How to codesign gdb on OS X Mojave?

I found that if I first followed these instructions to create the certificate BEFORE attempting to complete the gdb signing instructions, I was able to get it to work. The only exception is that I had to keep the certificate in the System Keychain instead of moving it back into Login.

Here's a consolidated set of steps:

Creating the Certificate with the right permissions

  1. Launch /Applications/Utilities/Keychain Access.app
  2. In Keychain Access select the "login" keychain in the "Keychains" list in the upper left hand corner of the window.
  3. Select the following menu item:
    • Keychain Access->Certificate Assistant->Create a Certificate...
  4. Set the following settings:
    • Name = "gdb-cert"
    • Identity Type = Self Signed Root
    • Certificate Type = Code Signing
    • Click Create
    • Optionally customize the expiration date (3650 days = 10 years)
    • Click Continue
    • Click Done
  5. Click on "My Certificates"
  6. Double click on your new "gdb-cert" certificate
  7. Turn down the "Trust" disclosure triangle, scroll to the "Code Signing" trust pulldown menu and select "Always Trust" and authenticate as needed using your username and password.
  8. Drag the new "gdb-cert" code signing certificate (not the public or private keys of the same name) from the "login" keychain to the "System" keychain in the Keychains pane on the left hand side of the main Keychain Access window. This will move this certificate to the "System" keychain. You'll have to authorize a few more times, set it to be "Always trusted" when asked.
  9. In the Keychain Access GUI, click and drag "gdb-cert" in the "System" keychain onto the desktop. The drag will create a "~/Desktop/gdb-cert.cer" file used in the next step.
  10. Switch to Terminal, and run the following:
    1. sudo security add-trust -d -r trustRoot -p basic -p codeSign -k /Library/Keychains/System.keychain ~/Desktop/gdb-cert.cer
    2. rm -f ~/Desktop/gdb-cert.cer
  11. Drag the "gdb-cert" certificate from the "System" keychain back into the "login" keychain (and maybe back again...?) EDIT: apparently not necessary, per comments
  12. Quit Keychain Access
  13. Reboot

Checking the Certificate:

  1. security find-certificate -c gdb-cert -> should print details about the cert if it can be found
  2. security find-certificate -p -c gdb-cert | openssl x509 -noout -checkend 0 -> should print "Certificate will not expire"
  3. security dump-trust-settings -d -> should show that this cert has the Code Signing trust setting enabled (it may also list other certs and policies)

Creating the "entitlements.xml" File:

Copy the text below and save it in an "entitlements.xml" file in your current directory.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>

Signing the debugger binaries

Run the following commands in terminal:

  1. codesign --entitlements entitlements.xml -fs gdb-cert $(which gdb) -> sign gdb with the entitlements file
  2. codesign -vv $(which gdb) -> verify the code signature
  3. codesign -d --entitlements - $(which gdb) -> display the signature details and the embedded entitlements

Refresh System Certificates

Reboot the machine
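As an added example that is not part of the original answer, the script below wraps the "Checking the Certificate" and "Signing the debugger binaries" steps into functions, so they can be re-run after a certificate renewal or a gdb upgrade. The function names, the CERT_NAME and GDB_BIN variables, and the assumed "Cert N: gdb-cert" line in the output of security dump-trust-settings -d are this example's own assumptions, not the answer's. Only the entitlements helpers are portable; check_cert and sign_gdb need the macOS security and codesign tools.

```shell
#!/bin/sh
# Added example, not from the original answer: consolidates the
# certificate checks and the gdb signing/verification steps into
# functions. CERT_NAME, GDB_BIN, the function names and the expected
# "Cert N: <name>" line in dump-trust-settings output are assumptions.

CERT_NAME="${CERT_NAME:-gdb-cert}"
GDB_BIN="${GDB_BIN:-$(command -v gdb 2>/dev/null || true)}"

# Write the entitlements plist from the answer to the path in $1.
write_entitlements() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>
EOF
}

# Return 0 only if the plist in $1 grants the debugger entitlement, i.e.
# the key is immediately followed by <true/> (whitespace ignored).
# A <false/> value or a missing key fails: codesign would embed such a
# file without complaint, but gdb would still be refused debug rights.
entitlements_grant_debugger() {
    [ -r "$1" ] || return 1
    tr -d ' \t\n' < "$1" |
        grep -qF '<key>com.apple.security.cs.debugger</key><true/>'
}

# Run the three certificate checks from the answer; stop at the first failure.
check_cert() {
    security find-certificate -c "$CERT_NAME" >/dev/null 2>&1 ||
        { echo "certificate '$CERT_NAME' not found in any keychain" >&2; return 1; }
    security find-certificate -p -c "$CERT_NAME" |
        openssl x509 -noout -checkend 0 >/dev/null ||
        { echo "certificate '$CERT_NAME' has expired" >&2; return 1; }
    # Assumption: dump-trust-settings lists each trusted cert as "Cert N: <name>".
    security dump-trust-settings -d 2>/dev/null |
        grep -q "^Cert [0-9][0-9]*: $CERT_NAME\$" ||
        { echo "no trust settings for '$CERT_NAME' in the System keychain" >&2; return 1; }
    echo "certificate '$CERT_NAME' present, unexpired and trusted"
}

# Sign gdb with the entitlements file in $1, verify the signature, then
# confirm the debugger entitlement was actually embedded.
sign_gdb() {
    ent="$1"
    [ -n "$GDB_BIN" ] || { echo "gdb not found in PATH" >&2; return 1; }
    entitlements_grant_debugger "$ent" ||
        { echo "$ent does not grant com.apple.security.cs.debugger" >&2; return 1; }
    codesign --entitlements "$ent" -fs "$CERT_NAME" "$GDB_BIN" || return 1
    codesign -vv "$GDB_BIN" || return 1
    codesign -d --entitlements - "$GDB_BIN" 2>&1 |
        grep -q 'com.apple.security.cs.debugger' ||
        { echo "signature present but debugger entitlement missing" >&2; return 1; }
    echo "$GDB_BIN signed by '$CERT_NAME' with the debugger entitlement"
}

# Usage: sh sign-gdb.sh check | sign [entitlements.xml]
case "${1:-}" in
    check) check_cert ;;
    sign)  ent="${2:-entitlements.xml}"
           [ -f "$ent" ] || write_entitlements "$ent"
           sign_gdb "$ent" ;;
esac
```

Run "sh sign-gdb.sh check" after the reboot at the end of the certificate section and "sh sign-gdb.sh sign" after each gdb build. sign_gdb refuses to sign unless the plist sets the key to <true/>, because codesign itself does not validate entitlement values, and it re-reads the entitlements from the signed binary rather than trusting the input file. Remember that any binary signed with the gdb-cert private key is now trusted for code signing on this machine, so keep that key in the keychain and do not export it.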