From patchwork Wed Jan  9 19:20:53 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tom Tromey <tom@tromey.com>
X-Patchwork-Id: 31019
Received: (qmail 79707 invoked by alias); 9 Jan 2019 19:20:59 -0000
Mailing-List: contact gdb-patches-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <gdb-patches.sourceware.org>
List-Unsubscribe: <mailto:gdb-patches-unsubscribe-##L=##H@sourceware.org>
List-Subscribe: <mailto:gdb-patches-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/gdb-patches/>
List-Post: <mailto:gdb-patches@sourceware.org>
List-Help: <mailto:gdb-patches-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: gdb-patches-owner@sourceware.org
Delivered-To: mailing list gdb-patches@sourceware.org
Received: (qmail 79675 invoked by uid 89); 9 Jan 2019 19:20:58 -0000
Authentication-Results: sourceware.org; auth=none
X-Spam-SWARE-Status: No, score=-26.9 required=5.0 tests=BAYES_00, GIT_PATCH_0,
	GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, RCVD_IN_DNSWL_NONE,
	SPF_HELO_PASS autolearn=ham version=3.3.2 spammy=dict,
	Hx-languages-length:2645
X-HELO: gateway23.websitewelcome.com
Received: from gateway23.websitewelcome.com (HELO
	gateway23.websitewelcome.com) (192.185.47.80) by
	sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP;
	Wed, 09 Jan 2019 19:20:56 +0000
Received: from cm17.websitewelcome.com (cm17.websitewelcome.com
	[100.42.49.20])	by gateway23.websitewelcome.com (Postfix)
	with ESMTP id 0D85258DDC	for <gdb-patches@sourceware.org>;
	Wed,  9 Jan 2019 13:20:55 -0600 (CST)
Received: from box5379.bluehost.com ([162.241.216.53])	by cmsmtp with
	SMTP	id hJPLgsQaE90onhJPLgMQTF; Wed, 09 Jan 2019 13:20:55 -0600
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tromey.com;
	s=default;
	h=Content-Type:MIME-Version:Message-ID:In-Reply-To:Date:
	References:Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding:
	Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
	Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
	List-Subscribe:List-Post:List-Owner:List-Archive;
	bh=xQYL8VOdCkEI2UAOVr6Xg3q+AmsFjMYSfzWJHmHDsjg=;
	b=OvRCxYa2Wm015ZWhuycGgE/llz
	odPkIPXhTCtpOsjyGKk2v45rcEZznjq99iCyxlCbZtx167FKskKz0OrHQW8lX14Xok3DQBVkJWxxE
	DaBMgTjYYUGjQNYFwpz+7Ym18;
Received: from 75-166-72-210.hlrn.qwest.net ([75.166.72.210]:42396
	helo=murgatroyd)	by box5379.bluehost.com with esmtpsa
	(TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)	(Exim
	4.91)	(envelope-from <tom@tromey.com>)	id 1ghJPK-0040BS-Qd;
	Wed, 09 Jan 2019 13:20:54 -0600
From: Tom Tromey <tom@tromey.com>
To: Dominique Quatravaux <dominique@quatravaux.org>
Cc: Tom Tromey <tom@tromey.com>,  gdb-patches@sourceware.org
Subject: Re: Request Wiki access to document new "entitlement" code-signing
	step on Mojave
References: 
 <CA+tDuRzJWV3HaKtCONyWuFMmKa8wwzQLb7EyeA_4Zj20tXAmdA@mail.gmail.com>
	<8736qawmw8.fsf@tromey.com>
	<CA+tDuRyLkfcK8Fyu928GBa+J5TjT--CfToSu8b9Q2GYMp7x0Og@mail.gmail.com>
Date: Wed, 09 Jan 2019 12:20:53 -0700
In-Reply-To: 
 <CA+tDuRyLkfcK8Fyu928GBa+J5TjT--CfToSu8b9Q2GYMp7x0Og@mail.gmail.com>
	(Dominique
	Quatravaux's message of "Sun, 6 Jan 2019 22:49:56 +0100")
Message-ID: <87r2dlprhm.fsf@tromey.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1.90 (gnu/linux)
MIME-Version: 1.0

>>>>> "Dominique" == Dominique Quatravaux <dominique@quatravaux.org> writes:

Dominique>  [...] the --entitlements flag to codesign 

Tom>  Is this something that will work on earlier versions?

Dominique> That is a great question! I am unfortunately not in a
Dominique> position to answer it, since I am not in command of a fleet
Dominique> of idle Macs to juggle older versions of OS X for tests.

Dominique> If you (or anyone on the list) can report success with the
Dominique> --entitlement flag on any version of OS X prior to Mojave,
Dominique> I'll update the wiki and (as day job permits) consider a
Dominique> patch to configure --enable-codesign .

Can you try this patch?

I tried it on High Sierra and it worked fine there.

Also I think the wiki has an extra trailing "</pre>" in the xml file.

thanks,
Tom

commit 54e3bf53ab7400942d872b156dad650dfa55c6e6
Author: Tom Tromey <tom@tromey.com>
Date:   Wed Jan 9 12:16:17 2019 -0700

    Use --entitlements when code-signing gdb
    
    Dominique Quatravaux pointed out that macOS Mojave requires the
    --entitlements option to codesign.  This patch automates this process.
    I tested it on High Sierra (I don't have Mojave), where it also works
    fine.

diff --git a/gdb/ChangeLog b/gdb/ChangeLog
index c89c86be4e7..17a8947a706 100644
--- a/gdb/ChangeLog
+++ b/gdb/ChangeLog
@@ -1,3 +1,9 @@
+2019-01-09  Tom Tromey  <tom@tromey.com>
+
+	* Makefile.in (gdb$(EXEEXT)): Use --entitlements when
+	code-signing.
+	* gdb-entitlement.xml: New file.
+
 2019-01-09  Andrew Burgess  <andrew.burgess@embecosm.com>
 
 	* cli/cli-cmds.c (list_command): Pass a source_lines_range to
diff --git a/gdb/Makefile.in b/gdb/Makefile.in
index 215ef7933cb..a4a82b4e3ef 100644
--- a/gdb/Makefile.in
+++ b/gdb/Makefile.in
@@ -1891,7 +1891,8 @@ gdb$(EXEEXT): gdb.o $(LIBGDB_OBS) $(CDEPS) $(TDEPLIBS)
 		-o gdb$(EXEEXT) gdb.o $(LIBGDB_OBS) \
 		$(TDEPLIBS) $(TUI_LIBRARY) $(CLIBS) $(LOADLIBES)
 ifneq ($(CODESIGN_CERT),)
-	$(ECHO_SIGN) $(CODESIGN) -s $(CODESIGN_CERT) gdb$(EXEEXT)
+	$(ECHO_SIGN) $(CODESIGN) --entitlements $(srcdir)/gdb-entitlement.xml \
+		-s $(CODESIGN_CERT) gdb$(EXEEXT)
 endif
 
 # Convenience rule to handle recursion.
diff --git a/gdb/gdb-entitlement.xml b/gdb/gdb-entitlement.xml
new file mode 100644
index 00000000000..3d60e8bd0b9
--- /dev/null
+++ b/gdb/gdb-entitlement.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.debugger</key>
+    <true/>
+</dict>
+</plist>