Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Codesign gdb on macOS

If you are getting this in gdb on macOS while trying to run a program:

Unable to find Mach task port for process-id 57573: (os/kern) failure (0x5).
 (please check gdb is codesigned - see taskgated(8))
  1. Open Keychain Access
  2. In menu, open Keychain Access > Certificate Assistant > Create a certificate
  3. Give it a name (e.g. gdbc)
  • Identity type: Self Signed Root
  • Certificate type: Code Signing
  • Check: let me override defaults
  1. Continue until "specify a location for..."
  2. Set Keychain location to System
  3. Create certificate and close Certificate Assistant.
  4. Find certificate in System keychain.
  5. Double click certificate
  6. Expand Trust, set Code signing to always trust
  7. Restart taskgated in terminal: killall taskgated
  8. Codesign gdb using your certificate: codesign -fs gdbc /usr/local/bin/gdb
  9. Shut down your mac and restart in recovery mode (hold down command-R until apple logo appears)
  10. Open terminal window
  11. Modify System Integrity Protection to allow debugging: csrutil enable --without debug
  12. Reboot your Mac. Debugging with gdb should now work as expected.
@floswald

This comment has been minimized.

Copy link

floswald commented Sep 14, 2017

thanks!
what about the warning that this setting is unsupported, likely going to change and leave the machine in an unknown state? just asking.

@lenaten

This comment has been minimized.

Copy link

lenaten commented Sep 27, 2017

thanks!!

@vinc30

This comment has been minimized.

Copy link

vinc30 commented Sep 27, 2017

Works on Sierra! Thanks.

@AlexVejo92

This comment has been minimized.

Copy link

AlexVejo92 commented Oct 9, 2017

unknown error = -2.147.414.007 when I create cert
someone knows why Im getting this error here?
captura de pantalla 2017-10-09 a las 10 08 19

@sepideha

This comment has been minimized.

Copy link

sepideha commented Oct 13, 2017

Many thanks. I followed all the steps successfully in Mac Sierra. But when I start to debug in eclipse(C++) it complains about "No source available for "main() at 0x1003f4bf4"
I also edited my project's Makefile such that: CXXFLAGS += -O0 -g

@dtamayo

This comment has been minimized.

Copy link

dtamayo commented Oct 19, 2017

I get the same error as AlexVejo92

@fer0n

This comment has been minimized.

Copy link

fer0n commented Oct 27, 2017

I also get "unknown error = -2.147.414.007"

@ghost

This comment has been minimized.

Copy link

ghost commented Oct 27, 2017

same error here...

@docdmartin

This comment has been minimized.

Copy link

docdmartin commented Nov 1, 2017

same error "unknown error = -2,147,414,007" when creating in System. I can create in Login and apply codesign command followed by csrutil command in restore mode, but doesn't remove the original error when gdb is loaded with executable and "run" ... "Unable to find Mach task port for process-id ..." Back to square one. Unfortunately, lldb is looking like a more suitable option on mac.

@bvoq

This comment has been minimized.

Copy link

bvoq commented Nov 3, 2017

For all people getting the unknown error, try instead to make the certificate for login user and then click on the certificate and press File > Export. Then delete the certificate from login.
After doing this you can go to the System tab on the left and click on the + and then import your certificate into Systems.

@dnadlinger

This comment has been minimized.

Copy link

dnadlinger commented Nov 5, 2017

I am on 10.12, and followed the above instructions except for creating the certificate in the login keychain first and only then moving it over to System due to encountering the "unknown error" issue.

However, I still get the "(os/kern) failure (0x5)" error when trying to use GDB from Homebrew. Any ideas on how to further debug the certificate verification?

@MarcVillain

This comment has been minimized.

Copy link

MarcVillain commented Nov 18, 2017

Works perfectly on High Sierra (10.13.1) ! I used @bvoq instructions to handle the "unknown error = -2.147.414.007". Thanks !

@soheilmn

This comment has been minimized.

Copy link

soheilmn commented Dec 22, 2017

Thank you very much for saving me! It perfectly works on High Sierra (10.13.1) with Eclipse Oxygen.2 Release (4.7.2). Also, I used @bvoq instructions to get rid of the "unknown error" message. Thanks, again!

@RameshSippy

This comment has been minimized.

Copy link

RameshSippy commented Jan 13, 2018

After running killall taskgated, I get the following message:

No matching processes belonging to you were found

Could you kindly let me know what the issue might be? Because of this, I keep getting the original error message (os/kern) failure (0x5) even after following all the steps.

