Creating a Certificate with Keychain Access

In order to use gdb to start and control a process, it is necessary to create a code-signing certificate and then use the codesign tool to tell OS X you trust gdb. Following that it is necessary to restart the taskgated process. It should be possible for someone to improve the installation script to create the certificate, but so far I have failed to make the various openssl commands work properly.

I Hope You Never Use This

Ebe now uses lldb, which comes ready to use with the Xcode command line tools, and the universal install script takes care of everything. If you do need to generate a certificate and codesign gdb or some other program: while searching for a solution I eventually wrote a shell script to do this (which I no longer need).

Script to Generate a Certificate and Codesign gdb.

#!/bin/sh
# Usage: sh make_gdb_cert.sh /usr/local/bin/gdb   (brew)
#        sh make_gdb_cert.sh /opt/local/bin/ggdb  (MacPorts)

make_gdb_cert()
{
    # OpenSSL request configuration: a self-signed certificate named gdb-cert
    # whose extensions allow only digital signatures for code signing.
    printf '%s\n' \
        '[ req ]' \
        'default_bits            = 2048              # RSA key size' \
        'encrypt_key             = no                # Leave the private key unencrypted' \
        'default_md              = sha512            # Digest to use' \
        'prompt                  = no                # Take the DN from this file' \
        'distinguished_name      = codesign_dn       # DN template' \
        '' \
        '[ codesign_dn ]' \
        'commonName              = "gdb-cert"' \
        '' \
        '[ codesign_reqext ]' \
        'keyUsage                = critical,digitalSignature' \
        'extendedKeyUsage        = critical,codeSigning' > template

    # Entitlements plist: the debugger entitlement gdb needs to attach to processes.
    printf '%s\n' \
        '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0">' \
        '<dict>' \
        '    <key>com.apple.security.cs.debugger</key>' \
        '    <true/>' \
        '</dict>' \
        '</plist>' > gdb-entitlement.xml

    echo Generating gdb-cert.cer
    openssl req -new -newkey rsa:2048 -x509 -days 3650 -nodes -config template \
                -extensions codesign_reqext -batch -out gdb-cert.cer -keyout gdb-cert.key

    echo Deleting any existing gdb-cert as root
    sudo security delete-certificate -c gdb-cert /Library/Keychains/System.keychain 2>/dev/null

    echo Installing gdb-cert.cer as root
    sudo security add-trusted-cert -d -r trustRoot -k \
                  /Library/Keychains/System.keychain gdb-cert.cer
    sudo security import gdb-cert.key -A -k /Library/Keychains/System.keychain

    echo Killing taskgated
    sudo pkill -f /usr/libexec/taskgated

    echo Signing gdb executable
    codesign --entitlements gdb-entitlement.xml -fs gdb-cert "$1"

    echo Removing generated files
    rm template gdb-cert.cer gdb-cert.key
}

# The argument is the gdb binary to sign, not the directory containing it.
make_gdb_cert "${1:-/usr/local/bin/gdb}"

Just in Case

The simplest way to codesign gdb on OS X (other than the script) is to use the following commands (adapted from http://wiki.freepascal.org):

Starting Keychain Access

Use the Spotlight Search tool (magnifying glass icon in the upper right of your screen) and type "key" into the search box. You should see Keychain Access highlighted in blue below the search box as in the image below.


Keychain Access

Below you can see the window for Keychain Access.


Starting the Certificate Creation

Now you need to click on the "Keychain Access" menu item at the top of the screen, then select "Certificate Assistant" and then "Create a Certificate". This will cause a series of forms to pop up.


Naming the Certificate

Below you see the first of the series of popup forms. Here you need to name the certificate "gdb-cert" to match the ebe install script. You also need to change the certificate type to "Code Signing". Lastly you need to select "Let me override defaults". In truth the only default to override is the duration for the certificate, which is 365 days. I would not wish to repeat this every year.


Warning about Self-Signing

Keychain Access will popup a warning that you are about to create a self-signed certificate. Just click on "Continue".


Setting Validity Period

The next popup allows you to change the length of time the certificate will be valid. I added a 0 to select 10 years.


Certificate Information

Setting the country code is sufficient. Just click on "Continue".


Keypair Information

2048-bit RSA seems sufficient for a key pair used on only one computer. Just click on "Continue".


Key Usage Extension

I haven't studied what this means. Just click on "Continue".


Extended Key Usage Extension

I haven't studied what this means though "Code Signing" should be selected. Just click on "Continue".


Basic Constraints Extension

I haven't studied what this means. Just click on "Continue".


Subject Alternate Name Extension

I haven't studied what this means. Just click on "Continue".


Location for Certificate

It looks like you have a choice, but the system keychain always ends with an error. The default is "login" which will work. Just click on "Continue".


Conclusion of Certificate Creation

The certificate is created. Just click on "Done".


Changing Certificate Trust 1

You need to right-click on the gdb-cert certificate, then click on "Get Info". This will bring up information about it and will let you change some things.


Changing Certificate Trust 2

Initially the trust options are hidden. Click on the triangle to the left of "Trust" to expand the trust options. Then you can change them all to "Always Trust" by clicking on the spinner for the "When using this certificate" option.


Changing Certificate Trust 3

Here we can see the result of changing the trust options. Next you need to close this form by clicking on the red circle in the upper left. This will popup a form for confirmation.


Changing Certificate Trust 4

In the confirmation form you must enter your password and click on "Update Settings" before the trust options are actually changed.


Moving the Certificate to the System Chain

I couldn't manage to capture an image of this action, so you will have to use your imagination. All you need to do is drag the gdb-cert item from the main pane of the Keychain Access window to the "System" chain in the left pane which is highlighted with a blue background below. Use a left-click and hold until the "gdb-cert" item is over the "System" keychain. Then it will popup a confirmation form. Enter your password and click on "Modify Keychain".


System Keychain

Next we see the System keychain is selected in the left pane and the gdb-cert certificate is in the System keychain.


Changing Certificate Trust 5

Now with the System keychain selected in the left pane, right-click on the gdb-cert certificate and select "Get Info"; you will see the certificate information. After clicking on the triangle to the left of "Trust" you will see the trust options. Then you need to select "Always Trust" for "When using this certificate". You need to close the info window by clicking on the red circle in the upper left of the info window to force the changes to be made.


Changing Certificate Trust 6

Closing the info window will cause Keychain Access to popup a confirmation window. Enter your password and click "Update Settings".


Code Signing

If you run the ebe installation script without creating gdb-cert first, it will need to be done later and you will also need to do a couple more commands.

If you used brew:

codesign -s gdb-cert /usr/local/bin/gdb

If you used MacPorts:

codesign -s gdb-cert /opt/local/bin/ggdb

Restarting taskgated

Then you need to restart the taskgated process. Note that codesigning and restarting taskgated are both done by the ebe install script. Just in case:

sudo killall -9 taskgated
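The following is an added example and not part of ebe or the script above. It covers two steps the page performs without checking: the openssl certificate generation from the script, and the signing in the "Code Signing" section. Before a self-signed certificate is trusted in the System keychain, verify_codesign_cert confirms it is self-signed, unexpired, and restricted to Digital Signature / Code Signing, and it rejects a certificate generated without those extensions. check_signed_gdb is the macOS-only follow-up that confirms the signed binary actually carries the debugger entitlement before taskgated is restarted. The function names, the NAME argument and the temporary file layout are constructed for this example; only openssl is required for the portable part.

```shell
#!/bin/sh
# Added example (not the ebe project's code). POSIX sh; needs openssl.

# write_codesign_config FILE NAME: OpenSSL request config whose certificate
# extension section allows only digital signatures for code signing.
write_codesign_config() {
    cat > "$1" <<EOF
[ req ]
default_bits       = 2048
encrypt_key        = no
default_md         = sha512
prompt             = no
distinguished_name = codesign_dn

[ codesign_dn ]
commonName         = $2

[ codesign_reqext ]
keyUsage           = critical,digitalSignature
extendedKeyUsage   = critical,codeSigning
EOF
}

# gen_codesign_cert DIR NAME [EXTSECTION]: write DIR/NAME.cer and DIR/NAME.key.
# EXTSECTION defaults to codesign_reqext; pass "" to omit the extensions
# (yielding a certificate verify_codesign_cert must reject).
gen_codesign_cert() {
    write_codesign_config "$1/template" "$2"
    ext=${3-codesign_reqext}
    if [ -n "$ext" ]; then extargs="-extensions $ext"; else extargs=""; fi
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$1/template" $extargs \
        -out "$1/$2.cer" -keyout "$1/$2.key" 2>/dev/null
}

# verify_codesign_cert CERT NAME: 0 only if CERT is a currently valid,
# self-signed certificate for NAME whose Key Usage includes Digital Signature
# and whose Extended Key Usage includes Code Signing. Prints why it failed.
verify_codesign_cert() {
    cert=$1 name=$2
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) ||
        { echo "$cert: not a readable certificate"; return 1; }
    subject=$(openssl x509 -in "$cert" -noout -subject)
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    case "$subject" in
        *"CN=$name"*|*"CN = $name"*) ;;   # both old and new openssl DN spellings
        *) echo "$cert: subject is not $name"; return 1 ;;
    esac
    [ "${subject#subject=}" = "${issuer#issuer=}" ] ||
        { echo "$cert: issuer differs from subject (not self-signed)"; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "$cert: expired"; return 1; }
    # The value of each extension is printed on the line after its name.
    printf '%s\n' "$text" | awk '/X509v3 Key Usage/ { getline; if ($0 ~ /Digital Signature/) ok = 1 }
                                 END { exit ok ? 0 : 1 }' ||
        { echo "$cert: Key Usage lacks Digital Signature"; return 1; }
    printf '%s\n' "$text" | awk '/X509v3 Extended Key Usage/ { getline; if ($0 ~ /Code Signing/) ok = 1 }
                                 END { exit ok ? 0 : 1 }' ||
        { echo "$cert: Extended Key Usage lacks Code Signing"; return 1; }
    return 0
}

# check_signed_gdb GDB NAME (macOS only): 0 if GDB has a signature that
# verifies, was signed by certificate NAME, and carries the debugger
# entitlement. Returns 2 where codesign is not available.
check_signed_gdb() {
    command -v codesign >/dev/null || { echo "codesign not available"; return 2; }
    codesign --verify --verbose "$1" 2>/dev/null ||
        { echo "$1: signature does not verify"; return 1; }
    codesign -dvv "$1" 2>&1 | grep -q "^Authority=$2" ||
        { echo "$1: not signed by $2"; return 1; }
    codesign -d --entitlements - "$1" 2>/dev/null | grep -q com.apple.security.cs.debugger ||
        { echo "$1: com.apple.security.cs.debugger entitlement missing"; return 1; }
}

# Stand-alone run: generate a certificate in a temporary directory, verify it,
# and clean up. On macOS, sign gdb with the script above first and then run
# check_signed_gdb /usr/local/bin/gdb gdb-cert before restarting taskgated.
tmp=$(mktemp -d)
gen_codesign_cert "$tmp" gdb-cert && verify_codesign_cert "$tmp/gdb-cert.cer" gdb-cert &&
    echo "$tmp/gdb-cert.cer: ok"
rm -rf "$tmp"
```

The two awk checks look one line past the extension name because that is where openssl prints the extension's value; verifying against openssl's text output rather than an assumed file layout is what lets the same function reject a certificate that merely has the right name.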