"please check gdb is codesigned - see taskgated(8)" - How to get gdb installed with homebrew code signed?

Question

This error occurs because OSX implements a pid access policy which requires a digital signature for binaries to access other processes pids. To enable gdb access to other processes, we must first code sign the binary. This signature depends on a particular certificate, which the user must create and register with the system.

To create a code signing certificate, open the Keychain Access application. Choose menu Keychain Access -> Certificate Assistant -> Create a Certificate…

Choose a name for the certificate (e.g., gdb-cert), set Identity Type to Self Signed Root, set Certificate Type to Code Signing and select the Let me override defaults. Click several times on Continue until you get to the Specify a Location For The Certificate screen, then set Keychain to System.

Double click on the certificate, open Trust section, and set Code Signing to Always Trust. Exit Keychain Access application.

Restart the taskgated service, and sign the binary.

$ sudo killall taskgated
$ codesign -fs gdb-cert "$(which gdb)"

source http://andresabino.com/2015/04/14/codesign-gdb-on-mac-os-x-yosemite-10-10-2/

On macOS 10.12 (Sierra) and later, you must also

Use gdb 7.12.1 or later Additionally prevent gdb from using a shell to start the program to be debugged. You can use the following command for this inside gdb:

set startup-with-shell off

You can also put this last command in a file called .gdbinit in your home directory, in which case it will be applied automatically every time you start gdb

echo "set startup-with-shell off" >> ~/.gdbinit

SOURCE: https://sourceware.org/gdb/wiki/BuildingOnDarwin

I upgraded to gdb 8.3 and was not able to make things working. This helped me:

codesign --entitlements gdb.xml -fs gdb-cert /usr/local/bin/gdb

Where content of gdb.xml is:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.cs.debugger</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>

I found this solution here: https://timnash.co.uk/getting-gdb-to-semi-reliably-work-on-mojave-macos/

Note: Without the entitlement I was able to run gdb only with sudo.

I made gdb work on OSX 10.9 without codesigning this way (described here):

1. Install gdb with macports. (may be you can skip it)

2. sudo nano /System/Library/LaunchDaemons/com.apple.taskgated.plist

   change option string from -s to -sp at line 22, col 27.

3. Reboot the computer.

4. Use gdb. If you installed it with mac ports then you must use ggdb command. Or made an alias in your config file:

alias gdb='ggdb'

and use 'gdb' command then.

I experienced the same issue with GDB. I am running under Mac OS X 10.8.5 aka Mountain Lion. I am using GDB version 7.7.1.

I compiled my test program with following command:

g++ -o gdb-sample.out -g gdb-sample.cpp    

If I entered the command gdb sample.out, I get the same cryptic error message:

"Unable to find Mach task port for process-id 46234: (os/kern) failure (0x5). (please check gdb is codesigned - see taskgated(8))"

This error message however is a red herring.

The solution I found that worked for me was to simply invoke GDB using the superuser acct:

sudo gdb sample.out. 

That works fine for me.

And that from that point I could run GDB example.out without using sudo.

Hope this helps and works for others. RSVP if it doesn't.

None of this worked for me and I had to go with a long run. Here is a full list of steps I've done to get it working.

1. Create a certificate to sign the gdb.

Unfortunately, system certificate gave me Unknown Error = -2,147,414,007 which is very helpful, so I had to go with a workaround. KeyChain Assistant -> Create certificate ->

Pick login, gdb-cert, Code Signing

Copy/move certificate to the System keychain (enter password)

2. Select certificate (gdb-cert) click Get info -> Trust Always
3. Disable startup-with-shell

Enter in console: set startup-with-shell off

Remember configuration: echo "set startup-with-shell off" >> ~/. gdbinit

4. Enable Root User

Go to System Preferences -> Users & Groups -> Unlock it -> Login Options -> Network Account Server -> Join -> Unlock it -> Edit (menu) -> Enable Root User

5. sudo killall taskgated
6. Finally sign gdb

codesign -fs gdb-cert "$(which gdb)"

7. Disable Root User (Step 4)
8. Reboot if still does not work. (if nothing else works, most likely it works already)

PS. I ended up using lldb because it just works (tutorial)

For anyone who using Sierra 10.12.6 (and above) and Homebrew, /usr/local/bin/gdb is a symbolic link to /usr/local/Cellar/gdb/8.0/bin/gdb (or whatever version, e.g. 8.0.1).

You need to codesign both link and target:

codesign -fs gdb-cert /usr/local/bin/gdb
codesign -fs gdb-cert "/usr/local/Cellar/gdb/8.0/bin/gdb"

Or, if you have greadlink (installed via brew install coreutils):

codesign -fs gdb-cert $(which gdb)
codesign -fs gdb-cert $(greadlink -f $(which gdb))

This may not be related. You can use lldb on macos instead of gdb. You don't need this hassle to install gdb.

lldb(http://lldb.llvm.org) is already installed by default in High Sierra