subject: cannot codesign system certificate for gdb in keychain access in Mac OS X High Sierra

I'm trying to use gdb on Mac OSX High Sierra. I installed version 8.01 using brew (the latest version 8.1 actually has a separate, unrelated error), and am having trouble with the codesign step. I'm following the instructions at the page suggested by brew.

In Keychain Access, I create a certificate, using the "codesign" option, and overriding defaults, and click through until it asks for the location of the certificate, for which I select "keychain: system". However, immediately afterwards I get a mysterious message:

An Error Occurred
Unknown Error = -2,147,414,007

This message also occurred in a previous thread, but the sole answer was of low quality, didn't work, and the question didn't seem to be getting much activity/attention. I also tried going into recovery mode and doing csrutil disable, but I'm still getting the -2,147,414,007 error. Back in the Keychain Access window, under "System", I get the public and private RSA keys of the certificate I just created, but the certificate itself is not there.

If I repeat all that but create under "Login" instead of "System", this time the certificate gets created. I then export to a .cer file to my desktop, then import back into Keychains, but under the "System" category. I then restart my computer, then do

codesign -s gdb-cert /usr/local/Cellar/gdb/8.0.1/bin/gdb

but I get error: The specified item could not be found in the keychain.

I can of course just do sudo gdb or lldb with no problem, but I would like to use gdb with emacs, so those are not options (of course, technically I can just do sudo emacs and it will work, but for obvious reasons I prefer not to use sudo). How can I codesign gdb so that I can use it without getting mach port complaints?

edit: it appears another thread elsewhere has many people with the same problem. There doesn't appear to be a definitive fix there; I tried some of the suggestions and am continuing to get

Unable to find Mach task port for process-id 575: (os/kern) failure (0x5).
 (please check gdb is codesigned - see taskgated(8))

I finally got it to work. I'm using the latest High Sierra as of the date of this post. First, I installed an older version of gdb, 8.0.1, instead of the latest 8.1, which seems to be broken:

brew install https://raw.githubusercontent.com/Homebrew/homebrew-core/9ec9fb27a33698fc7636afce5c1c16787e9ce3f3/Formula/gdb.rb

then brew pin gdb.

For the next steps, I found this thread, and this other thread useful. Also, this page.

Make the certificate in Login instead of System in order to avoid the -2,147,414,007 error. Then, click the padlock to unlock the System category, and drag the certificate and keys into System. If anything goes wrong here, you can try File->Import and File->Export instead. The goal is to get the following:

[Screenshot: Keychain Access]

e.g. the certificate and the keys all under the System keychain, not login. (It may not even be necessary to drag the keys into system, but I did it just to be safe).

Then, a very important step: right click the certificate, go to Info, Trust, and select Always trust for every category. If you don't do this, the codesigning will not be effective, and you will still get the mach port error message in gdb, even if you codesign.

(One of the answers in the two threads linked above says to temporarily enable the root account in Directory Utilities, but I'm not sure if that's actually necessary). Then, either restart your computer or do sudo killall taskgated. Then codesign -fs gdb-cert $(which gdb).

Then, I no longer got the mach port error message in gdb. The first time I ran, I got a popup asking for a password. To disable it for future runs, I did sudo /usr/sbin/DevToolsSecurity --enable as per that thread.

Note also that 8.0.1 has a minor issue: you will get warnings about unhandled dyld version. That's explained in this thread. Note some posts in that thread say breakpoints don't work, but I didn't see that happening.
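
A check for the state the answer above aims for, as an added example that is not part of the original post: it classifies the gdb-cert identity from the text printed by security find-identity, separating "not in the keychain" from "present but not trusted". The System keychain path and both sample outputs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): classify a code-signing identity
# from the text printed by `security find-identity -p codesigning <keychain>`.
#   valid     - listed under "Valid identities only"
#   untrusted - certificate + key found, but not valid for code signing
#   missing   - no identity with that name in the keychain that was queried
classify_identity() {
    awk -v name="$1" '
        BEGIN { quoted = "\"" name "\"" }
        /Matching identities/   { section = "matching" }
        /Valid identities only/ { section = "valid" }
        index($0, quoted) && section == "matching" { matched = 1 }
        index($0, quoted) && section == "valid"    { valid = 1 }
        END {
            if (valid)        print "valid"
            else if (matched) print "untrusted"
            else              print "missing"
        }'
}

# Constructed sample output: identity present, "Always Trust" not yet set.
SAMPLE_UNTRUSTED='Policy: Code Signing
  Matching identities
  1) 0000000000000000000000000000000000000000 "gdb-cert" (CSSMERR_TP_NOT_TRUSTED)
     1 identities found

  Valid identities only
     0 valid identities found'

# Constructed sample output: the same identity once it is trusted.
SAMPLE_VALID='Policy: Code Signing
  Matching identities
  1) 0000000000000000000000000000000000000000 "gdb-cert"
     1 identities found

  Valid identities only
  1) 0000000000000000000000000000000000000000 "gdb-cert"
     1 valid identities found'

# On macOS, query the System keychain (standard path); elsewhere, use the sample.
if command -v security >/dev/null 2>&1; then
    security find-identity -p codesigning /Library/Keychains/System.keychain |
        classify_identity gdb-cert
else
    printf '%s\n' "$SAMPLE_UNTRUSTED" | classify_identity gdb-cert
fi
```

Once the result is valid, codesign -dv $(which gdb) shows whether the binary itself carries a signature.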
