Debugging notarized app not possible

Hi, my application can be extended with external plugins and therefore needs to be debuggable. I notarized my application properly with the entitlements below. The most interesting entitlements are com.apple.security.cs.disable-library-validation and com.apple.security.get-task-allow (see explanation why below).

    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>

According to this Apple documentation page get-task-allow is allowed in combination with disable-library-validation in order to make that happen:


To enable debugging a plug-in in the context of a host executable, the host can include the com.apple.security.get-task-allow entitlement if it also includes the Disable Library Validation Entitlement. Don’t disable library validation for executables that don’t host plug-ins because library validation protects them from loading untrusted code.


But Xcode is still not able to attach the process. Any ideas what could cause this?


error: attach by pid '27450' failed -- Error 1

Replies

Have you confirmed that com.apple.security.get-task-allow was correctly applied? My favourite trick for this is to use codesign to look at your running process:
  1. Launch your app.

  2. Find its pid:

    $ pgrep Finder
    671
  3. Dump the entitlements of the running process like so:

    $ codesign -d --entitlements :- 671
    …
    <plist version="1.0">
    <dict>
        …
        <key>com.apple.application-identifier</key>
        <string>RD13622867.com.apple.finder</string>
        …
    </dict>
    </plist>
Do this with your app and check that com.apple.security.get-task-allow is set as you expect.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi, thanks a lot for your answer! I checked the entitlements in the application binary and at runtime and can confirm they are present:

    sebastian$ cat foo.entitlements
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
    </dict>
    </plist>

    sebastian$ codesign -d --entitlements - /Users/sebastian/Downloads/Foo.app
    Executable=/Users/sebastian/Downloads/Downloads/Foo.app/Contents/MacOS/Foo
    ??qq<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
    </dict>
    </plist>

    sebastian$ codesign -d --entitlements :- 36452
    Executable=/Users/sebastian/Downloads/Foo.app/Contents/MacOS/Foo
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
    </dict>
    </plist>


I still receive the same error in Xcode:

    Could not attach to pid : “36452”



Just to double check, here is some information. I use macOS 10.14.5 with Xcode 11.0 beta (11M336w). I added the entry com.apple.security.get-task-allow manually to my foo.entitlements file and sign it through my manual build chain with:

    codesign -o runtime --entitlements foo.entitlements --force --sign "..." Foo.app



1) Is there any difference between <key>com.apple.security.get-task-allow</key> and <key>get-task-allow</key>? I can find examples for both.

2) Is there any difference between the foo.entitlements and an entitlement plist file? In several documentations I find a reference that the get-task-allow flag must be added to the entitlement plist

I use macOS 10.14.5 with Xcode 11.0 beta (11M336w).

I’m testing on 10.14.5 but with Xcode 10.2.1. I recommend you avoid pre-release software unless it’s necessary (which it isn’t in this case).

1) Is there any difference between com.apple.security.get-task-allow and get-task-allow? I can find examples for both.

The first is for macOS, the second is for iOS. This entitlement originated on iOS, and when we ported it to macOS we decided to put it in a sensible namespace.

2) Is there any difference between the foo.entitlements and an entitlement plist file?

No. However, it’s important to realise that the entitlements property list is just an input to the code signing machinery. The actual entitlements, the ones that apply at runtime, are baked into the code signature, which is why it’s important that, when investigating problems like this, you look at the output of codesign rather than the property list.

As to your main issue, I prototyped this here in my office and it seems to work:

$ open Test118450.app
$ codesign -d -vvv --entitlements :- `pgrep Test118450`
…
CodeDirectory v=20500 size=435 flags=0x10000(runtime) hashes=4+5 location=embedded
…
Authority=Developer ID Application: Quinn Quinn (SKMME9E2Y8)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=24 Jun 2019 at 09:21:53
…
<dict>
    <key>com.apple.application-identifier</key>
    <string>SKMME9E2Y8.com.example.apple-samplecode.Test118450</string>
    <key>com.apple.developer.team-identifier</key>
    <string>SKMME9E2Y8</string>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
$ lldb
(lldb) process attach -n Test118450
Process 37873 stopped
…
(lldb)

I’m not sure why things are failing at your end.

Are you exporting your Developer ID app from Xcode’s Organizer? Or manually signing it?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
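The checks the two replies above describe (dump the entitlements that are actually baked into the signature of the running process, confirm the macOS spelling of get-task-allow, and confirm it is paired with disable-library-validation) as one script. This is an added example for this thread, not code from the original posts or from Apple; the function names, the constructed sample plists and the assumption that codesign is only present on macOS are mine. It also flags a repeated key, since plistlib keeps only the last value and a duplicate would otherwise go unnoticed.

```python
"""Check the entitlements a hardened-runtime plug-in host needs before a
debugger can attach, and optionally dump them from a running process.

Added example for this thread, not code from the original posts or from Apple.
Assumptions (mine, not in the thread): the function names, the constructed
sample plists below, and that `codesign` is only present on macOS.
"""
from __future__ import annotations

import plistlib
import shutil
import subprocess
import sys
import xml.etree.ElementTree as ET

GET_TASK_ALLOW = "com.apple.security.get-task-allow"  # macOS spelling
IOS_GET_TASK_ALLOW = "get-task-allow"                  # iOS spelling
DISABLE_LIBRARY_VALIDATION = "com.apple.security.cs.disable-library-validation"

PLIST_HEADER = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
"""

# Constructed sample: what a correctly signed plug-in host should carry.
GOOD_HOST = PLIST_HEADER + b"""<dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.get-task-allow</key><true/>
</dict>
</plist>
"""

# Constructed sample mirroring the original poster's file: one key repeated.
DUPLICATED_KEY = PLIST_HEADER + b"""<dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
  <key>com.apple.security.get-task-allow</key><true/>
</dict>
</plist>
"""

# Constructed sample of the two mistakes discussed in the thread: the iOS key
# name used on macOS, and get-task-allow without disabling library validation.
WRONG_KEYS = PLIST_HEADER + b"""<dict>
  <key>get-task-allow</key><true/>
  <key>com.apple.security.get-task-allow</key><true/>
</dict>
</plist>
"""


def duplicate_keys(xml_bytes: bytes) -> list[str]:
    """Keys that occur more than once within the same <dict>.
    plistlib does not report these; the last value silently wins."""
    dups: list[str] = []
    for d in ET.fromstring(xml_bytes).iter("dict"):
        seen: set[str] = set()
        for k in d.findall("key"):
            name = (k.text or "").strip()
            if name in seen and name not in dups:
                dups.append(name)
            seen.add(name)
    return dups


def check_entitlements(xml_bytes: bytes) -> list[str]:
    """Return findings for a plug-in host that should be debuggable.
    An empty list means the entitlements look right for attaching."""
    ents = plistlib.loads(xml_bytes)
    findings: list[str] = []
    if ents.get(IOS_GET_TASK_ALLOW) is True:
        findings.append(f"'{IOS_GET_TASK_ALLOW}' is the iOS key; macOS uses '{GET_TASK_ALLOW}'")
    if ents.get(GET_TASK_ALLOW) is not True:
        findings.append(f"missing {GET_TASK_ALLOW}: a debugger cannot attach to this hardened-runtime process")
    elif ents.get(DISABLE_LIBRARY_VALIDATION) is not True:
        findings.append(f"{GET_TASK_ALLOW} without {DISABLE_LIBRARY_VALIDATION}: "
                        "the quoted Apple doc allows get-task-allow only for hosts that also disable library validation")
    for name in duplicate_keys(xml_bytes):
        findings.append(f"duplicate key {name}: only the last value is signed")
    return findings


def entitlements_of_running_process(pid: int) -> bytes | None:
    """macOS only. Dump the entitlements baked into the code signature of a
    running process, as in Quinn's reply: `codesign -d --entitlements :- <pid>`.
    The ':' prefix strips the binary blob header that shows up as garbage
    ('??qq') when plain '-' is used. Returns None where codesign is absent."""
    if shutil.which("codesign") is None:
        return None
    proc = subprocess.run(["codesign", "-d", "--entitlements", ":-", str(pid)],
                          capture_output=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    if len(sys.argv) > 1:   # usage: check_entitlements.py <pid of the running app>
        data = entitlements_of_running_process(int(sys.argv[1]))
        if data is None:
            sys.exit("codesign not found; the pid mode only works on macOS")
    else:                   # offline demo on the constructed sample
        data = DUPLICATED_KEY
    for finding in check_entitlements(data) or ["ok: a debugger should be able to attach"]:
        print(finding)
```

Run it with the pid from `pgrep` on macOS to check the signed entitlements rather than the input property list, which is the distinction Quinn's second reply draws; without a pid it checks the embedded sample and reports the repeated key.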

Hi, the error indeed disappeared with an older version of Xcode and the latest Xcode 11 beta (2). Thanks a lot for your help!