4 Replies
      Latest reply on Jul 3, 2019 7:29 PM by sebastian41
      sebastian41 Level 1 Level 1 (0 points)

        Hi, my application can be extended with external plugins and therefore needs to be debuggable. I notarized my application properly with the entitlements below. The most interesting entitlements are com.apple.security.cs.disable-library-validation and com.apple.security.get-task-allow (see explanation why below)

          <key>com.apple.security.cs.disable-library-validation</key>
          <true/>
          <key>com.apple.security.cs.allow-jit</key>
          <true/>
          <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
          <true/>
          <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
          <true/>
          <key>com.apple.security.get-task-allow</key>
          <true/>

        According to this Apple documentation page get-task-allow is allowed in combination with disable-library-validation in order to make that happen:

        To enable debugging a plug-in in the context of a host executable, the host can include the com.apple.security.get-task-allow entitlement if it also includes the Disable Library Validation Entitlement. Don’t disable library validation for executables that don’t host plug-ins because library validation protects them from loading untrusted code.

        But Xcode is still not able to attach to the process. Any ideas what could cause this?

        error: attach by pid '27450' failed -- Error 1

        • Re: Debugging notarized app not possible
          eskimo Apple Staff Apple Staff (11,955 points)

          Have you confirmed that com.apple.security.get-task-allow was correctly applied?  My favourite trick for this is to use codesign to look at your running process:

          1. Launch your app.

          2. Find its pid:

            $ pgrep Finder
            671

          3. Dump the entitlements of the running process like so:

            $ codesign -d --entitlements :- 671
            …
            <plist version="1.0">
            <dict>
                …
                <key>com.apple.application-identifier</key>
                <string>RD13622867.com.apple.finder</string>
                …
            </dict>
            </plist>

          Do this with your app and check that com.apple.security.get-task-allow is set as you expect.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"
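A small POSIX shell helper, added here as an example (it is not part of Quinn's post), that automates step 3 above: it pipes the `codesign -d --entitlements :-` output for a running process through an awk check for one exact `<key>` and reports true, false or absent, so the signed runtime entitlements are what gets inspected rather than the input plist. The sample plist is constructed inline (mirroring the thread's entitlements, plus one `<false/>` entry to show the negative case); `check_running_app` assumes macOS with pgrep and codesign available.

```shell
#!/bin/sh
# Added example (not from the thread): check which entitlements are actually
# baked into a code signature, as codesign reports them, not what the plist says.
# has_entitlement KEY  (entitlements XML on stdin) -> prints true | false | absent
# Matches the exact <key>KEY</key> tag, so the iOS-style "get-task-allow" does
# not match the macOS "com.apple.security.get-task-allow".
has_entitlement() {
  awk -v key="$1" '
    { gsub(/^[ \t]+|[ \t]+$/, "") }          # trim whitespace; blank lines stay blank
    want && $0 != "" {                       # value on a following line
      verdict = ($0 == "<true/>") ? "true" : "false"; exit
    }
    { i = index($0, "<key>" key "</key>") }
    i {
      rest = substr($0, i + length("<key>" key "</key>"))
      if (rest ~ /^[ \t]*<true\/>/) { verdict = "true";  exit }
      if (rest ~ /^[ \t]*</)        { verdict = "false"; exit }   # inline value, not <true/>
      want = 1                               # value comes on the next non-blank line
    }
    END { print (verdict == "" ? "absent" : verdict) }'
}

# check_running_app NAME: dump the runtime entitlements of a running process
# (macOS only: needs pgrep and codesign) and report the two debugging keys.
check_running_app() {
  pid=$(pgrep -x "$1" | head -n 1)
  [ -n "$pid" ] || { echo "no running process named $1" >&2; return 1; }
  plist=$(codesign -d --entitlements :- "$pid" 2>/dev/null)
  for key in com.apple.security.get-task-allow com.apple.security.cs.disable-library-validation; do
    printf '%-55s %s\n' "$key" "$(printf '%s\n' "$plist" | has_entitlement "$key")"
  done
}

# Constructed sample: the thread's entitlements as pasted (with a stray blank
# line) plus one inline <false/> entry to exercise the negative case.
SAMPLE_PLIST='<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>

    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key><false/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>'

for key in com.apple.security.get-task-allow get-task-allow com.apple.security.cs.allow-dyld-environment-variables; do
  printf '%-55s %s\n' "$key" "$(printf '%s\n' "$SAMPLE_PLIST" | has_entitlement "$key")"
done
```

On a Mac, `check_running_app Foo` runs the same check against the live process, which is the view that matters for attaching a debugger.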

            • Re: Debugging notarized app not possible
              sebastian41 Level 1 Level 1 (0 points)

              Hi, thanks a lot for your answer! I checked the entitlements in the application binary and during runtime and can confirm they are present.

              sebastian$ cat foo.entitlements
              <?xml version="1.0" encoding="UTF-8"?>
              <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
              <plist version="1.0">
              <dict>
              <key>com.apple.security.cs.disable-library-validation</key>
              <true/>
              <key>com.apple.security.cs.allow-jit</key>
              <true/>
              <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
              <true/>
              <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
              <true/>
              <key>com.apple.security.get-task-allow</key>
              <true/>
              </dict>
              </plist>

              sebastian$ codesign -d --entitlements - /Users/sebastian/Downloads/Foo.app
              Executable=/Users/sebastian/Downloads/Downloads/Foo.app/Contents/MacOS/Foo
              ??qq<?xml version="1.0" encoding="UTF-8"?>
              <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
              <plist version="1.0">
              <dict>
              <key>com.apple.security.cs.disable-library-validation</key>
              <true/>
              <key>com.apple.security.cs.allow-jit</key>
              <true/>
              <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
              <true/>
              <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
              <true/>
              <key>com.apple.security.get-task-allow</key>
              <true/>
              </dict>
              </plist>

              sebastian$ codesign -d --entitlements :- 36452
              Executable=/Users/sebastian/Downloads/Foo.app/Contents/MacOS/Foo
              <?xml version="1.0" encoding="UTF-8"?>
              <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
              <plist version="1.0">
              <dict>
              <key>com.apple.security.cs.disable-library-validation</key>
              <true/>
              <key>com.apple.security.cs.allow-jit</key>
              <true/>
              <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
              <true/>
              <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
              <true/>
              <key>com.apple.security.get-task-allow</key>
              <true/>
              </dict>
              </plist>

              I still receive the same error in Xcode:

              Could not attach to pid : “36452”

              Just to double check, here is some information. I use macOS 10.14.5 with Xcode 11.0 beta (11M336w). I added the entry com.apple.security.get-task-allow manually to my foo.entitlements file and sign it through my manual build chain with:

              codesign -o runtime --entitlements foo.entitlements --force --sign "..." Foo.app

              1) Is there any difference between <key>com.apple.security.get-task-allow</key> and <key>get-task-allow</key>? I can find examples for both.

              2) Is there any difference between the foo.entitlements and an entitlement plist file? In several documents I find a reference that the get-task-allow flag must be added to the entitlement plist.

                • Re: Debugging notarized app not possible
                  eskimo Apple Staff Apple Staff (11,955 points)

                  I use macOS 10.14.5 with Xcode 11.0 beta (11M336w).

                  I’m testing on 10.14.5 but with Xcode 10.2.1.  I recommend you avoid pre-release software unless it’s necessary (which isn’t the case here).

                  1) Is there any difference between com.apple.security.get-task-allow and get-task-allow? I can find examples for both.

                  The first is for macOS, the second is for iOS.  This entitlement originated on iOS, and when we ported it to macOS we decided to put it in a sensible namespace.

                  2) Is there any difference between the foo.entitlements and an entitlement plist file?

                  No.  However, it’s important to realise that the entitlements property list is just an input to the code signing machinery.  The actual entitlements, the ones that apply at runtime, are baked into the code signature, which is why it’s important that, when investigating problems like this, you look at the output of codesign rather than the property list.


                  As to your main issue, I prototyped this here in my office and it seems to work:

                  $ open Test118450.app
                  $ codesign -d -vvv --entitlements :- `pgrep Test118450`
                  …
                  CodeDirectory v=20500 size=435 flags=0x10000(runtime) hashes=4+5 location=embedded
                  …
                  Authority=Developer ID Application: Quinn Quinn (SKMME9E2Y8)
                  Authority=Developer ID Certification Authority
                  Authority=Apple Root CA
                  Timestamp=24 Jun 2019 at 09:21:53
                  …
                  <dict>
                      <key>com.apple.application-identifier</key>
                      <string>SKMME9E2Y8.com.example.apple-samplecode.Test118450</string>
                      <key>com.apple.developer.team-identifier</key>
                      <string>SKMME9E2Y8</string>
                      <key>com.apple.security.cs.disable-library-validation</key>
                      <true/>
                      <key>com.apple.security.get-task-allow</key>
                      <true/>
                  </dict>
                  </plist>
                  $ lldb 
                  (lldb) process  attach -n Test118450 
                  Process 37873 stopped
                  …
                  (lldb)

                  I’m not sure why things are failing at your end.

                  Are you exporting your Developer ID app from Xcode’s Organizer?  Or manually signing it?

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"