Re: code signing strategies
Re: code signing strategies
- Subject: Re: code signing strategies
- From: Kevin Van Vechten <email@hidden>
- Date: Tue, 30 Mar 2010 09:23:17 -0700
The behavior you describe is the result of changes in recent Mac OS X releases to restrict the use of task_for_pid and related functions that present significant security risks. The goal is to limit use of such functions to the system administrator, and the policy is enforced by the taskgated process. Code signing is required in order to verify that the binary is not maliciously changed out from under any previous approval for use of these functions. Nothing about this policy is unique to gdb.
It's possible to generate "ad hoc" code signatures on binaries which generate all the usual checksums for the purposes of integrity checks but do not chain to a trusted authority. It's worth giving the following a try to see if it satisfies the basic requirements of taskgated (I haven't tried it myself):
$ sudo codesign -s - /path/to/gdb
Kevin
On Mar 30, 2010, at 7:18 AM, Jack Howarth wrote:
> I am trying to prepare fink packaging of the
> new FSF gdb 7.1 release on i386 and x86_64 fink.
> Unfortunately Apple's changes in 10.5.8 or later
> require that gdb binary be code signed (or run as root)
> in order to access the required Mach port for
> debugging code.
> Are their any code signing gurus here who
> could suggest the best approach to cope with this
> problem? I am hoping to implement something along
> these lines but am unsure if it is feasible.
>
> 1) Provide an openssl certificate bundled with the
> fsf-gdb fink package.
> 2) Provide a shell script which when run, guides
> the user through the steps of loading the provided
> certificate manually in the KeyChain application and then
> code signs the fsf-gdb binary from within the shell
> script using command line tools. My understanding is
> that only the creation and/or loading of the openssl
> certificates no longer have CLI tool access.
> 3) Have a postinstall script in the fsf-gdb that
> would check if the certificate exists in the Keychain
> when the fsf-gdb package is installed, reinstalled
> or upgraded and launch the shell script described in
> step 2 if not present. Otherwise it would just
> code sign the newly installed fsf gdb binary again.
>
> Thanks in advance for any advice on these issues.
> Needless to say, the FSF gdb developers were a
> tad miffed that this restriction popped up after
> all the effort to support intel darwin in the official
> FSF gdb releases.
> Jack
> ps It will be essential to have access to a working
> FSF gdb 7.1 debugger for users who want to use the
> upcoming FSF gcc 4.5 compiler release. There are
> changes in debug code generation which are incompatible
> with the older gdb releases.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden