How to get a "codesigned" gdb on OSX? - c++
Because I need a Python-enabled gdb, I installed another version via
brew tap homebrew/dupes
brew install gdb
I want to use this gdb with Eclipse CDT, where I entered the path to the binary in the Debugging settings. However, launching a program for debugging fails with the following message:
Error in final launch sequence
Failed to execute MI command:
-exec-run
Error message from debugger back end:
Unable to find Mach task port for process-id 39847: (os/kern) failure (0x5).\n (please check gdb is codesigned - see taskgated(8))
Unable to find Mach task port for process-id 39847: (os/kern) failure (0x5).\n (please check gdb is codesigned - see taskgated(8))
What does "codesigned" mean in this context? How can I get this gdbrunning?
I.1 Codesigning the Debugger
The Darwin Kernel requires the debugger to have special permissions
before it is allowed to control other processes. These permissions are
granted by codesigning the GDB executable. Without these permissions,
the debugger will report error messages such as:
Starting program: /x/y/foo
Unable to find Mach task port for process-id 28885: (os/kern) failure (0x5).
(please check gdb is codesigned - see taskgated(8))
Codesigning requires a certificate. The following procedure explains how to create one:
Start the Keychain Access application (in /Applications/Utilities/Keychain Access.app)
Select the Keychain
Access -> Certificate Assistant -> Create a Certificate... menu
Then:
Choose a name for the new certificate (this procedure will use
"gdb-cert" as an example)
Set "Identity Type" to "Self Signed Root"
Set "Certificate Type" to "Code Signing"
Activate the "Let me override defaults" option
Click several times on "Continue" until the "Specify
a Location For The Certificate" screen appears, then set "Keychain" to "System"
Click on "Continue" until the certificate is created
Finally, in the view, double-click on the new certificate, and set "When using
this certificate" to "Always Trust"
Exit the Keychain Access application and restart the computer (this is unfortunately required)
Once a certificate has been created, the debugger can be codesigned as
follow. In a Terminal, run the following command...
codesign -f -s "gdb-cert" <gnat_install_prefix>/bin/gdb
... where "gdb-cert" should be replaced by the actual certificate name
chosen above, and should be replaced by the
location where you installed GNAT.
source: https://gcc.gnu.org/onlinedocs/gcc-4.8.1/gnat_ugn_unw/Codesigning-the-Debugger.html
UPDATE: High-Sierra (Certificate Assistant - Unknown Error)
https://apple.stackexchange.com/questions/309017/unknown-error-2-147-414-007-on-creating-certificate-with-certificate-assist
Check the trust of the cert, it must be trusted for code signing (on yosemite that is the third last in the trust section of the cert view in the keychain access).
At first the cert was not known for codesigning to the keychain, because there was the Extension purpose "Code Signing" missing, you can find this if you look into the keychain and double click on the certificate:
I fixed that:
Then I added the certificate to the trusted signing certificates, after I had drag&dropped the certificate from the keychain to my desktop, which created the ~/Desktop/gdb-cert.cer:
$ sudo security add-trusted-cert -d -r trustRoot -p codeSign -k /Library/Keychains/System.keychain ~/Desktop/gdb-cert.cer
This was a bit tricky because I was mislead by some internet posts and did not look at the man page. Some said you should use add-trust (https://llvm.org/svn/llvm-project/lldb/trunk/docs/code-signing.txt). The terrible bit was that the command succeeded, but did not do what it "should" (well, it was the wrong command, but it should have told me it was wrong).