@shaunhyp57

This comment has been minimized.

Copy link

shaunhyp57 commented Jan 17, 2018

I am also having the same issue as @RameshSippy

@ElisabeteCoelho

This comment has been minimized.

Copy link

ElisabeteCoelho commented Jan 22, 2018

@RameshSippy and @shaunhyp57
I got to disable taskgated by running ps aux | grep taskgated in the terminal to find the PID number of taskgated, and then killed it with sudo kill -9 <insert here your PID number>.

Additionally, at that point I noticed I had also a lot of copies of the same certificate, so I deleted them all, went through all the process again, and instead of csrutil enable --without debug I used csrutil disable (I realise this is more insecure, but I this point I really need to use gdb -- I can always enable it back later).

@reefloretto

This comment has been minimized.

Copy link

reefloretto commented Feb 3, 2018

I have the same question as @floswald -- shouldn't this be of concern?

@astergu

This comment has been minimized.

Copy link

astergu commented Feb 5, 2018

I followed the instructions, but still couldn't make it work on High Sierra. Any suggestions?

@ghost

This comment has been minimized.

Copy link

ghost commented Feb 8, 2018

same here (still does not work in high sierra)
During startup program terminated with signal SIGTRAP, Trace/breakpoint trap.
after b main and r

@timedumper

This comment has been minimized.

Copy link

timedumper commented Feb 9, 2018

No matter what I do - it doesn't work for me. MacOS 10.13.3. I completely disable SIP (csurtil disable). I also get During startup program terminated with signal SIGTRAP, Trace/breakpoint trap. error.

This shit makes me wanna switch back to Linux again...

@lokoum

This comment has been minimized.

Copy link

lokoum commented Feb 13, 2018

same as @timedumper. Any update on this ?
after the update (10.13.3) I am getting this:

During startup program terminated with signal SIGTRAP, Trace/breakpoint trap.

@marcoparente

This comment has been minimized.

Copy link

marcoparente commented Feb 14, 2018

use brew to install gdb 8.0.1
Version 8.1 is giving me the same error...

@lokoum

This comment has been minimized.

Copy link

lokoum commented Feb 14, 2018

OK I got it. Thank you @marcoparente !!
$brew uninstall --force gdb
$brew install https://raw.githubusercontent.com/Homebrew/homebrew-core/c3128a5c335bd2fa75ffba9d721e9910134e4644/Formula/gdb.rb
$gdb --version
This should show 8.0.1
$codesign -fs [cert-name] /usr/local/bin/gdb
and add
'set startup-with-shell off' in ~/.gdbinit

That's it !!!

@dvaldivia

This comment has been minimized.

Copy link

dvaldivia commented Feb 17, 2018

@lokoum did you disable csrutil?

@eagle8625

This comment has been minimized.

Copy link

eagle8625 commented Feb 24, 2018

@lokoum, I did completely same as your steps, but when debug, gdb just hung on...
(gdb) break 23 Breakpoint 1 at 0x100000f29: file tst.c, line 23. (gdb) run Starting program: /Users/.../Desktop/tst print i
maybe gdb didn't load .gdbinit. I killed all gdb processes and set startup-with-shell off on shell, now is OK!!!
Thanks a lot @lokoum.

@dvaldivia, I did disable csrutil:
`
➜ Desktop csrutil status
System Integrity Protection status: enabled (Custom Configuration).

Configuration:
Apple Internal: disabled
Kext Signing: enabled
Filesystem Protections: enabled
Debugging Restrictions: disabled
DTrace Restrictions: enabled
NVRAM Protections: enabled
BaseSystem Verification: enabled

`

@lokoum

This comment has been minimized.

Copy link

lokoum commented Feb 26, 2018

Yeah I disabled csrutil (not just the debug). I know that's more insecure but anyway I needed GDB ....
I tried lldb with Voltron (plugin) but not that smooth :/

@mattstersplat

This comment has been minimized.

Copy link

mattstersplat commented Feb 27, 2018

@lokoum Finally! I've been going insane over this. Reverting back to 8.0.1 fixed it for me. Thanks!

@btzo

This comment has been minimized.

Copy link

btzo commented Mar 1, 2018

I used csrutil enable --without debug to modify the SIP rather than completely disable it, but it doesn't work with gdb 8.1.

