Instruments: why? “Failed to gain authorization”

I have a swift 5.4 package manager project with an executable target I want to profile in Instruments.

I Cmd+I to profile which launches instruments. I pick allocations.

then push the record button.

im asked to authorise and doesn’t matter whether I use fingerprint or password I always get the error:

(before run started) Failed to gain authorization

any ideas?

instruments 12.5 xcode 11.5 swift 5.4 2020 M1 MBP 13”

Answered by Developer Tools Engineer in 677562022

Hi there!

This is most likely due to your application not being signed with a debugging entitlement. If you run: codesign -dvvv --entitlements=- <path-to-app> — do you see get-task-allow entitlement listed in there?

If not — there are a few things you should check for: — Are you signing your Release scheme build with a developer certificate? — Make sure you're not overriding CODE_SIGN_INJECT_BASE_ENTITLEMENTS build setting, it should be set to YES by default.

Please let us know what's the outcome and we'll continue our investigation based on the codesign output.

Kacper

Note I get the same if I try to profile any arbitrary running process.

Accepted Answer

Hi there!

This is most likely due to your application not being signed with a debugging entitlement. If you run: codesign -dvvv --entitlements=- <path-to-app> — do you see get-task-allow entitlement listed in there?

If not — there are a few things you should check for: — Are you signing your Release scheme build with a developer certificate? — Make sure you're not overriding CODE_SIGN_INJECT_BASE_ENTITLEMENTS build setting, it should be set to YES by default.

Please let us know what's the outcome and we'll continue our investigation based on the codesign output.

Kacper

I suspect the answer here is that Instruments can't attach to unsigned code and executable targets build by the Swift Package Manager tooling doesn't sign code.

This makes sense because it's meant to be open source and cross platform, yet code signing is a Apple thing.

As a workaround, I created a simple Command Line Tool Xcode project and added my Swift Package as a dependency, with the tool's main.swift just calling into the package. Xcode will happily code sign everything and Instruments runs just fine.

I suppose an open/related question is: can Instruments/macOS be persuaded to instrument unsigned code?

I get the same error using the Xojo IDE (url not permitted). The debugged app has an ad-hoc code certificate. Shouldn't this be enough for Instruments?

macOS 11.2 and Instruments 12.5.

Problem solved: was missing the correct entitlement.

I'm also encountering this error while trying to profile an executable compiled with Rust (Xcode isn't involved). I know that's not a super-common workflow, but Instruments has been very helpful for profiling Rust code in the past. I have yet to find a workaround.

I'm getting the same error for a C++ code that I compile with the system's clang. If instruments cannot profile code that I compile myself on my system it becomes entirely useless. In this case I really should not have to worry about code signing as is suggested below.

Workaround:

Create a file called debug.plist. Put the following text in the new file:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.security.get-task-allow</key><true/></dict></plist>

Then, sign your app (or re-sign it) with the following shell (Terminal.app) command:

$ codesign -s - -v -f --entitlements /path/to/debug.plist /path/to/your/executable

I have the same problem with versions of Xcode 12.5.1 to 14.0. At least Xcode 125.1 puts out a useful error. Xcode 13 and newer puts out the very unhelpful error message "Required kernel recording resources are in use by another document.". I was able to get around the issue by editing my target's scheme and temporarily changing the Profile > Build Configuration from Release to Debug.

To automate @stragerneds's workaround, you can add the following script to the Pre-action for Profiling:

# Make sure to set the shell to zsh, not bash
#
# For Instruments, re-sign binary with get-task-allow entitlement
codesign -s - -v -f --entitlements =(echo -n '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"\>
<plist version="1.0">
    <dict>
        <key>com.apple.security.get-task-allow</key>
        <true/>
    </dict>
</plist>') ${TARGET_BUILD_DIR}/${PRODUCT_NAME}

I've written up a more complete discussion at https://cocoaphony.micro.blog/2022/10/29/solving-required-kernel.html.

The solution from @Developer Tools Engineer, @robnapier and @stragerneds did not work for me. I'm still getting "Failed to gain authorization", even after adding the entitlement. I'm debugging a plain executable.

codesign -dvvv --entitlements=- /Users/ccleve/.pgrx/16.0/pgrx-install/bin/psq``` l

Executable=/Users/ccleve/.pgrx/16.0/pgrx-install/bin/psql Identifier=psql-55554944e8e26ef3f50637679e1c2d5ded7430a8 Format=Mach-O thin (arm64) CodeDirectory v=20400 size=6342 flags=0x2(adhoc) hashes=187+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=1b033acfe360f3efe957c00c5b0436bb2e686d61 CandidateCDHashFull sha256=1b033acfe360f3efe957c00c5b0436bb2e686d61c71347c05bc36fb2c653fae2 Hash choices=sha256 CMSDigest=1b033acfe360f3efe957c00c5b0436bb2e686d61c71347c05bc36fb2c653fae2 CMSDigestType=2 Launch Constraints: None CDHash=1b033acfe360f3efe957c00c5b0436bb2e686d61 Signature=adhoc Info.plist=not bound TeamIdentifier=not set Sealed Resources=none Internal requirements count=0 size=12 [Dict] [Key] com.apple.security.get-task-allow [Value] [Bool] true


(Not sure how to get the above output to format correctly.)
Instruments: why? “Failed to gain authorization”
 
 
Q