After that I found the new cert in the trusted certs like so:
$ security find-identity -p codesigning
Policy: Code Signing
Matching identities
1) E7419032D4..... "Mac Developer: FirstName LastName (K2Q869SWUE)" (CSSMERR_TP_CERT_EXPIRED)
2) ACD43B6... "gdb-cert"
2 identities found
Valid identities only
1) ACD43... "gdb-cert"
1 valid identities found
In my case the apple cert is expired, but the one I was using to sign gdb was not (well, I just created it myself). Also be aware that the policy is named differently for the "security add-trusted-cert"(-p codeSign) and the "security find-identity" command (-p codesigning). I then went on to sign gdb and I also always got:
$ codesign --sign gdb-cert.cer --keychain ~/Library/Keychains/login.keychain `which gdb`
gdb-cert.cer: no identity found
because I was under the impression that I had to give the file name of the cert file to the --sign option, but that in fact was the CN of the certificate that I should have provided and should be in the trust store. You can find the CN here when double clicking on the cert in the keychain:
or in the above output of "security find-identity -p codesigning". Then I went on to sign and I had to give it the right keychain:
codesign -s gdb-cert --keychain /Library/Keychains/System.keychain `which gdb`
I had to enter the root password to allow access to the keychain.
That then gave me a working gdb and it should give you a signed application.
It would seem you need to sign the executable. See these links for more information. You should be able to get away with self signing if you don't plan on redistributing that version of gdb.
https://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html
https://developer.apple.com/library/mac/#documentation/Darwin/Reference/Manpages/man1/codesign.1.html
Alternatively, you could disable code signing on your system, although this presents a security risk. To do so try running sudo spctl --master-disable in the Terminal.
I made gdb work on OSX 10.9 without codesigning this way (described here):
Install gdb with macports. (may be you can skip it)
sudo nano /System/Library/LaunchDaemons/com.apple.taskgated.plist
change option string from -s to -sp at line 22, col 27.
reboot the computer.
Use gdb
If using gdb isn't a hard requirement you can also use lldb as an alternative. It is already on your system and doesn't need to be code signed:
$ lldb stddev_bugged
(lldb) target create "stddev_bugged"
Current executable set to 'stddev_bugged' (x86_64).
(lldb) b mean_and_var
Breakpoint 1: where = stddev_bugged`mean_and_var + 17 at stddev_bugged.c:17, address = 0x0000000100000b11
(lldb) r
Process 1621 launched: '/Users/richardschneeman/Documents/projects/21stCentury/02/example-00/stddev_bugged' (x86_64)
Process 1621 stopped
* thread #1: tid = 0xc777, 0x0000000100000b11 stddev_bugged`mean_and_var(data=0x00007fff5fbff590) + 17 at stddev_bugged.c:17, queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
frame #0: 0x0000000100000b11 stddev_bugged`mean_and_var(data=0x00007fff5fbff590) + 17 at stddev_bugged.c:17
14 typedef struct meanvar {double mean, var;} meanvar;
15
16 meanvar mean_and_var(const double *data){
-> 17 long double avg = 0,
18 avg2 = 0;
19 long double ratio;
20 size_t count= 0;
(lldb)
Here's a table converting gdb to lldb commands http://lldb.llvm.org/lldb-gdb.html
I ended up having to follow these directions instead of the directions suggested by others.
I'm still not sure if it was the act of killall taskgated or the process of enabling root user that made the difference.
Some have said rebooting is necessary. I find that with the above instructions, that may not be the case.
I did also make the change recommended by #klm123, so this may also have contributed.
Note that I use homebrew, not macports.
This is an older question but none of the solutions seemed to work for me (I was using Mojave). Converting to lldb isn't the solution to the question - its just a work around.
After trying several solutions, the one I found to work was located here: https://gist.github.com/gravitylow/fb595186ce6068537a6e9da6d8b5b96d#gistcomment-2891198
Which references this site: https://sourceware.org/gdb/wiki/PermissionsDarwin#Sign_and_entitle_the_gdb_binary
The solution involves a slightly modified version of the code signing. Essentially, the main difference is when signing the certificate, an entitlements XML file must be passed when codesigning. Below I copy/pasted the contents of the sourceware website for all of the steps from beginning to end.
1.1. Create a certificate in the System Keychain
Start Keychain Access application (/Applications/Utilities/Keychain
Access.app)
Open the menu item /Keychain Access/Certificate Assistant/Create a
Certificate...
Choose a name (gdb-cert in the example), set Identity Type to Self
Signed Root, set Certificate Type to Code Signing and select the Let
me override defaults. Click several times on Continue until you get to
the Specify a Location For The Certificate screen, then set Keychain
to System.
đź’ˇ If you cannot store the certificate in the System keychain: create
it in the login keychain instead, then export it. You can then import
it into the System keychain.
Finally, quit the Keychain Access application to refresh the
certificate store.
Control: in the terminal type
security find-certificate -c gdb-cert
This should display some details about your newly minted certificate,
e.g.
keychain: "/Library/Keychains/System.keychain" version: 256 class:
0x80001000 attributes:
"alis"="gdb-cert" [...]
Make sure that keychain: is the System keychain, as shown.
Also, make sure that your certificate is not expired yet:
security find-certificate -p -c gdb-cert | openssl x509 -checkend 0
đź’ˇIf you want to inspect the entire X509 data structure, you can type
security find-certificate -p -c gdb-cert |openssl x509 -noout -text
1.2. Trust the certificate for code signing
Start Keychain Access again. Using the contextual menu for the
certificate, select Get Info, open the Trust item, and set Code
Signing to Always Trust.
Finally, quit the Keychain Access application once more to refresh the
certificate store.
Control: in the terminal type
security dump-trust-settings -d
This should show the gdb-cert certificate (perhaps among others) and
its trust settings, including Code Signing.
1.3. Sign and entitle the gdb binary
(Mac OS X 10.14 and later) Create a gdb-entitlement.xml file containing the following:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.debugger</key>
<true/>
</dict>
</plist>
If the certificate you generated in the previous section is known as gdb-cert, use:
codesign --entitlements gdb-entitlement.xml -fs gdb-cert $(which gdb)
or before Mojave (10.14), just
codesign -fs gdb-cert $(which gdb)
đź’ˇ You may have to prepend this command with sudo if the gdb binary is
located in a place that is not writable by regular users.
If you plan to build gdb frequently, this step can be automated by
passing --enable-codesign=gdb-cert (assuming, again, that gdb-cert is
the name of the certificate) to configure.
Control: in the terminal type
codesign -vv $(which gdb)
And for 10.14 (Mojave) onwards, also check the entitlements:
codesign -d --entitlements - $(which gdb)
1.4. Refresh the system's certificates and code-signing data
The most reliable way is to reboot your system.
A less invasive way is to and restart taskgated service by killing the
current running taskgated process (at any time in the process, but no
later than before trying to run gdb again):
sudo killall taskgated
However, sometimes the taskgated service will not restart successfully
after killing it, so ensure that it is alive after this step by
checking e.g. ps $(pgrep -f taskgated). Or just reboot your system, as
mentioned above.
It's a very old topic, but I am adding a response, because out of many available instructions, only one contained just the right steps to make a self-signed debugger work.
You have to create a self-signed root certificate and then sign the gdb executable with it, but many people complained that it did not work for them. Neither did it for me until I stumbled upon this link.
The key point missing in other manuals is that you have to restart your computer for the changes to take effect. Once I did that, everything worked as intended.
I hope, this will help others.
I followed the instructions with codesigning, but gdb would still give me the same error. It turned out that it did work when gdb is run as root (sudo gdb). I'm using Sierra osx.
I know this is not a direct answer to the question, but I wish someone had mentioned it before I went to the effort of getting gdb to work.
