[RFA] Add --enable-codesign to gdb's configure
Commit Message
macOS requires that the gdb executable be signed in order to be able
to successfully use ptrace. This must be done after each link.
This patch adds a new --enable-codesign configure option so that this
step can be automated.
gdb/ChangeLog
2018-06-28 Tom Tromey <tom@tromey.com>
* NEWS: Mention --enable-codesign.
* silent-rules.mk (ECHO_SIGN): New variable.
* configure.ac: Add --enable-codesign.
* configure: Rebuild.
* Makefile.in (CODESIGN, CODESIGN_CERT): New variables.
(gdb$(EXEEXT)): Optionally invoke codesign.
---
gdb/ChangeLog | 9 +++++++++
gdb/Makefile.in | 7 +++++++
gdb/NEWS | 7 +++++++
gdb/configure | 11 +++++++++++
gdb/configure.ac | 7 +++++++
gdb/silent-rules.mk | 1 +
6 files changed, 42 insertions(+)
Comments
Hi Tom,
On Thu, Jun 28, 2018 at 10:37:45AM -0600, Tom Tromey wrote:
> macOS requires that the gdb executable be signed in order to be able
> to successfully use ptrace. This must be done after each link.
>
> This patch adds a new --enable-codesign configure option so that this
> step can be automated.
>
> gdb/ChangeLog
> 2018-06-28 Tom Tromey <tom@tromey.com>
>
> * NEWS: Mention --enable-codesign.
> * silent-rules.mk (ECHO_SIGN): New variable.
> * configure.ac: Add --enable-codesign.
> * configure: Rebuild.
> * Makefile.in (CODESIGN, CODESIGN_CERT): New variables.
> (gdb$(EXEEXT)): Optionally invoke codesign.
Good idea! The NEWS portion needs to wait for Eli's feedback.
But the rest looks good to me (the NEWS entry too, FWIW).
Thank you!
> From: Tom Tromey <tom@tromey.com>
> Cc: Tom Tromey <tom@tromey.com>
> Date: Thu, 28 Jun 2018 10:37:45 -0600
>
> macOS requires that the gdb executable be signed in order to be able
> to successfully use ptrace. This must be done after each link.
>
> This patch adds a new --enable-codesign configure option so that this
> step can be automated.
>
> gdb/ChangeLog
> 2018-06-28 Tom Tromey <tom@tromey.com>
>
> * NEWS: Mention --enable-codesign.
> * silent-rules.mk (ECHO_SIGN): New variable.
> * configure.ac: Add --enable-codesign.
> * configure: Rebuild.
> * Makefile.in (CODESIGN, CODESIGN_CERT): New variables.
> (gdb$(EXEEXT)): Optionally invoke codesign.
> ---
> gdb/ChangeLog | 9 +++++++++
> gdb/Makefile.in | 7 +++++++
> gdb/NEWS | 7 +++++++
> gdb/configure | 11 +++++++++++
> gdb/configure.ac | 7 +++++++
> gdb/silent-rules.mk | 1 +
> 6 files changed, 42 insertions(+)
>
> diff --git a/gdb/ChangeLog b/gdb/ChangeLog
> index a125b72e420..08271641370 100644
> --- a/gdb/ChangeLog
> +++ b/gdb/ChangeLog
> @@ -1,3 +1,12 @@
> +2018-06-28 Tom Tromey <tom@tromey.com>
> +
> + * NEWS: Mention --enable-codesign.
> + * silent-rules.mk (ECHO_SIGN): New variable.
> + * configure.ac: Add --enable-codesign.
> + * configure: Rebuild.
> + * Makefile.in (CODESIGN, CODESIGN_CERT): New variables.
> + (gdb$(EXEEXT)): Optionally invoke codesign.
> +
> 2018-06-27 Tom Tromey <tom@tromey.com>
OK for the NEWS part, but I think we should reflect this option in the
output of "gdb --configure", because users will want to know whether
their GDB was configured that way.
Thanks.
Hi Eli,
> OK for the NEWS part, but I think we should reflect this option in the
> output of "gdb --configure", because users will want to know whether
> their GDB was configured that way.
The new option actually influences the build, not whether GDB provides
a given feature or not.
On MacOS X, GDB needs to be codesigned in order to be allowed debug
privileges. What Tom's configuration option does is that it automates
that during the build so that it gets automatically done each time
the user types "make". Users who do not use the new option already
achieve the same effect by running the codesign command by hand
each time after running "make".
If a user wants to know whether his binary has been codesigned or
not, and if yes, using which certificate, he can also use the codesign
command.
http://osxdaily.com/2016/03/14/verify-code-sign-apps-mac-os-x/
>> OK for the NEWS part, but I think we should reflect this option in the
>> output of "gdb --configure", because users will want to know whether
>> their GDB was configured that way.
Joel> The new option actually influences the build, not whether GDB provides
Joel> a given feature or not.
I'm not sure there's a way for gdb to know whether it's been signed, I
guess other than invoking codesign itself. I'm going to check this in,
but if it still needs the change, let me know and I will see if I can
implement it.
Tom
> I'm not sure there's a way for gdb to know whether it's been signed, I
> guess other than invoking codesign itself. I'm going to check this in,
> but if it still needs the change, let me know and I will see if I can
> implement it.
I just gave it a try, and basically, you do it using the -d option
of codesign. I also added -v, to get a bit more information about
the signature -- otherwise, you either get "not signed", or the name
of the executable. Here is an example of both situations:
| $ codesign -dv simple_main
| simple_main: code object is not signed at all
| $ codesign -dv gdb
| Executable=/[...]/gdb
| Identifier=org.gnu.gdb
| Format=Mach-O thin (x86_64)
| CodeDirectory v=20100 size=82012 flags=0x0(none) hashes=2559+2 location=embedded
| Signature size=1572
| Signed Time=23 Feb 2017 09:29:17
| [...]
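The two steps discussed in this thread, signing the freshly linked binary ("codesign -s CERT gdb", which the patch runs from the link rule) and checking the result with "codesign -dv" as shown above, written out as an added example. This is my own POSIX sh wrapper, not code from Tom's patch or from the gdb tree. The function names (valid_identity, sign_binary, parse_codesign_dv, check_signed) and the CODESIGN override variable are assumptions made for the example; the override exists so the logic can be exercised where /usr/bin/codesign is not installed. The sample text fed to the parser is constructed after the two outputs quoted above.

```shell
# Added example: wrapper around "codesign -s" and "codesign -dv".
# Not part of the gdb sources or of this patch. CODESIGN can be
# overridden (assumption, mirrors the Makefile's CODESIGN variable)
# so the logic can run where the real codesign tool is absent.
CODESIGN="${CODESIGN:-codesign}"

# Reject identity values that a configure script would hand through
# unchanged: a bare --enable-codesign gives "yes", --disable-codesign
# gives "no", and an empty string means "do not sign". Returns 0 when
# the identity is usable as an argument to "codesign -s".
valid_identity() {
    case "$1" in
        ''|yes|no) return 1 ;;
        *) return 0 ;;
    esac
}

# Sign file $2 with identity $1. The identity is quoted so that a
# name containing spaces ("Mac Developer: Jane Doe") stays one argument.
# Exit status: 0 signed, 2 bad identity, 3 missing file, else codesign's.
sign_binary() {
    ident="$1"; bin="$2"
    valid_identity "$ident" || { echo "sign_binary: bad identity '$ident'" >&2; return 2; }
    [ -f "$bin" ] || { echo "sign_binary: no such file: $bin" >&2; return 3; }
    "$CODESIGN" -s "$ident" "$bin"
}

# Parse "codesign -dv" display text read from stdin. Prints the
# Identifier= value and returns 0 when a signature is present; prints
# "unsigned" (or "unknown" when no Identifier line is found) and
# returns 1 otherwise.
parse_codesign_dv() {
    out="$(cat)"
    case "$out" in
        *"code object is not signed at all"*) echo unsigned; return 1 ;;
    esac
    ident="$(printf '%s\n' "$out" | sed -n 's/^Identifier=//p' | head -n 1)"
    [ -n "$ident" ] || { echo unknown; return 1; }
    echo "$ident"
}

# Check a built binary. codesign -d writes its display to stderr, so
# it is redirected into the parser.
check_signed() {
    "$CODESIGN" -dv "$1" 2>&1 | parse_codesign_dv
}

# Usage on macOS, with a signing identity present in the login keychain
# (the identity name below is a placeholder):
#   sign_binary gdb_codesign ./gdb && check_signed ./gdb
```

The identity check is the interesting part: configure's AC_ARG_ENABLE passes "yes" and "no" through as ordinary values, so a wrapper that is fed the configure result should refuse them rather than run "codesign -s no".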
@@ -1,3 +1,12 @@
+2018-06-28 Tom Tromey <tom@tromey.com>
+
+ * NEWS: Mention --enable-codesign.
+ * silent-rules.mk (ECHO_SIGN): New variable.
+ * configure.ac: Add --enable-codesign.
+ * configure: Rebuild.
+ * Makefile.in (CODESIGN, CODESIGN_CERT): New variables.
+ (gdb$(EXEEXT)): Optionally invoke codesign.
+
2018-06-27 Tom Tromey <tom@tromey.com>
* machoread.c (macho_symfile_read): Define "symbol_table" earlier.
@@ -222,6 +222,10 @@ LIBICONV = @LIBICONV@
# Did the user give us a --with-gdb-datadir option?
GDB_DATADIR = @GDB_DATADIR@
+# Code signing.
+CODESIGN = codesign
+CODESIGN_CERT = @CODESIGN_CERT@
+
# Flags to pass to gdb when invoked with "make run".
GDBFLAGS =
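Review bot: CODESIGN is fixed to the bare name `codesign` in this hunk and is never probed or substituted by configure, so a codesign that is not on PATH at build time cannot be selected at configure time; that is acceptable for a make variable the user can override on the command line, but the `# Code signing.` comment should say so (for example "Override CODESIGN on the make command line to use a different tool").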
@@ -1916,6 +1920,9 @@ gdb$(EXEEXT): gdb.o $(LIBGDB_OBS) $(ADD_DEPS) $(CDEPS) $(TDEPLIBS)
$(ECHO_CXXLD) $(CC_LD) $(INTERNAL_LDFLAGS) $(WIN32LDAPP) \
-o gdb$(EXEEXT) gdb.o $(LIBGDB_OBS) \
$(TDEPLIBS) $(TUI_LIBRARY) $(CLIBS) $(LOADLIBES)
+ifneq ($(CODESIGN_CERT),)
+ $(ECHO_SIGN) $(CODESIGN) -s $(CODESIGN_CERT) gdb$(EXEEXT)
+endif
# Convenience rule to handle recursion.
$(LIBGNU) $(GNULIB_H): all-lib
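Review bot: `$(CODESIGN_CERT)` is passed unquoted in `$(ECHO_SIGN) $(CODESIGN) -s $(CODESIGN_CERT) gdb$(EXEEXT)`, so a signing identity containing spaces is split into several arguments; write `-s "$(CODESIGN_CERT)"`. A second problem is that the codesign call is the last command of the link recipe: if it fails (locked keychain, certificate not trusted), the fully linked but unsigned gdb$(EXEEXT) stays on disk, and the next `make` treats the target as up to date and never retries the signing. Either remove the binary on failure (`... || { rm -f gdb$(EXEEXT); exit 1; }`) or declare `.DELETE_ON_ERROR:` so make discards it.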
@@ -84,6 +84,13 @@ SH-5/SH64 running OpenBSD SH-5/SH64 support in sh*-*-openbsd*
the tradeoff that there is a possibility of false hits being
reported.
+* New configure options
+
+--enable-codesign=CERT
+ This can be used to invoke "codesign -s CERT" after building gdb.
+ This option is useful on macOS, where code signing is required for
+ gdb to work properly.
+
*** Changes in GDB 8.1
* GDB now supports dynamically creating arbitrary register groups specified
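Review bot: "code signing is required for gdb to work properly" in the new NEWS entry understates what actually fails: an unsigned gdb links and starts normally but is refused the ptrace access the commit message mentions, so it cannot run or attach to inferiors. Suggest "on macOS, where gdb must be code signed before it is allowed to debug other processes". It would also help to state that CERT is the name of a signing identity in the user's keychain, since `codesign -s` takes an identity name rather than a certificate file.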
@@ -745,6 +745,7 @@ AWK
REPORT_BUGS_TEXI
REPORT_BUGS_TO
PKGVERSION
+CODESIGN_CERT
HAVE_NATIVE_GCORE_TARGET
TARGET_OBS
subdirs
@@ -861,6 +862,7 @@ enable_gdbtk
with_libunwind_ia64
with_curses
enable_profiling
+enable_codesign
with_pkgversion
with_bugurl
with_system_zlib
@@ -1550,6 +1552,7 @@ Optional Features:
--enable-tui enable full-screen terminal user interface (TUI)
--enable-gdbtk enable gdbtk graphical user interface (GUI)
--enable-profiling enable profiling of GDB
+ --enable-codesign=CERT sign gdb with 'codesign -s CERT'
--disable-rpath do not hardcode runtime library paths
--enable-libmcheck Try linking with -lmcheck if available
--enable-werror treat compile warnings as errors
@@ -7050,6 +7053,14 @@ $as_echo "$ac_cv_cc_supports_pg" >&6; }
CFLAGS="$OLD_CFLAGS"
fi
+CODESIGN_CERT=
+# Check whether --enable-codesign was given.
+if test "${enable_codesign+set}" = set; then :
+ enableval=$enable_codesign; CODESIGN_CERT=$enableval
+fi
+
+
+
# Check whether --with-pkgversion was given.
@@ -471,6 +471,13 @@ if test "$enable_profiling" = yes ; then
CFLAGS="$OLD_CFLAGS"
fi
+CODESIGN_CERT=
+AC_ARG_ENABLE([codesign],
+ AS_HELP_STRING([--enable-codesign=CERT],
+ [sign gdb with 'codesign -s CERT']),
+ [CODESIGN_CERT=$enableval])
+AC_SUBST([CODESIGN_CERT])
+
ACX_PKGVERSION([GDB])
ACX_BUGURL([http://www.gnu.org/software/gdb/bugs/])
AC_DEFINE_UNQUOTED([PKGVERSION], ["$PKGVERSION"], [Additional package description])
@@ -10,5 +10,6 @@ ECHO_GEN_XML_BUILTIN = \
ECHO_GEN_XML_BUILTIN_GENERATED = \
@echo " GEN xml-builtin-generated.c";
ECHO_INIT_C = echo " GEN init.c" ||
+ECHO_SIGN = @echo " SIGN gdb";
SILENCE = @
endif