 05 '17 at 23:15
  • @vaughan Check out these: gist.github.com/hlissner/898b7dfc0a3b63824a70e15cd0180154 and these: gist.github.com/gravitylow/fb595186ce6068537a6e9da6d8b5b96d for setting users and groups – RandomEli Oct 05 '17 at 23:15
  • Instead of `set startup-with-shell off` you can also install the brew version of bash (`brew install bash`) and set the shell to the new bash. This can be done system wide, but simple `export SHELL=$(which bash)` suffices before calling gdb. Then gdb will safely debug through brew bash, which can be useful for passing complex arguments to the program being debugged. Turning the shell off, for example, breaks the Eclipse integration with gdb. I also had to downgrade gdb to 8.0.1 since 8.1 seems to be broken. – Dejan Jovanović Apr 11 '18 at 20:51
  • 5
    Performing all the steps in section 1 of https://sourceware.org/gdb/wiki/PermissionsDarwin resolved the issue for me on macOS Catalina (Version 10.15.4). – honey_badger Apr 13 '20 at 11:53
  • 9
    This answer is now out-of-date for newer versions of macOS; you have to also create gdb-entitlement.xml and run codesign with --entitlements gdb-entitlement.xml. Could you please update this answer with the message "Additional steps are required on macOS 10.14 and later, see https://sourceware.org/gdb/wiki/PermissionsDarwin" or copy the additional information about gdb-entitlement.xml from that page into this answer? – Kerrick Staley Jul 01 '20 at 17:27
  • Using this answer in conjunction with Johnny's got it going again – James Robert Albert Jan 29 '21 at 03:03
  • If you are using bigSur, do https://sourceware.org/gdb/wiki/PermissionsDarwin as @KerrickStaley says – borgomeister Apr 23 '21 at 15:02
  • I missed the hidden comments and wasted lots of time. @KerrickStaley 's comment should get more upvotes. – kdy Jun 25 '21 at 14:20
72

I upgraded to gdb 8.3 and was not able to get things working. This helped me:

codesign --entitlements gdb.xml -fs gdb-cert /usr/local/bin/gdb

Where content of gdb.xml is:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.cs.debugger</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>

I found this solution here: https://timnash.co.uk/getting-gdb-to-semi-reliably-work-on-mojave-macos/

Note: Without the entitlement I was able to run gdb only with sudo.

  • 7
    What do you do if you get `error: The specified item could not be found in the keychain.` – Sridhar Sarnobat Jan 11 '20 at 14:58
  • 1
    @SridharSarnobat Use the pipeline first of this answer https://stackoverflow.com/a/32727069/339146 – Panayotis May 03 '20 at 10:30
  • 1
    Failed after trying @maximser 's answer. Then this works for me. macOS 10.15.4, gdb 9.2 installed via brew. – weaming Jun 06 '20 at 09:45
  • @SridharSarnobat: You have to create the certificate first https://stackoverflow.com/questions/35020236/creating-certificate-to-sign-gdb-on-mac-os-x-from-bash – Akansha Jun 20 '20 at 18:27
  • Looks like we need to repeat this command after every new build – user5735224 Aug 29 '20 at 06:20
  • +1, this works on 10.15.7. I think you should reference the link that is provided when you install it via homebrew, https://sourceware.org/gdb/wiki/PermissionsDarwin. Also maybe at the top mention that this works with 10.15.X and that this is really an addendum to @maximser's answer? – irritable_phd_syndrome Mar 30 '21 at 14:58
31

I experienced the same issue with GDB. I am running under Mac OS X 10.8.5 aka Mountain Lion. I am using GDB version 7.7.1.

I compiled my test program with following command:

g++ -o gdb-sample.out -g gdb-sample.cpp    

If I entered the command gdb sample.out, I get the same cryptic error message:

"Unable to find Mach task port for process-id 46234: (os/kern) failure (0x5). (please check gdb is codesigned - see taskgated(8))"

This error message however is a red herring.

The solution I found that worked for me was to simply invoke GDB using the superuser acct:

sudo gdb sample.out. 

That works fine for me.

And from that point I could run GDB example.out without using sudo.

Hope this helps and works for others. RSVP if it doesn't.

brokenfoot
mickster99
29

I made gdb work on OSX 10.9 without codesigning this way (described here):

  1. Install gdb with macports. (maybe you can skip it)

  2. sudo nano /System/Library/LaunchDaemons/com.apple.taskgated.plist

    change option string from -s to -sp at line 22, col 27.

  3. Reboot the computer.

  4. Use gdb. If you installed it with macports then you must use the ggdb command. Or make an alias in your config file:

alias gdb='ggdb'

and use 'gdb' command then.

Gonzalo Garcia
klm123
9

None of this worked for me and I had to go with a long run. Here is a full list of steps I've done to get it working.

  1. Create a certificate to sign the gdb.

Unfortunately, system certificate gave me Unknown Error = -2,147,414,007 which is very helpful, so I had to go with a workaround. Keychain Access -> Create certificate ->

Pick login, gdb-cert, Code Signing

Copy/move certificate to the System keychain (enter password)

  2. Select certificate (gdb-cert) click Get info -> Trust Always
  3. Disable startup-with-shell

Enter in console: set startup-with-shell off

Remember configuration: echo "set startup-with-shell off" >>~/.gdbinit

  4. Enable Root User

Go to System Preferences -> Users & Groups -> Unlock it -> Login Options -> Network Account Server -> Join -> Unlock it -> Edit (menu) -> Enable Root User

  5. sudo killall taskgated
  6. Finally sign gdb

codesign -fs gdb-cert "$(which gdb)"

  7. Disable Root User (Step 4)
  8. Reboot if still does not work. (if nothing else works, most likely it works already)

PS. I ended up using lldb because it just works (tutorial)

evandrix
taras
7

For anyone using Sierra 10.12.6 (and above) and Homebrew, /usr/local/bin/gdb is a symbolic link to /usr/local/Cellar/gdb/8.0/bin/gdb (or whatever version, e.g. 8.0.1).

You need to codesign both link and target:

codesign -fs gdb-cert /usr/local/bin/gdb
codesign -fs gdb-cert "/usr/local/Cellar/gdb/8.0/bin/gdb"

Or, if you have greadlink (installed via brew install coreutils):

codesign -fs gdb-cert $(which gdb)
codesign -fs gdb-cert $(greadlink -f $(which gdb))
Larry Song
5

This may not be related. You can use lldb on macos instead of gdb. You don't need this hassle to install gdb.

lldb (http://lldb.llvm.org) is already installed by default in High Sierra

Kaituo Li
4

This is what worked for me on Big Sur: https://dev.to/jasonelwood/setup-gdb-on-macos-in-2020-489k. The crucial missing step from other guides was the --entitlements gdb-entitlement.xml option for codesigning:

codesign --entitlements gdb-entitlement.xml -fs

where <gdb-cert> is the name of the certificate and is the path to the gdb executable

I am copying here the file gdb-entitlement.xml for reference in case the linked site disappears:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.cs.debugger</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>

evandrix
andrea m.
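An added example, not part of any answer above and not gdb or Apple code: a short Python audit of the entitlements plist that the two --entitlements answers pass to codesign, showing which keys it enables besides com.apple.security.cs.debugger. The function names and the one-line key descriptions (summarised from Apple's entitlement documentation) are this example's own; the embedded plist is the one quoted on this page.

```python
import plistlib

# The entitlements plist quoted in the answers above, embedded as sample input.
GDB_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key><true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key><true/>
    <key>com.apple.security.cs.debugger</key><true/>
    <key>com.apple.security.get-task-allow</key><true/>
</dict>
</plist>"""

# Hardened-runtime exceptions and what each one relaxes for the signed binary.
RELAXES = {
    "com.apple.security.cs.allow-jit": "writable+executable memory via MAP_JIT",
    "com.apple.security.cs.allow-unsigned-executable-memory": "writable+executable memory without MAP_JIT",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_* variables can inject code",
    "com.apple.security.cs.disable-library-validation": "loads libraries without requiring code signing",
    "com.apple.security.cs.disable-executable-page-protection": "code-signing protections on executable memory off",
}
DEBUGGER = "com.apple.security.cs.debugger"  # lets the binary obtain task ports

def audit_entitlements(plist_bytes):
    """Return (has_debugger, runtime_exceptions, other_keys) for a plist."""
    ents = plistlib.loads(plist_bytes)
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist must have a <dict> root")
    enabled = sorted(k for k, v in ents.items() if v is True)  # <false/> keys grant nothing
    exceptions = [k for k in enabled if k in RELAXES]
    other = [k for k in enabled if k not in RELAXES and k != DEBUGGER]
    return DEBUGGER in enabled, exceptions, other

def report(plist_bytes):
    """Human-readable summary, one line per enabled entitlement."""
    has_dbg, exceptions, other = audit_entitlements(plist_bytes)
    lines = [f"debugger entitlement: {'present' if has_dbg else 'MISSING'}"]
    lines += [f"runtime exception: {k} ({RELAXES[k]})" for k in exceptions]
    lines += [f"other: {k}" for k in other]
    return lines

if __name__ == "__main__":
    print("\n".join(report(GDB_XML)))
```

To check your own file, read gdb.xml (or gdb-entitlement.xml) in binary mode and pass its contents to report().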
3

I wonder if the global change in the highest voted answer here has some unintended consequences.

Rather than enabling the old Tiger convention, taskgated does allow signed code to run. So it might be better to just get a signed cert for gdb, similar to the answer here.

After this I was able to sudo use gdb. If you need to use gdb w/o sudo then perhaps this link will help though, disclaimer, I haven't tried it yet because using sudo is an ok solution for now.

Community
JnBrymn
0

I can recommend to follow this gist: https://gist.github.com/gravitylow/fb595186ce6068537a6e9da6d8b5b96d#file-codesign_gdb-md

With trick to overcome: unknown error = -2,147,414,007 during Certificate Creation described here: https://apple.stackexchange.com/a/309123

Notes:

Path for gdb installed as homebrew package should be something like: /usr/local/Cellar/gdb/9.2/bin/gdb

And csrutil enable --without debug will cause a message about requesting unsupported configuration, like here: https://totalfinder.binaryage.com/system-integrity-protection

Test:

○ → sw_vers -productVersion
10.13.6

○ → gdb ./a.out
GNU gdb (GDB) 9.2
...
Thread 3 hit Breakpoint 1, main () at main.c:14
14          data_t d = {0};
Yuriy Vasylenko
-1

gdb 8.3;

My problem is the same as the guy above, solved by

codesign --entitlements gdb.xml -fs gdb-cert /usr/local/bin/gdb
C.J