EnablingGDB

Simon Wright edited this page May 14, 2024 · 2 revisions

GDB doesn't work (yet?) on computers with Apple silicon, even for programs built for Intel silicon (x86_64) running under Rosetta.

Apple's software development policies require tools like debuggers to be treated carefully. You can see why a tool which is capable of interacting with running programs would have to be treated with caution.

From the security point of view, gdb has to be signed before macOS will let it attach to other processes. The process is the one described here, copied below:

Create a certificate

  • Start the Keychain Access application (in /Applications/Utilities)
  • Select the Keychain Access -> Certificate Assistant -> Create a Certificate... menu
    • Choose a name for the new certificate (this procedure will use "gdb-cert" as an example)
    • Set "Identity Type" to "Self Signed Root"
    • Set "Certificate Type" to "Code Signing"
    • Activate the "Let me override defaults" option
  • Click several times on "Continue" until the "Specify a Location For The Certificate" screen appears, then set "Keychain" to "System"
  • Click on "Continue" until the certificate is created
  • Finally, in the view, double-click on the new certificate, and set "When using this certificate" to "Always Trust" (you may prefer to choose the "Custom" option and allow just "Code Signing").
  • Exit the Keychain Access application. Mojave required you to restart the computer (or, if feeling brave, sudo killall taskgated), but Catalina appears not to require this (and wasn't running taskgated).

Create an "entitlements" file

The certificate created above says the signed program is to be always trusted, but trusted to do what? This file (save it as, e.g., gdb.xml) grants the entitlement that says the program is trusted to act as a debugger.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>

Signing

You need to specify the certificate, the entitlement, and the program to be signed. Note that it's the actual binary object that's signed, so you can use symbolic links if you want to have the same gdb on more than one path (e.g., for FSF GCC 12.2.0 as well as 13.2.0).

$ codesign                 \
  --force                  \
  --sign gdb-cert          \
  --entitlements gdb.xml   \
  /opt/gcc-13.2.0/bin/gdb
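The three steps above, wrapped in a script that also checks the result, as an added example that is not part of this wiki page or of the GDB/GCC projects. The certificate name "gdb-cert", the entitlements file name gdb.xml and the gdb path are the ones used on the page; the function names are this example's own. The checks cover the two usual failure points: codesign cannot find a usable identity (certificate created with the wrong type, or not trusted), or the signature went on but without the debugger entitlement, in which case gdb still cannot attach.

```shell
#!/bin/sh
# Added example, not the wiki's own script: create the entitlements file,
# sign gdb with the self-signed certificate, then verify the signature and
# the entitlement. Helper names are this example's own.
set -eu

# Write the entitlements plist shown on the page to the given path.
write_entitlements() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>
EOF
}

# Text-only check that works on any platform: does the plist grant the
# debugger entitlement? Used before signing and by the test.
entitlements_grant_debugger() {
    grep -q '<key>com.apple.security.cs.debugger</key>' "$1" \
        && grep -q '<true/>' "$1"
}

# Succeeds when a code-signing identity with this name exists and is usable.
# `security find-identity -v -p codesigning` lists only identities that are
# valid for code signing, so a certificate of the wrong type, one without its
# private key, or one that is not trusted will be missing here, which is the
# usual cause of codesign reporting "no identity found".
have_signing_identity() {
    security find-identity -v -p codesigning 2>/dev/null | grep -q "\"$1\""
}

# Sign exactly as on the page; codesign signs the real binary, so a symlink
# path works too.
sign_gdb() {
    codesign --force --sign "$1" --entitlements "$2" "$3"
}

# Verify the signature is intact and the debugger entitlement was applied.
# `grep -a` copes with the blob header older codesign versions print before
# the entitlements XML.
verify_gdb() {
    codesign --verify --verbose=2 "$1" || return 1
    codesign -d --entitlements - "$1" 2>/dev/null \
        | grep -aq 'com.apple.security.cs.debugger' || return 1
}

main() {
    cert=${1:-gdb-cert}
    bin=${2:-/opt/gcc-13.2.0/bin/gdb}
    ent=${3:-gdb.xml}

    [ -f "$ent" ] || write_entitlements "$ent"
    if ! entitlements_grant_debugger "$ent"; then
        echo "$ent does not grant com.apple.security.cs.debugger" >&2
        return 1
    fi
    if ! have_signing_identity "$cert"; then
        echo "no usable code-signing identity named $cert;" \
             "check Certificate Type and trust in Keychain Access" >&2
        return 1
    fi
    sign_gdb "$cert" "$ent" "$bin"
    if ! verify_gdb "$bin"; then
        echo "$bin is signed but lacks the debugger entitlement" >&2
        return 1
    fi
    echo "$bin signed with $cert and carries com.apple.security.cs.debugger"
}

# Only act when invoked with arguments, e.g.
#   sh sign-gdb.sh gdb-cert /opt/gcc-13.2.0/bin/gdb
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Run it once per gdb binary; re-running is harmless because `--force` replaces the existing signature. If `have_signing_identity` fails even though the certificate is visible in Keychain Access, the certificate is usually in the wrong keychain or its trust setting has not taken effect yet, which is where the restart (or `killall taskgated` on Mojave) from the certificate step comes in.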