You can build and debug C++ code with Apple's free IDE called Xcode. (Xcode is similar to "Visual Studio" or "Android Studio".). I was already an Xcode user, but I had no idea that it worked with c++ -- because the option is fairly well hidden. This youtube video walks you through it:
https://www.youtube.com/watch?v=-H_EyIqBNDA
Related
Permission Denied / Operation not permitted
I was having a issue while experimenting with my samsung android 6.0 Device. I have downloaded Termux( Linux terminal for android which has all linux terminal functionality ). And i have converted my phone into a ssh server using SSH Client app from playstore. So the main problem is that when i try to generate a ssh key pair using command ssh-keygen it works but it stores the ssh key into data/data/com.termux/files/home/.shh but i want it in sdcard/key/ ( I have created a directory name key ). But when i try to generate a key pair in sdcard/key it show permission denied. When i try to copy or move from data/data/com.termux/files/home/.shh/ using cp data/data/com.termux/files/home/.ssh/key_pair sdcard/key it show me permission denied so i tried to create another folder in sdcard/ and gave it permissions for read-write-execute using chmod 777 dir_name it shows me operation not permitted. So i done a bit research on this topic on google, i found that i have to root my device then i tried to root my device using KingoRoot, iRoot, adb but it showed that Your device is too strong to bee rooted in fact i gave those app all permission and there is no antivirus or in built security disabled on my device. Then i thought to directly place it in sdcard/key but then i got to know that i cannot move anything from data/data/com.termux/files/home/.shh. And when i tried to move files via ssh server or upload files on my ssh server via ssh admin#192.168.1.5 -p 2222 using scp command it showed me file not found but the file is in the correct directory and correct path. And please answer the following questions that i have regarding the issues above that 1> How to move files from localhost to ssh server 2> how to root device if it is too strong to be rooted(any method) Thanks !
Unable to sudo to Deep Learning Image
I installed the latest Google Cloud Deep Learning VM Image today, after VM was launched, I was able to do sudo -i successfully via SSH web. Once I login, I start my Tensorflow model training running in background (Using &). Few hours later I'm unable to login as root. I get the following message: We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for my_username: I tried: sudo -i su sudo -i su root I was able to replicate the issue. Any suggestions?
This issue was caused due to an internal Google side and removes the user from “Google-sudoers” group. For all affected instances, I suggest following the below workaround until the permanent fix has been rolled out. Use a different username: If using browser SSH window, click on the settings icon (top right), and click change Linux name in the drop down. Using the SDK $ gcloud compute ssh newusername#instance Enable OS Login on the instance (set "enable-oslogin=True" in metadata) and per this article You can track the permanent fix by following the Public Issue tracker.
The original answer: Maybe the solution will be to add a SSH Key for Google Cloud Console and log in with another SSH client. Additional answer: I do not know why, but sometime the user suddenly stopped being a member of the google-sudoers group... Then it's enough add your user to this group by some other user with administrator privileges to this group: # usermod -G google-sudoers your_user_name of course, if there is such a user...
CentOS7 ccollab with perforce CL update issue
I cant get codecollaborator to upload files to for code review. I suspect I am missing some config. I have been scouring perforce and smartbear and stackover flow pages for a couple hours now no luck CENTOS7 p4 (cant seem to find the version) Collaborator Enterprise v11.2.11200 My p4 works totally fine have been using for months now to create CLs and submit. But now i need to upload files for code reviews. command i ran to setup ccollab: wget https://s3.amazonaws.com/downloads.smartbear/collaborator/11.2.11200/ccollab_client_11_2_11200_unix.sh chmod +x ccollab_client_11_2_11200_unix.sh ./ccollab_client_11_2_11200_unix.sh (went through install accepting entering as prompted) ccollab login https://<codecollaborator_server> <username> the above logs in fine no errors ccollab --no-browser --scm perforce --server-proxy-host https://codecollaborator_server --p4user <username> --p4charset utf8 --p4client local_workspace_name --p4 /bin/p4 set the try to upload a file ccollab --debug addchangelist new 123456789 and get the following output: Connecting to server at https:// Connected to Collaborator Enterprise v11.2.11200 Connected as: Attaching changelists to review Auto-detecting SCM System for '/my/workspace/path' Checking client configuration for '/my/workspace/path'. ERROR: Could not configure SCM system: SCM system could not be auto-detected, but there was an error: Cannot run program "accurev" (in directory "/my/workspace/path"): error=2, No such file or directory I tried to find what the "accurev" package is or how to use it but no joy.
Accurev is a different source control system. Sounds like Code Collab doesn't know that it's supposed to be using Perforce?
Mac C++/Mars eclipse gdb debug hangs at Launching Test 96%
When I try to debug a simple c++ program in Eclipse Mars (4.5.2) on Mac El Capitan (10.11.5), it hangs on "Launching Test (96%)". I have gdb installed with homebrew. When I type "which gdb" in terminal it says, "/usr/local/bin/gdb". Here are screenshots of the problem and of my GDB settings: http://imgur.com/a/JrMjN This is the same problem as Mac C++/Mars eclipse gdb debug launching stuck at 96% but it was never solved there.
