
There are many topics floating around covering codesign issues with macOS, from 10.5 onward. What I wanted to achieve is to get Geany working with the GNU Debugger (gdb). The debugger is found in Geany, but the (already quite well-known) error message is:

Error message from debugger back end:
Unable to find Mach task port for process-id 39847: (os/kern) failure (0x5).\n (please check gdb is codesigned - see taskgated(8))

Generally there are many restrictions to consider that (should) allow the usage of gdb, e.g. gdb 8.0.1 may work, gdb 8.1 will not work at all - see here, also confirmed in Lazarus Wiki.

0) I created my certificate "gdb-cert" according to the steps covered by various instructions. Example here

1) I followed the steps of codesigning the gdb executable file (source: gdb, and Stackoverflow) which is in my case under

/usr/local/Cellar/gdb/8.0.1/bin/gdb

(note again, there are issues with 8.1 for some languages - pascal too). If you want to make sure that code is signed, go for

$ codesign -vvvv  gdb

in the respective directory. Mine is.

2) Make sure that the certificate was actually assigned to be eligible for code signing - it is in my case. It is also trusted - which is necessary.

3) I also tried the other way to get gdb running described above, where the file was edited (please note that SIP has to be disabled in recovery first!!!!). Modifications only work if csrutil disable is used in the recovery.

sudo nano /System/Library/LaunchDaemons/com.apple.taskgated.plist

Devastating thing, after this step, no code editor would start up again (!!), until this change is undone (Geany, Atom, Text Editor, MS Visual Studio - all broken after inserting -sp to the file)

4) In some topics I found that debugging will only work if the command csrutil enable --without debug is used in the recovery. This hasn't changed anything.

Eventually I ended up having:

  • a certificate to code sign
  • a gdb executable file which is signed according to my statement above
  • a com.apple.taskgated.plist file not having populated the string -sp attribute

I would greatly appreciate it if anyone could confirm this behavior, and a solution to this even more :)

    Guenter

    3 Answers


    This is related to codesign entitlements. You must add the "com.apple.security.cs.debugger" key in the signing process.

    For example, you must change codesign -fs gdbcert /usr/local/bin/gdb to codesign --entitlements gdb.xml -fs gdbcert /usr/local/bin/gdb.

    The gdb.xml content must be something like the following code.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.security.cs.debugger</key>
        <true/>
    </dict>
    </plist>
    
    Sajjad Pourali
      Working well !! Your answer should be the accepted one. – panic Dec 05 '18 at 00:14
      Works for me even after all the instructions here failed: https://sourceware.org/gdb/wiki/BuildingOnDarwin – Josh Haberman Dec 15 '18 at 19:25
      @JoshHaberman FYI I updated https://sourceware.org/gdb/wiki/PermissionsDarwin with the instructions herein. – DomQ Jan 02 '19 at 16:10
      Note to others using this answer, you have to create a certificate named gdbcert in keychain assistant – Clement Mar 20 '19 at 18:57
      @DomQ the signing step with the entitlements doesn't work because it tries to find the cert by identity -- which is usually email address, *not* the cert common name. I got around it by putting "gdb-cert" for both common name and email in the cert when I created it. Then I could run `codesign --entitlements gdb-entitlement.xml -fs gdb-cert $(which gdb)` – novelistparty May 29 '19 at 17:58
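A small shell script, added here as an example and not part of any answer above, that writes the entitlements plist from this answer, signs gdb with it, and then checks that the debugger entitlement is actually present in the signed binary (the step people usually skip before retrying the debugger). The identity name gdb-cert, the Homebrew path from the question and the file name gdb-entitlement.xml are assumptions; the entitlement check parses codesign's own `-d --entitlements :-` output, so it can also be run against a saved copy of that output.

```shell
#!/bin/sh
# Added example (not from the original post): write the entitlements plist from
# the accepted answer, sign gdb with it, then verify signature and entitlement.
# Assumptions: a trusted code-signing identity "gdb-cert" exists in the keychain
# and gdb is the Homebrew binary named in the question; override via env vars.
ENTITLEMENTS="${ENTITLEMENTS:-gdb-entitlement.xml}"
IDENTITY="${IDENTITY:-gdb-cert}"
GDB="${GDB:-/usr/local/Cellar/gdb/8.0.1/bin/gdb}"

# Write the entitlements file; only the debugger entitlement is required.
write_entitlements() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>
EOF
}

# Exit 0 if the plist text on stdin (e.g. from `codesign -d --entitlements :- gdb`,
# which prefixes a small binary header) grants the debugger entitlement.
# The key must be followed by <true/>; a key set to <false/> grants nothing.
entitlement_present() {
    tr -d '[:space:]' | grep -aq '<key>com.apple.security.cs.debugger</key><true/>'
}

# Sign, verify the signature, and confirm the entitlement landed in the binary.
# codesign exits non-zero when the identity cannot be found (see the comment
# about common name vs e-mail) or the signature does not verify.
sign_and_verify() {
    write_entitlements "$ENTITLEMENTS" &&
    codesign --entitlements "$ENTITLEMENTS" -fs "$IDENTITY" "$GDB" &&
    codesign -vvvv "$GDB" &&
    codesign -d --entitlements :- "$GDB" 2>/dev/null | entitlement_present
}

# The signing step only makes sense where codesign exists (macOS).
if command -v codesign >/dev/null 2>&1; then
    sign_and_verify && echo "gdb is signed and carries com.apple.security.cs.debugger"
fi
```

If the final check fails although `codesign -vvvv` passed, the binary was signed without the entitlements file, which is exactly the state that still produces the Mach task port error from the question.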

    The log command is helpful for troubleshooting code signing issues. Here is what I used (on Mojave):

    log stream --predicate 'process == "taskgated" OR (process == "kernel" AND eventMessage CONTAINS "macOSTaskPolicy")' --info

    DomQ

    I didn't modify com.apple.taskgated.plist so no issues with any of the text editors you listed. The fix I'm using though, unfortunately does require me to run gdb with sudo (which I didn't need for the fix I had on High Sierra). Not using Geany, but these are the slightly modified steps I used for gdb on Mac Mojave (with thanks to the original author who published instructions for High Sierra):

    1. Run brew install https://raw.githubusercontent.com/Homebrew/homebrew-core/9ec9fb27a33698fc7636afce5c1c16787e9ce3f3/Formula/gdb.rb.
    2. Follow with brew pin gdb
    3. Open Keychain Access
    4. In menu, open Keychain Access > Certificate Assistant > Create a Certificate
    5. Give it a name (e.g. gdbcert)
    6. Identity type: Self Signed Root
    7. Certificate type: Code Signing
    8. Check: Let Me Override Defaults
    9. Continue with default options until Specify a Location For
    10. Set Keychain location to System. If this yields the following error: Certificate Error: Unknown Error =-2,147,414,007, set Location to Login, unlock System by clicking on the lock at the top left corner and drag and drop the certificate gdbcert to the System Keychain.
    11. Find the certificate in System keychain.
    12. Double click certificate.
    13. Expand Trust, set Code signing to Always Trust
    14. Restart taskgated in terminal: sudo killall taskgated or possibly ps aux | grep taskgated then kill -9 <pid>
    15. Enable root account by following the steps given below:
    16. Open System Preferences
    17. Go to User & Groups > Unlock
    18. Login Options > Join (next to Network Account Server)
    19. Click Open Directory Utility
    20. Go up to Edit > Enable Root User
    21. Codesign gdb using your certificate: codesign -fs gdbcert /usr/local/bin/gdb I ended up using sudo killall taskgated && codesign -fs gdbcert /usr/local/bin/gdb
    22. Codesign authenticate as root user
    23. Shut down your mac and restart in recovery mode (hold down command-R until Apple logo appears)
    24. Open terminal window
    25. Modify System Integrity Protection to allow debugging: csrutil enable --without debug
    26. Reboot your Mac. Debugging with gdb should now work as expected.
    27. Run gdb with sudo; for example sudo gdb -q ./a.out
    user33003
      didn't work for me: it's hitting https://stackoverflow.com/questions/52529838/gdb-8-2-cant-recognized-executable-file-on-macos-mojave-10-14 – timotheecour Dec 03 '18 at 00:09