I have built libcurl for Windows x64 with OpenSSL. If I specify the CA Info with the libcurl command as shown below I am able to post my data via https.
curl_easy_setopt(curl_handle, CURLOPT_CAINFO, "C:\\cacert.pem");
My question is in regard to option 3 under the heading “Certificate Verification” found here: https://curl.haxx.se/docs/sslcerts.html
3) Add the CA cert for your server to the existing default CA certificate store. The default CA certificate store can be changed at compile time with the following configure options:
--with-ca-bundle=FILE: use the specified file as CA certificate store. CA certificates need to be concatenated in PEM format into this file.
--with-ca-path=PATH: use the specified path as CA certificate store. CA certificates need to be stored as individual PEM files in this directory. You may need to run c_rehash after adding files there.
Do these settings only apply to command line or can libcurl be configured at compile time to always use the same CA info?
Thanks!
Do these settings only apply to command line or can libcurl be configured at compile time to always use the same CA info?
cURL has the same settings for compile time. More accurately, they are Autotools options.
curl-7.57.0$ ./configure --help
`configure' configures curl - to adapt to many kinds of systems.
Usage: ./configure [OPTION]... [VAR=VALUE]...
...
--with-ca-bundle=FILE Path to a file containing CA certificates (example:
/etc/ca-bundle.crt)
--without-ca-bundle Don't use a default CA bundle
--with-ca-path=DIRECTORY
Path to a directory containing CA certificates
stored individually, with their filenames in a hash
format. This option can be used with OpenSSL, GnuTLS
and PolarSSL backends. Refer to OpenSSL c_rehash for
details. (example: /etc/certificates)
--without-ca-path Don't use a default CA path
--with-ca-fallback Use the built in CA store of the SSL library
--without-ca-fallback Don't use the built in CA store of the SSL library
I build cURL on occasion for testing on older systems like CentOS 5. I find it is easiest to download an updated cacert.pem, and then use --with-ca-bundle.
If you want to use --with-ca-path, then that is the one where each certificate is hashed. So you will have a directory with 120 or 150 files in it. The files will have names like NNNNNNNN.0, NNNNNNNN.1 and so on. NNNNNNNN will be a hash, and collisions are resolved by incrementing the suffix.
I keep my script for building cURL online at Build-Scripts | build-curl.sh.
I'm looking to set up a batch process using a github deploy key.
Registering a key using any of the following:
ssh-keygen
ssh-keygen -t rsa -b 4096
ssh-keygen -t rsa -b 4096 -E sha512
And running the following code:
%let dirOut = %sysfunc(pathname(work))/package;
data _null_;
rc=GITFN_CLONE(
"git@github.com:allanbowe/sasjscore.git",
"&dirOut",
"git",
"",
"/home/sasjssrv/.ssh/id_rsa.pub",
"/home/sasjssrv/.ssh/id_rsa"
);
put rc=;
run;
Results in:
ERROR: Return code from GIT is (23). ERROR: You're using an RSA key with SHA-1, which is no longer allowed. Please use a newer client or a different key type.
Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
The following algorithms:
ssh-keygen -t ecdsa -b 521
ssh-keygen -t ed25519
ssh-keygen -t ed25519 -C "mygithubemail@provider.com"
ssh-keygen -t rsa -b 2048 -E sha512
Return -3 from gitfn_clone() with the following message:
ERROR: Failed to authenticate with the remote repository.
A regular git clone works fine with ALL of the keys:
git clone git@github.com:allanbowe/sasjscore.git
Cloning into 'sasjscore'...
warning: You appear to have cloned an empty repository.
I also tried with git_clone() (after noticing gitfn_clone() was deprecated) but, same result.
Any ideas?
%put %sysfunc(GIT_VERSION()) &=sysvlong &=sysscp;
0.27 SYSVLONG=9.04.01M7P080520 SYSSCP=LIN X64
Running Centos 7 as described here.
The issue is the use of an older version of GIT in 9.4m7. This should be fixed in 9.4m8, and is already fixed in Viya 4.
Thanks to the support of several internal SAS employees (you know who you are!) I can document TWO steps to address.
The first - to fix in m7 - just apply the following two hotfixes:
I9R087
I9R088
Then, regenerate using an appropriate cypher, eg: ssh-keygen -t ecdsa -b 521 and add that public key to github.
The second approach, which I didn't get round to trying as it would have meant creating a new github account, was to use OpenAuth Access Tokens. More information on that here and here.
Many thanks, Danny / Alexey / David!
EDIT - further to @joe's comment, I provide the logs from the hotfixes (/opt/sas9/SASHome/InstallMisc/InstallLogs):
base_lax_9.4_M7_HFI9R087_en_Install_preexec.log:
Installation Date 17/10/22 15:36 / User ID sasinstaller / IP Address 44.44.44.44 / Host CentOS-79-64-minimal
Skipped Files
There were no files to be processed.
Added Files
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/libssh2.so.1.0.1
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/libssh2.so
Backup Files
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R087/SASHome/en/SASFoundation/9.4/sasexe/libssh2.so.1
Changed Files
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/libssh2.so.1
Removed Files
There were no files to be processed.
base_lax_9.4_M7_HFI9R087_en_Install_postexec.log:
Installation Date 17/10/22 15:37 / User ID sasinstaller / IP Address 44.44.44.44 / Host CentOS-79-64-minimal
Added Files
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/libssh2.so.1.0.1
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/libssh2.so
Backup Files
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R087/SASHome/en/SASFoundation/9.4/sasexe/libssh2.so.1
Changed Files
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/libssh2.so.1
/opt/sas9/SASHome/SASFoundation/9.4/sasv9.cfg
Removed Files
There were no files to be processed.
base_lax_9.4_M7_HFI9R088_en_Install_preexec.log :
Installation Date 17/10/22 15:36 / User ID sasinstaller / IP Address 44.44.44.44 / Host CentOS-79-64-minimal
Skipped Files
There were no files to be processed.
Added Files
There were no files to be processed.
Backup Files
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugitfn
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_f
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_v
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_i
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_c
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_s
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_b
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_r
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_d
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_p
Changed Files
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugitfn
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_f
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_v
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_i
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_c
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_s
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_b
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_r
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_d
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_p
Removed Files
There were no files to be processed.
And /opt/sas9/SASHome/InstallMisc/InstallLogs/base_lax_9.4_M7_HFI9R088_en_Install_postexec.log:
Installation Date 17/10/22 15:37 / User ID sasinstaller / IP Address 44.44.44.44 / Host CentOS-79-64-minimal
Added Files
There were no files to be processed.
Backup Files
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugitfn
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_f
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_v
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_i
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_c
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_s
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_b
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_r
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_d
/opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R088/SASHome/en/SASFoundation/9.4/sasexe/uwugit_p
Changed Files
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugitfn
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_f
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_v
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_i
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_c
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_s
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_b
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_r
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_d
/opt/sas9/SASHome/SASFoundation/9.4/sasexe/uwugit_p
/opt/sas9/SASHome/SASFoundation/9.4/sasv9.cfg
Removed Files
There were no files to be processed.
After searching a bit harder I found this (showing only the extract due to log size) in file IT_2022-10-17-16.17.52.log:
2022-10-17 16:22:43 Controller - Marshalling deployment.xml to /opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R005/Metadata/en/deployment.xml
2022-10-17 16:22:43 InstallationTask - All constrainBy tests met: true
2022-10-17 16:22:43 EntryData - backed up /opt/sas9/SASHome/SASFoundation/9.4/sasexe/libgit2.so to /opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R005/SASHome/en/SASFoundation/9.4/sasexe/libgit2.so
2022-10-17 16:22:43 InstallationTask - sasexe/libgit2.so (0 bytes) has been successfully Backed up
2022-10-17 16:22:43 InstallationTask - sasexe/libgit2.so (1180370 bytes) has been successfully Changed
2022-10-17 16:22:43 ExtractTask - Created uninstall zip metadata at /opt/sas9/SASHome/SASFoundation/9.4/installs/base_lax_9.4_M7_HFI9R005/Metadata/en/en_sasexe.xml
So - it would seem, the answer is yes!
EDIT 2 - further feedback (thanks, Sundaresh) has shown that the -m PEM option can avoid the git (23) error, eg:
ssh-keygen -t ecdsa -b 256 -m PEM -C "you@mail.com"
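One detail worth separating out from the thread above: GitHub's "RSA key with SHA-1" message is about the signature algorithm the client negotiates (ssh-rsa, i.e. RSA with SHA-1), not about the key file. A client that implements rsa-sha2-256/rsa-sha2-512 can keep using the same RSA key, which is why a plain git clone works with every key while the older libssh2 inside SAS 9.4M7 fails. The -E option of ssh-keygen only selects the hash used to display fingerprints and does not change the key. The script below is an added example, not part of the original question, answer or SAS's code: it parses one line of an OpenSSH .pub file the way it is stored (type prefix, base64 wire blob, comment), reports the key type and size, flags ssh-rsa keys as depending on the client's rsa-sha2 support, and prints fingerprints under several hashes to show that -E changes only the display. The sample keys are constructed inside the script and are not real keys.

```python
import base64
import hashlib
import struct

# --- OpenSSH wire-format helpers (RFC 4251 "string" and "mpint") -------------

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    # positive mpint: big-endian, with a leading zero byte if the high bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


ECDSA_BITS = {"nistp256": 256, "nistp384": 384, "nistp521": 521}


def parse_pubkey(line: str) -> dict:
    """Parse one line of an OpenSSH .pub file: '<type> <base64 blob> [comment]'."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    wire_type, off = _read_string(blob, 0)
    wire_type = wire_type.decode("ascii")
    if wire_type != declared:
        raise ValueError(f"prefix {declared!r} does not match blob type {wire_type!r}")
    info = {"type": wire_type, "comment": parts[2] if len(parts) > 2 else ""}
    if wire_type == "ssh-rsa":
        _e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        info["bits"] = int.from_bytes(n, "big").bit_length()
        # The key type says nothing about the signature hash: the client picks
        # ssh-rsa (SHA-1) or rsa-sha2-256/512 at connection time, and GitHub
        # rejects the former. A client without rsa-sha2 support is the problem.
        info["needs_rsa_sha2_client"] = True
    elif wire_type == "ssh-ed25519":
        pk, off = _read_string(blob, off)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        info["bits"] = 256
        info["needs_rsa_sha2_client"] = False
    elif wire_type.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)
        _point, off = _read_string(blob, off)
        curve = curve.decode("ascii")
        if curve != wire_type[len("ecdsa-sha2-"):] or curve not in ECDSA_BITS:
            raise ValueError(f"unexpected curve {curve!r} for {wire_type}")
        info["bits"] = ECDSA_BITS[curve]
        info["needs_rsa_sha2_client"] = False
    else:
        raise ValueError(f"unsupported key type {wire_type!r}")
    if off != len(blob):
        raise ValueError("trailing bytes after key material")
    return info


def is_valid_pubkey(line: str) -> bool:
    try:
        parse_pubkey(line)
        return True
    except (ValueError, struct.error):
        return False


def fingerprint(line: str, algo: str = "sha256") -> str:
    """ssh-keygen -l -E <algo> style fingerprint of the raw blob (display only)."""
    blob = base64.b64decode(line.split()[1], validate=True)
    digest = hashlib.new(algo, blob).digest()
    if algo == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    return algo.upper() + ":" + base64.b64encode(digest).decode("ascii").rstrip("=")


def _pub_line(blob: bytes, comment: str) -> str:
    key_type, _ = _read_string(blob, 0)
    return f"{key_type.decode('ascii')} {base64.b64encode(blob).decode('ascii')} {comment}"


# Constructed sample keys (NOT real keys; the numbers are arbitrary) so the
# parser can be exercised offline. Real input is the content of id_*.pub.
SAMPLE_RSA = _pub_line(_ssh_string(b"ssh-rsa") + _ssh_mpint(65537)
                       + _ssh_mpint((1 << 2047) | 0x10001), "deploy@example")
SAMPLE_ED25519 = _pub_line(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32))),
                           "deploy@example")
SAMPLE_ECDSA = _pub_line(_ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
                         + _ssh_string(b"\x04" + bytes(64)), "deploy@example")

if __name__ == "__main__":
    for line in (SAMPLE_RSA, SAMPLE_ED25519, SAMPLE_ECDSA):
        print(parse_pubkey(line), fingerprint(line), fingerprint(line, "sha512"))
```

Run it against the real file with `parse_pubkey(open("/home/sasjssrv/.ssh/id_rsa.pub").read())`; a result of type ssh-rsa with needs_rsa_sha2_client set means the fix is on the client side (a libssh2 that offers rsa-sha2-*), or switching to an ed25519/ecdsa key as the answer did.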
In the example of doc/html/boost_asio/example/cpp03/ssl/client.cpp - 1.58.0, it loads a file named ca.pem, but where can I download it? I've tried to export one from Firefox, and also tried to use the one in my system such as /usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt, but the example program only returns message
Verifying /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Handshake failed: certificate verify failed
Any suggestion? Thanks a lot.
You can use the Mozilla certificate pack converted to PEM format by the authors of the cURL library. You can download it from the cURL site.
I tried to run this boost.asio example using this pack and it ran successfully.
It's in the library source tree:
libs/asio/example/cpp03/ssl/server.pem
libs/asio/example/cpp03/ssl/dh512.pem
libs/asio/example/cpp03/ssl/ca.pem
When setting in the sample app: Travelocity.properties
#Specify if SAML Assertion element is encrypted
SAML.EnableAssertionEncryption=true
And also tick the Identity server configuration option:
Enable Assertion Encryption [ticked]
Certificate Alias: wso2carbon
I receive the following error at the server log:
Error at Log: 2015-05-05 15:56:10,282 Error encrypting XMLObject
Without the encryption feature enabled, the SAML authentication flow with the Travelocity sample code starts working.
Hints are welcome how to fix this issue.
Regards,
Claude
It seems like you are working on the installed java runtime for the first time. I am using ubuntu 14. The same problem came to me. For me it worked in the following way.
1. Download the respective files according to your runtime from here.
http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
2. Extract the folder you downloaded. There will be two .jar files.
3. For Ubuntu you can run echo $JAVA_HOME to find the Java home. Copy the above jar files into {JAVA_HOME}/jre/lib/security. You may need sudo access depending on your JAVA_HOME location. If so, run the following from the location you extracted the zip file to.
cp local_policy.jar "$JAVA_HOME/jre/lib/security/"
cp US_export_policy.jar "$JAVA_HOME/jre/lib/security/"
$JAVA_HOME already expands to an absolute path, so there should be only one slash (/) in front of jre.
4. Restart wso2 identity server again and retry the procedure to login to travelocity.com
Hope this will fix your issue.
I'm working on a box that's running CentOS (Linux), and I'm running into the following error when try to access a particular subdomain for work:
Traceback (most recent call last):
... # My code, relevant call is requests.get(url)
File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 60, in get
return request('get', url, **kwargs)
File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 49, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 457, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 569, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 420, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
According to https://www.digicert.com/help/, the subdomain "is not sending the required intermediate certificate" (and that's the only problem DigiCert found). However, my code handles this without problem when I run it from my Mac laptop, and so do both Chrome and Safari. I'm running Python 2.7.5 on both my laptop and the linux box. I was running requests 1.2.0 on the linux box and 2.2.1 on my laptop, but I upgraded both to 2.4.3 and they still don't have the same behavior.
Also possibly relevant - the same certificate is being used with some other subdomains where the intermediate certificate is being sent, and neither my laptop nor the linux box has any problems with those, so it shouldn't be that my laptop has a root CA that the linux box doesn't have.
Does anyone know why it isn't working from my linux box and how I can fix it?
I spent a day to understand and fix this issue completely, so I thought it will be nice to share my findings with everybody :-)! Here are my results:
It is a common flaw in SSL server configurations to provide an incomplete chain of certificates, often omitting intermediate certificates. For instance, a site I was working with did not include the common DigiCert "intermediate" certificate "DigiCert TLS RSA SHA256 2020 CA1" in the server's response.
Because this configuration flaw is common, most but not all modern browsers implement a technique called "AIA Fetching" to fix this on the fly (see e.g. https://www.thesslstore.com/blog/aia-fetching/).
Python's SSL support does not support AIA Fetching and depends on a complete chain of certificates from the server; otherwise it throws an exception, like so
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1124)')))
There is an ongoing discussion about whether AIA Fetching should be added to Python, e.g. in this thread: https://bugs.python.org/issue18617#msg293894.
My impression is that this will remain an open issue for the foreseeable future.
Now, how can we fix that?
Install certifi, if you have not done so, or update it
pip install certifi
or
pip install certifi --upgrade
Many (but not all) Python modules can use the certificates from certifi, and certifi takes them from the Mozilla CA Certificate initiative (https://wiki.mozilla.org/CA). Basically, certifi creates a clean *.pem file from the Mozilla site and provides a lightweight Python interface for accessing that file.
Download the missing certificate as a file in PEM syntax, e.g. from https://www.digicert.com/kb/digicert-root-certificates.htm, or from a trusted browser.
Locate the certifi *.PEM certificate file with
import certifi
print(certifi.where())
Note: I recommend first activating the virtual environment (e.g. conda activate <envname>) you want to use the certificate with. The file path will differ. If you apply this to your base environment, any potentially flawed certificate will put the entire SSL mechanism for all your code at risk.
Example:
/Users/username/anaconda3/envs/environment_name/lib/python3.8/site-packages/certifi/cacert.pem
Take a simple text editor, open that file, and insert the missing certificate at the beginning right after the header, like so
##
## Bundle of CA Root Certificates
##
...
-----BEGIN CERTIFICATE-----
+I2tIJLYrVJmuzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGB
Afr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6J
---> This is the additional certificate.
+I2tIJLYrVJmuzHZ9bjPvXj1hJeRPG/cUJ9WIQDgLGB
Afr5yjK7tI4nhyfFK3TUqNaX3sNk+crOU6J
-----END CERTIFICATE-----
It is important to include the begin and end markers.
Save the file and you should be all set!
You can test that it works with the following few lines:
# Python 3
import urllib.request
import certifi
import requests
URL = 'https://www.the_url_that_caused_the_trouble.org'
print('Trying urllib.request.urlopen().')
r = urllib.request.urlopen(URL)
print(f'urllib.request.urlopen\n================\n {r.read()[:80]}')
print('Trying requests.get().')
r = requests.get(URL)
print(f'requests.get()\n================\n {r.text[:80]}')
Note: The general SSL certificates, e.g. for openssl, might be located elsewhere, so you may have to try the same approach there:
/Users/username/anaconda3/envs/environment_name/ssl
Voila!
Notes:
When you update certifi or create a new virtual environment, the changes will likely be lost, but I think that is actually good design, because it does not perpetuate a temporary security tweak to your entire system.
Naturally, the process of downloading the certificate is a potential security risk - if that download is compromised, your entire SSL chain might be, too.
The maintenance of certifi lags behind the Mozilla releases of certificates. If you want to use the most current version of the Mozilla CA bundles with certifi, you can use my script from https://github.com/mfhepp/update_certifi_certificates.
I still don't understand why it's working in one place but not another, but I did find a somewhat acceptable workaround that's much better than turning off certificate verification.
According to the requests library documentation, it will use certifi if it is installed on the system. So I installed certifi
sudo pip install certifi
and then modified the .pem file it uses. You can find the file location using certifi.where():
>>> import certifi
>>> certifi.where()
'/usr/local/lib/python2.7/site-packages/certifi/cacert.pem'
I added the intermediate key to that .pem file, and it works now. FYI, the .pem file expects certificates to show up like
-----BEGIN CERTIFICATE-----
<certificate here>
-----END CERTIFICATE-----
WARNING: This is not really a solution, only a workaround. Telling your system to trust a certificate can be dangerous from a security point of view. If you don't understand certificates then don't use this workaround unless your other option is to turn off certificate verification entirely.
Also, from the requests documentation:
For the sake of security we recommend upgrading certifi frequently!
I assume that when you upgrade certifi you'll have to redo any changes you made to the file. I haven't looked at it enough to see how to make a change that won't be overwritten when certifi gets updated.
If you are on *nix and your intermediate or self-signed certificate is installed in SSL (i.e. you can hit the URL successfully from CURL but not from Python), you can set the environment variable REQUESTS_CA_BUNDLE to where your ca-certificates are stored (ex. /etc/ssl/certs/ca-certificates.crt).
Credit here.
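Both answers that edit certifi's cacert.pem in site-packages note the same two drawbacks: the change is lost on the next certifi upgrade, and every program that reads that file now treats the added intermediate as a trust anchor, which is a wider grant than needed. The third answer's REQUESTS_CA_BUNDLE hint points at the less fragile version of the same idea: build a private bundle (certifi's file plus the downloaded intermediate) and point requests at it with verify= or the environment variable, leaving site-packages untouched. The script below is an added example, not code from the original answers nor from the requests or certifi projects. It splits PEM bundles into certificates, de-duplicates by the SHA-256 of the DER encoding so it can be re-run safely, writes the merged bundle, and offers a check that OpenSSL accepts the result. The "certificates" in its self-test are constructed placeholder bytes, not real X.509 data, so they exercise only the bundle bookkeeping; the file names and the session_with_bundle helper are this example's own.

```python
import base64
import hashlib
import os
import re
import ssl
import tempfile

# Matches one PEM certificate block; the lazy group captures the base64 body.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem(text: str) -> list:
    """Return the DER bytes of every CERTIFICATE block found in a PEM bundle."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_CERT.finditer(text)]


def der_to_pem(der: bytes) -> str:
    """Re-encode DER as a PEM block with the 64-column lines OpenSSL expects."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def build_bundle(base_path: str, extra_paths: list, out_path: str) -> dict:
    """Write base bundle + every certificate from extra_paths not already in it.

    Certificates are de-duplicated by the SHA-256 of their DER encoding, so
    re-running with the same inputs adds nothing (idempotent).
    """
    with open(base_path, encoding="utf-8") as f:
        base = split_pem(f.read())
    seen = {hashlib.sha256(d).digest() for d in base}
    added = []
    for path in extra_paths:
        with open(path, encoding="utf-8") as f:
            for der in split_pem(f.read()):
                digest = hashlib.sha256(der).digest()
                if digest not in seen:
                    seen.add(digest)
                    added.append(der)
    with open(out_path, "w", encoding="utf-8") as f:
        f.write("## Private CA bundle: base bundle plus pinned intermediates\n")
        for der in base + added:
            f.write(der_to_pem(der))
    return {"base": len(base), "added": len(added), "total": len(base) + len(added)}


def bundle_loads(path: str) -> bool:
    """Check that OpenSSL accepts the file as a CA bundle (real certificates only)."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_verify_locations(cafile=path)
        return True
    except ssl.SSLError:
        return False


def session_with_bundle(bundle_path: str):
    """A requests Session pinned to the private bundle instead of certifi's file.
    Equivalent to exporting REQUESTS_CA_BUNDLE=bundle_path before starting Python."""
    import requests  # third-party; the library the question is about
    s = requests.Session()
    s.verify = bundle_path
    return s


def demo_with_constructed_certs() -> dict:
    """Self-test on constructed placeholder 'certificates' (arbitrary bytes,
    not real X.509), exercising only the bundle bookkeeping."""
    fake = [b"\x30\x05\x02\x01" + bytes([i]) for i in (1, 2, 3)]
    tmp = tempfile.mkdtemp()
    base = os.path.join(tmp, "cacert.pem")
    extra = os.path.join(tmp, "intermediate.pem")
    out1, out2 = os.path.join(tmp, "bundle1.pem"), os.path.join(tmp, "bundle2.pem")
    with open(base, "w", encoding="utf-8") as f:
        f.write("##\n## Bundle of CA Root Certificates (constructed)\n##\n")
        f.write(der_to_pem(fake[0]) + der_to_pem(fake[1]))
    with open(extra, "w", encoding="utf-8") as f:  # the "missing intermediate" plus a duplicate
        f.write(der_to_pem(fake[2]) + der_to_pem(fake[1]))
    first = build_bundle(base, [extra], out1)
    second = build_bundle(out1, [extra], out2)  # idempotent: nothing new to add
    with open(out2, encoding="utf-8") as f:
        reparsed = len(split_pem(f.read()))
    return {"first": first, "second": second, "reparsed": reparsed}


if __name__ == "__main__":
    print(demo_with_constructed_certs())
    try:
        import certifi
        out = os.path.join(tempfile.gettempdir(), "private-cacert.pem")
        print(build_bundle(certifi.where(), [], out), "loads:", bundle_loads(out))
    except ImportError:
        pass
```

In real use the extra file is the intermediate downloaded from the CA's site, and the script is re-run after each certifi upgrade (or from the deploy job) so the private bundle tracks the Mozilla list without any hand edits to site-packages. Keep the bundle to the one process that needs it; the better fix is still for the server operator to send the complete chain.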
Because I need a Python-enabled gdb, I installed another version via
brew tap homebrew/dupes
brew install gdb
I want to use this gdb with Eclipse CDT, where I entered the path to the binary in the Debugging settings. However, launching a program for debugging fails with the following message:
Error in final launch sequence
Failed to execute MI command:
-exec-run
Error message from debugger back end:
Unable to find Mach task port for process-id 39847: (os/kern) failure (0x5).\n (please check gdb is codesigned - see taskgated(8))
What does "codesigned" mean in this context? How can I get this gdb running?
I.1 Codesigning the Debugger
The Darwin Kernel requires the debugger to have special permissions
before it is allowed to control other processes. These permissions are
granted by codesigning the GDB executable. Without these permissions,
the debugger will report error messages such as:
Starting program: /x/y/foo
Unable to find Mach task port for process-id 28885: (os/kern) failure (0x5).
(please check gdb is codesigned - see taskgated(8))
Codesigning requires a certificate. The following procedure explains how to create one:
Start the Keychain Access application (in /Applications/Utilities/Keychain Access.app)
Select the Keychain
Access -> Certificate Assistant -> Create a Certificate... menu
Then:
Choose a name for the new certificate (this procedure will use
"gdb-cert" as an example)
Set "Identity Type" to "Self Signed Root"
Set "Certificate Type" to "Code Signing"
Activate the "Let me override defaults" option
Click several times on "Continue" until the "Specify
a Location For The Certificate" screen appears, then set "Keychain" to "System"
Click on "Continue" until the certificate is created
Finally, in the view, double-click on the new certificate, and set "When using
this certificate" to "Always Trust"
Exit the Keychain Access application and restart the computer (this is unfortunately required)
Once a certificate has been created, the debugger can be codesigned as
follow. In a Terminal, run the following command...
codesign -f -s "gdb-cert" <gnat_install_prefix>/bin/gdb
... where "gdb-cert" should be replaced by the actual certificate name chosen above, and <gnat_install_prefix> should be replaced by the location where you installed GNAT.
source: https://gcc.gnu.org/onlinedocs/gcc-4.8.1/gnat_ugn_unw/Codesigning-the-Debugger.html
UPDATE: High-Sierra (Certificate Assistant - Unknown Error)
https://apple.stackexchange.com/questions/309017/unknown-error-2-147-414-007-on-creating-certificate-with-certificate-assist
Check the trust of the cert; it must be trusted for code signing (on Yosemite that is the third last entry in the trust section of the cert view in Keychain Access).
At first the cert was not known to the keychain for codesigning, because the extension purpose "Code Signing" was missing; you can find this if you look into the keychain and double-click on the certificate:
I fixed that:
Then I added the certificate to the trusted signing certificates, after I had drag&dropped the certificate from the keychain to my desktop, which created the ~/Desktop/gdb-cert.cer:
$ sudo security add-trusted-cert -d -r trustRoot -p codeSign -k /Library/Keychains/System.keychain ~/Desktop/gdb-cert.cer
This was a bit tricky because I was misled by some internet posts and did not look at the man page. Some said you should use add-trust (https://llvm.org/svn/llvm-project/lldb/trunk/docs/code-signing.txt). The terrible bit was that the command succeeded, but did not do what it "should" (well, it was the wrong command, but it should have told me it was wrong).
After that I found the new cert in the trusted certs like so:
$ security find-identity -p codesigning
Policy: Code Signing
Matching identities
1) E7419032D4..... "Mac Developer: FirstName LastName (K2Q869SWUE)" (CSSMERR_TP_CERT_EXPIRED)
2) ACD43B6... "gdb-cert"
2 identities found
Valid identities only
1) ACD43... "gdb-cert"
1 valid identities found
In my case the apple cert is expired, but the one I was using to sign gdb was not (well, I just created it myself). Also be aware that the policy is named differently for the "security add-trusted-cert"(-p codeSign) and the "security find-identity" command (-p codesigning). I then went on to sign gdb and I also always got:
$ codesign --sign gdb-cert.cer --keychain ~/Library/Keychains/login.keychain `which gdb`
gdb-cert.cer: no identity found
because I was under the impression that I had to give the file name of the cert file to the --sign option, but that in fact was the CN of the certificate that I should have provided and should be in the trust store. You can find the CN here when double clicking on the cert in the keychain:
or in the above output of "security find-identity -p codesigning". Then I went on to sign and I had to give it the right keychain:
codesign -s gdb-cert --keychain /Library/Keychains/System.keychain `which gdb`
I had to enter the root password to allow access to the keychain.
That then gave me a working gdb and it should give you a signed application.
It would seem you need to sign the executable. See these links for more information. You should be able to get away with self signing if you don't plan on redistributing that version of gdb.
https://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html
https://developer.apple.com/library/mac/#documentation/Darwin/Reference/Manpages/man1/codesign.1.html
Alternatively, you could disable code signing on your system, although this presents a security risk. To do so try running sudo spctl --master-disable in the Terminal.
I made gdb work on OSX 10.9 without codesigning this way (described here):
Install gdb with MacPorts (maybe you can skip it).
sudo nano /System/Library/LaunchDaemons/com.apple.taskgated.plist
change option string from -s to -sp at line 22, col 27.
reboot the computer.
Use gdb
If using gdb isn't a hard requirement you can also use lldb as an alternative. It is already on your system and doesn't need to be code signed:
$ lldb stddev_bugged
(lldb) target create "stddev_bugged"
Current executable set to 'stddev_bugged' (x86_64).
(lldb) b mean_and_var
Breakpoint 1: where = stddev_bugged`mean_and_var + 17 at stddev_bugged.c:17, address = 0x0000000100000b11
(lldb) r
Process 1621 launched: '/Users/richardschneeman/Documents/projects/21stCentury/02/example-00/stddev_bugged' (x86_64)
Process 1621 stopped
* thread #1: tid = 0xc777, 0x0000000100000b11 stddev_bugged`mean_and_var(data=0x00007fff5fbff590) + 17 at stddev_bugged.c:17, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x0000000100000b11 stddev_bugged`mean_and_var(data=0x00007fff5fbff590) + 17 at stddev_bugged.c:17
14 typedef struct meanvar {double mean, var;} meanvar;
15
16 meanvar mean_and_var(const double *data){
-> 17 long double avg = 0,
18 avg2 = 0;
19 long double ratio;
20 size_t count= 0;
(lldb)
Here's a table converting gdb to lldb commands http://lldb.llvm.org/lldb-gdb.html
I ended up having to follow these directions instead of the directions suggested by others.
I'm still not sure if it was the act of killall taskgated or the process of enabling root user that made the difference.
Some have said rebooting is necessary. I find that with the above instructions, that may not be the case.
I did also make the change recommended by @klm123, so this may also have contributed.
Note that I use homebrew, not macports.
This is an older question but none of the solutions seemed to work for me (I was using Mojave). Converting to lldb isn't the solution to the question; it's just a workaround.
After trying several solutions, the one I found to work was located here: https://gist.github.com/gravitylow/fb595186ce6068537a6e9da6d8b5b96d#gistcomment-2891198
Which references this site: https://sourceware.org/gdb/wiki/PermissionsDarwin#Sign_and_entitle_the_gdb_binary
The solution involves a slightly modified version of the code signing. Essentially, the main difference is when signing the certificate, an entitlements XML file must be passed when codesigning. Below I copy/pasted the contents of the sourceware website for all of the steps from beginning to end.
1.1. Create a certificate in the System Keychain
Start Keychain Access application (/Applications/Utilities/Keychain
Access.app)
Open the menu item /Keychain Access/Certificate Assistant/Create a
Certificate...
Choose a name (gdb-cert in the example), set Identity Type to Self
Signed Root, set Certificate Type to Code Signing and select the Let
me override defaults. Click several times on Continue until you get to
the Specify a Location For The Certificate screen, then set Keychain
to System.
💡 If you cannot store the certificate in the System keychain: create
it in the login keychain instead, then export it. You can then import
it into the System keychain.
Finally, quit the Keychain Access application to refresh the
certificate store.
Control: in the terminal type
security find-certificate -c gdb-cert
This should display some details about your newly minted certificate,
e.g.
keychain: "/Library/Keychains/System.keychain"
version: 256
class: 0x80001000
attributes:
    "alis"="gdb-cert" [...]
Make sure that keychain: is the System keychain, as shown.
Also, make sure that your certificate is not expired yet:
security find-certificate -p -c gdb-cert | openssl x509 -checkend 0
💡If you want to inspect the entire X509 data structure, you can type
security find-certificate -p -c gdb-cert |openssl x509 -noout -text
1.2. Trust the certificate for code signing
Start Keychain Access again. Using the contextual menu for the
certificate, select Get Info, open the Trust item, and set Code
Signing to Always Trust.
Finally, quit the Keychain Access application once more to refresh the
certificate store.
Control: in the terminal type
security dump-trust-settings -d
This should show the gdb-cert certificate (perhaps among others) and
its trust settings, including Code Signing.
1.3. Sign and entitle the gdb binary
(Mac OS X 10.14 and later) Create a gdb-entitlement.xml file containing the following:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.debugger</key>
<true/>
</dict>
</plist>
If the certificate you generated in the previous section is known as gdb-cert, use:
codesign --entitlements gdb-entitlement.xml -fs gdb-cert $(which gdb)
or before Mojave (10.14), just
codesign -fs gdb-cert $(which gdb)
💡 You may have to prepend this command with sudo if the gdb binary is
located in a place that is not writable by regular users.
If you plan to build gdb frequently, this step can be automated by
passing --enable-codesign=gdb-cert (assuming, again, that gdb-cert is
the name of the certificate) to configure.
Control: in the terminal type
codesign -vv $(which gdb)
And for 10.14 (Mojave) onwards, also check the entitlements:
codesign -d --entitlements - $(which gdb)
1.4. Refresh the system's certificates and code-signing data
The most reliable way is to reboot your system.
A less invasive way is to restart the taskgated service by killing the currently running taskgated process (at any time in the process, but no later than before trying to run gdb again):
sudo killall taskgated
However, sometimes the taskgated service will not restart successfully
after killing it, so ensure that it is alive after this step by
checking e.g. ps $(pgrep -f taskgated). Or just reboot your system, as
mentioned above.
It's a very old topic, but I am adding a response, because out of many available instructions, only one contained just the right steps to make a self-signed debugger work.
You have to create a self-signed root certificate and then sign the gdb executable with it, but many people complained that it did not work for them. Neither did it for me until I stumbled upon this link.
The key point missing in other manuals is that you have to restart your computer for the changes to take effect. Once I did that, everything worked as intended.
I hope, this will help others.
I followed the instructions with codesigning, but gdb would still give me the same error. It turned out that it did work when gdb is run as root (sudo gdb). I'm using macOS Sierra.
I know this is not a direct answer to the question, but I wish someone had mentioned it before I went to the effort of getting gdb to work.
You can build and debug C++ code with Apple's free IDE called Xcode. (Xcode is similar to "Visual Studio" or "Android Studio".). I was already an Xcode user, but I had no idea that it worked with c++ -- because the option is fairly well hidden. This youtube video walks you through it:
https://www.youtube.com/watch?v=-H_EyIqBNDA