You have to sign gdb to be trusted to control the execution of another process. This is part of the security structures that are present in ElCapitan (have been like this since Mavericks). You can do this by following the instructions below (extract from the blog post http://ntraft.com/installing-gdb-on-os-x-mavericks/ which contains more information on the topic). Certifying GDB Open up the Keychain Access application (/Applications/Utilities/Keychain Access.app). Navigate via the menu to Keychain Access > Certificate Assistant > Create Certificate... Enter a name for the certificate. For this how-to, I'll call it "gdb-cert". Set the fields exactly as shown below. The maximum validity period is 999 days. I don't really want to deal with this again, so I'm going to max it out. /* Addendum: this means that you will have to do this again in 999 days, i.e. 2.7 years. You might want to bookmark this page. */ Keep clicking the "Continue" button until you are asked for a location. Set it to "System". If you are unable to save it to the System keychain, then save it to the login keychain. You can later export the cert, and then import it into the System keychain. I didn't have to do this, so comment if you have any problem. Success! Now make sure the cert is always trusted. Right-click the new certificate and select Get Info. Under the Trust section, set Code Signing to Always Trust. Now that we have a certificate, we need to use it to sign GDB. First, we'll restart the taskgated process to make sure it picks up the new certificate. Quit Keychain Access (you must quit Keychain Access!) and return to the Terminal for these final commands. Find the taskgated process. $ ps -e | grep taskgated 56822 ?? 0:03.11 /usr/libexec/taskgated -s 60944 ttys002 0:00.00 grep --color=auto taskgated The first number in the above output is the PID. Use this to kill the process (it will immediately restart itself). $ sudo kill -9 56822 Now you can finally code sign GDB. # If installed through MacPorts $ codesign -s gdb-cert $(which gdb-apple) # If installed through Homebrew $ codesign -s gdb-cert $(which gdb) # For the settings posted by OP $ codesign -s gdb-cert /usr/local/Cellar/gdb/7.11/bin/gdb Now you should be all set! The OS X Keychain may ask for your password the first time you attempt to debug a program, but it should work! /* Addendum: for me to be able to have full functionality I had to reboot the machine. */
Why could VirtualBox not find a registered machine named Windows_7?
I'm trying to change TCP/UDP of a virtual machine using VBoxManage setextradata. Whenever I type the command: sudo VBoxManage setextradata Windows_7 "VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestEmule_TCP/Protocol" TCP I get the following error: VirtualBox Command Line Management Interface Version 2.1.4 (C) 2005-2009 Sun Microsystems, Inc. All rights reserved. [!] FAILED calling a->virtualBox->FindMachine(Bstr(a->argv[0]), machine.asOutParam()) at line 3688! [!] Primary RC = VBOX_E_OBJECT_NOT_FOUND (0x80BB0001) - Object corresponding to the supplied arguments does not exist [!] Full error info present: true , basic error info present: true [!] Result Code = VBOX_E_OBJECT_NOT_FOUND (0x80BB0001) - Object corresponding to the supplied arguments does not exist [!] Text = Could not find a registered machine named 'Windows_7' [!] Component = VirtualBox, Interface: IVirtualBox, {339abca2-f47a-4302-87f5-7bc324e6bbde} [!] Callee = IVirtualBox, {339abca2-f47a-4302-87f5-7bc324e6bbde} The virtual-machine has been created using GUI. Any idea? $ cd /Users/marco/Library/VirtualBox/Machines/Windows_7 $ ls Logs Windows_7.xml Windows 7.xml.1.5-macosx.bak $ sudo vboxmanage registervm Windows_7.xml VirtualBox Command Line Management Interface Version 2.1.4 (C) 2005-2009 Sun Microsystems, Inc. All rights reserved. [!] FAILED calling a->virtualBox->OpenMachine(Bstr(a->argv[0]), machine.asOutParam()) at line 762! [!] Primary RC = NS_ERROR_FAILURE (0x80004005) - Operation failed [!] Full error info present: true , basic error info present: true [!] Result Code = NS_ERROR_FAILURE (0x80004005) - Operation failed [!] Text = Could not lock the settings file '/var/root/Library/VirtualBox/Windows_7.xml' (VERR_FILE_NOT_FOUND) [!] Component = Machine, Interface: IMachine, {ea6fb7ea-1993-4642-b113-f29eb39e0df0} [!] Callee = IVirtualBox, {339abca2-f47a-4302-87f5-7bc324e6bbde}