The only way I managed to make it work was by using gdb 8.0.1 as described by @lokoum and @marcoparente.

I'm in a MacOS Sierra (10.12.6).

@amelialdrew

This comment has been minimized.

Copy link

amelialdrew commented Mar 4, 2018

I have reverted to gdb 8.0.1 and still getting the same error, have followed all steps above. Can it be caused by anything else?

@sonvirgo

This comment has been minimized.

Copy link

sonvirgo commented Mar 11, 2018

great

@xdavidliu

This comment has been minimized.

Copy link

xdavidliu commented Mar 13, 2018

I didn't need to disable csrutil; am using 8.0.1 with latest High Sierra, and got it to work. Just had to create the certificate in Login, then drag the certificate as well as the two keys (the keys may not be necessary but I did it to be safe) into System. Exporting and Importing probably also works. Also had to right-click the certificate, go to info, and select Always Trust, or else the signing doesn't do anything.

I'm still getting a warning: unhandled dyld version (15) though, which is explained in another issue.

@rafaelcalero

This comment has been minimized.

Copy link

rafaelcalero commented Mar 16, 2018

@xdavidliu I have tried everything, and the most functional is version 8.0.1 as you say.

I get that warning, and breakpoints do not work for me, any known solution to fix breakpoints?

Edit: in some projects breakpoints work and in others these do not work, I don't know why.

Thanks

@mozosjean

This comment has been minimized.

Copy link

mozosjean commented Mar 18, 2018

Those who keep getting error while creating the certificate is because you certificate system is lock you have to unlock it first.

@IngInx747

This comment has been minimized.

Copy link

IngInx747 commented Mar 29, 2018

Thanks! After I executed > ps aux | grep taskgated and then > killed it with sudo kill -9 xxx just after step 11, gdb worked for me on Sierra 10.12.6, without restarting Mac. Seemed like taskgated was not shut properly by simply typing > killall taskgated.

@m1013923728

This comment has been minimized.

Copy link

m1013923728 commented Mar 30, 2018

@lokoum Thanks! You are right!

@IanS4t1qbit

This comment has been minimized.

Copy link

IanS4t1qbit commented Apr 5, 2018

For those getting unknown error = -2,147,414,007 when creating the cert. The System folder needs to be unlocked before starting the certificate creation process. That should be obvious from the precisely descriptive "unknown error = -2,147,414,007"

@inoperable

This comment has been minimized.

Copy link

inoperable commented Apr 8, 2018

It is totally obvious! I mean what else could -2,147,414,007 mean? It's not that it's just some ****** random number without any meaningful information, right? Btw, just wanted to be sure that I understood it the first time so I checked in here just in case

@steve-the-bayesian

This comment has been minimized.

Copy link

steve-the-bayesian commented Apr 20, 2018

@lokoum Your solution works for me. Thanks! I've been struggling with this since January.

@NBrouard

This comment has been minimized.

Copy link

NBrouard commented Apr 20, 2018

@lokum 14 Feb On High Sierra 10.13.4 (17E199) your solution works. My csrutil is debug disabled. I have difficulties to make it back to enable. In rescue mode (and Terminal) the command csrutil enable hanged! Halting and rebooting in rescue mode, terminal, no keyboard?. Rebooting in normal mode, everything works, including gdb but I can't certify that csrutil enable --without debug was useful.
I think that keeping the GPL license of a debugger is important.

@felixpie

This comment has been minimized.

Copy link

felixpie commented Apr 22, 2018

Thanks. Downgrading to 8.0.1 worked for me.

@paac80

This comment has been minimized.

Copy link

paac80 commented May 21, 2018

Hi,
I skipped the step 12 to 15 and it works for me.

Instead step 10 I did what @ElisabeteCoelho says:
find PID number -> $ps aux | grep taskgated
Kill the specific PID sudo kill -9
Then I follow step 11.

I think my problem was, because I could not successfully sign with codesign my certificate, after remove the taskgated I works fine.

I have mac OS High Sierra 10.13.4, Eclipse 4.7.3a
Now I can debug in Eclipse as usual in C language.
Thanks a lot

@ChrisCharrison

This comment has been minimized.

Copy link

ChrisCharrison commented May 24, 2018

I'm on 10.13.4. I have tried disabling csrutil completely and used both macports and brew to install GDB 8.0.1. I'm trying to debug on CLion; GDB starts but freezes right after it starts and eventually I get the message 'command timed out'.