It fails because you are using sudo. VirtualBox is designed to be run by any user (in the vboxusers group), and sudo runs the command as the root user whose VirtualBox configuration is empty. You can check that by typing: sudo VBoxManage -nologo list vms # Should print only a newline VBoxManage -nologo list vms # Detailled information about all your VMs
!! WINDOWS ONLY!! If you are not on an admin account and are trying to modify your VM in a administrator cmd window, type these commands: cd "C:\Program Files\Oracle\VirtualBox" VboxManage registervm "C:\Users\Your Name Here\VirtualBox VMs\Your VM name here\Your VM name here.vbox" Now run your virtual box modify commands or what ever else you are doing and it should work!
Not a direct answer, but just to put it out there for other people searching for it: On Mac OS X, you can tell VirtualBox to load VMs from another user's home directory, provided the file permissions allow it, or if you are running VirtualBox as the root user using sudo (e.g. if you absolutely have to access your host's web server on port 80). The way to do this is to set VBOX_USER_HOME appropriately, e.g. VBOX_USER_HOME=/Users/the_other_user/Library/VirtualBox If you want to run VBoxHeadless under root, use: sudo VBOX_USER_HOME=/Users/your_user_id/Library/VirtualBox nohup \ VBoxHeadless -s "IE10 - Win7" </dev/null &>/dev/null &
I had a similar error message, whenever I used sudo to start VBoxSDL: Error: machine with the given name not found! Check if this VM has been corrupted and is now inaccessible. And similar to ypocat's answer, I solved it for Ubuntu using a small script like this: #!/bin/bash export VBOX_USER_HOME=/home/username/.config/VirtualBox VBoxSDL --startvm nameOfVM You can use it whenever you need to start your VM as root.
SOLUTION_1: Missing Virtual Technology might be the reason. For Intel systems they have Intel VT-x (for AMD they have AMD-V), so make sure it is enabled. You can enable it in the boot screen go to BIOS Setup in that look for System Configuration tab and enable Virtual Technology . SOLUTION_2: Open terminal or cmd (Run as admin) for Windows, and run SC START VBOXDRV. If it says the service is already running then try SC STOP VBOXDRV and then SC START VBOXDRV.
RealScar solution helped me in addition to other commands and it worked in Ubuntu 20.04, too. I had the problem initially indicated (VirtualBox unable to find a registered machine). I was getting no results after typing sudo VBoxManage -nologo list vms, so I manually registered the existing machine typing sudo vboxmanage registervm /home/user/VirtualBox\ VMs/machinenamefolder/machinename.vbox. It worked great. Note: I was creating a Cuckoo Malware Sandbox Analysis.
REASON: In the above case its uuid-mismatch (w.r.t. what is pointed to what is generated). Typically case of either improper edit of the vbox config files or accidentally deleted images/configs associated. SOLUTION: As FIRST Step: Correct the UUID-Mappings; So, for example, the uuids can be regenerated to correct the mappings. (1) Or otherwise, if attempted to edit .vbox/.vmdk/VirtualBox.xml files, the mappings should be corrected. (2) As SECOND Step: Re-register the virtual-machine to the UI. For example, if can't open the vm's from vbox gui or terminal. Remove the "inaccessible" entry from the GUI first". And then, open the folder of virtual machine and open file <machine name>.vbox with virtualbox and it will get registered. Provided, the uuid-mappings have been already resolved. Else follow the errors, while you attempt to register to make necessary changes in .vbox file.