@OUCHUNYU

This comment has been minimized.

Copy link

OUCHUNYU commented Jun 20, 2018

Same here

@lokoum

This comment has been minimized.

Copy link

lokoum commented Jun 21, 2018

@ChrisCharrison @OUCHUNYU

I am on 10.13.5 an can fully debug using GDB :

➜  /tmp gdb --version
GNU gdb (GDB) 8.0.1
[...]

Did you try to use GDB without CLion ? because I can read from intelliJ :

As for the debugger, CLion includes bundled GDB 8.1 for Linux and Windows (note, no GDB is bundled for Cygwin on Windows)
and GDB 8.0 for macOS, bundled LLDB 5.0 on macOS and Linux. 
Custom GDB 7.8.x-8.1.x can be selected in CLion settings as well.

(https://intellij-support.jetbrains.com/hc/en-us/articles/206556469-What-compiler-debugger-can-I-use-within-CLion-)

so are you certain that you are using the GDB you installed from brew ?

Did you try to re-install it following my steps ? (see my comment on top)

EDIT:

The GDB 8.2 branch has been created : https://www.gnu.org/software/gdb/news/
So may be we will be able to update our gdb, I will update this thread after some tests.

@kgbook

This comment has been minimized.

Copy link

kgbook commented Jul 26, 2018

degrade to gdb 8.0.1, it works for me.

@schemacs

This comment has been minimized.

Copy link

schemacs commented Apr 17, 2019

codesign -fs gdbc /usr/local/bin/gdb should be changed to codesign --entitlements gdb-entitlement.xml -fs gdb-cert /usr/local/bin/gdb on 10.14 according to Sign and entitle the gdb binary

gdb-entitlement.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>
</pre>
@Sergey1983

This comment has been minimized.

Copy link

Sergey1983 commented May 31, 2019

Mac OS Sierra 10.13.6
gdb 8.0.1

I discovered that I already had gdbcert1 in my System.
Followed everything from 7.
Works!

@V3rochka

This comment has been minimized.

Copy link

V3rochka commented Oct 19, 2019

Mac OS Mojave
gdb 8.3

Works after following @ElisabeteCoelho 's suggestion and add entitlements as @schemacs had described

(Skipped 12 - 15)
Thanks!

@DmytroStepanenko

This comment has been minimized.

Copy link

DmytroStepanenko commented Nov 16, 2019

Thanks!!!!

@sarnobat

This comment has been minimized.

Copy link

sarnobat commented Dec 19, 2019

codesign -fs gdbc /usr/local/bin/gdb should be changed to codesign --entitlements gdb-entitlement.xml -fs gdb-cert /usr/local/bin/gdb on 10.14 according to Sign and entitle the gdb binary

gdb-entitlement.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>
</pre>

This worked for me, after a lot of frustration with the more common answer. Thank you.

@tcwan

This comment has been minimized.

Copy link

tcwan commented Mar 18, 2020

codesign -fs gdbc /usr/local/bin/gdb should be changed to codesign --entitlements gdb-entitlement.xml -fs gdb-cert /usr/local/bin/gdb on 10.14 according to Sign and entitle the gdb binary
gdb-entitlement.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.debugger</key>
    <true/>
</dict>
</plist>
</pre>

This worked for me, after a lot of frustration with the more common answer. Thank you.

I found that I need to do the codesigning from the administrator account (my user account is not administrator). Otherwise I get a errSecInternalComponent error.

Relevant hint

@niepiekm

This comment has been minimized.

Copy link

niepiekm commented Apr 16, 2020

I just followed the steps to codesign gdb 9.1 but I had to make sure I called codesign with sudo. Similarly, I need to run sudo gdb to be able to debug an app.

@zhenni

This comment has been minimized.

Copy link

zhenni commented May 14, 2020

Cannot use gdb after all the steps... But I found lldb works fine now.
macOS Mojave 10.14.6
GDB 9.1

@hemulens

This comment has been minimized.

Copy link

hemulens commented May 16, 2020

Cannot use gdb after all the steps... But I found lldb works fine now.
macOS Mojave 10.14.6
GDB 9.1

@zhenni, same for me. I have been using these guidelines, but I don't know where to put the entitlement XML file. Do you know it by any chance?

@fantasyczl

This comment has been minimized.

Copy link

fantasyczl commented May 17, 2020

Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.