Skip to content

Instantly share code, notes, and snippets.

@talaviram
Last active April 8, 2024 21:42
Show Gist options
  • Save talaviram/1f21e141a137744c89e81b58f73e23c3 to your computer and use it in GitHub Desktop.
Save talaviram/1f21e141a137744c89e81b58f73e23c3 to your computer and use it in GitHub Desktop.
Simple Utility Script for allowing debug of hardened macOS apps.
#! /bin/bash
# Simple Utility Script for allowing debug of hardened macOS apps.
# This is useful mostly for plug-in developer that would like keep developing without turning SIP off.
# Credit for idea goes to (McMartin): https://forum.juce.com/t/apple-gatekeeper-notarised-distributables/29952/57?u=ttg
# Update 2022-03-10: Based on Fabian's feedback, add capability to inject DYLD for sanitizers.
#
# Please note:
# - Modern Logic (on M1s) uses `AUHostingService` which resides within the system thus not patchable and REQUIRES to turn-off SIP.
# - Some hosts uses separate plug-in scanning or sandboxing.
# if that's the case, it's required to patch those (if needed) and attach debugger to them instead.
#
# If you see `operation not permitted`, make sure the calling process has Full Disk Access.
# For example Terminal.app is showing and has Full Disk Access under System Preferences -> Privacy & Security
#
app_path=$1
if [ -z "$app_path" ];
then
echo "You need to specify app to re-codesign!"
exit 0
fi
# This uses local codesign. so it'll be valid ONLY on the machine you've re-signed with.
entitlements_plist=/tmp/debug_entitlements.plist
echo "Grabbing entitlements from app..."
codesign -d --entitlements - "$app_path" --xml >> $entitlements_plist || { exit 1; }
echo "Patch entitlements (if missing)..."
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.disable-library-validation bool true" $entitlements_plist
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-unsigned-executable-memory bool true" $entitlements_plist
/usr/libexec/PlistBuddy -c "Add :com.apple.security.get-task-allow bool true" $entitlements_plist
# allow custom dyld for sanitizers...
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-dyld-environment-variables bool true" $entitlements_plist
echo "Re-applying entitlements (if missing)..."
codesign --force --options runtime --sign - --entitlements $entitlements_plist "$app_path" || { echo "codesign failed!"; }
echo "Removing temporary plist..."
rm $entitlements_plist
@blues3
Copy link

blues3 commented May 17, 2020 via email

@prefergui
Copy link

Thanks.
For further improvement, if original app does not have entitlement,
a file $entitlements_plist is empty.
In this case, template need to be written.

codesign -d --entitlements :- "$app_path" >> $entitlements_plist || { exit 1; }

if ! test -s $entitlements_plist ; then
cat > $entitlements_plist << EOT
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
</dict>
</plist>
EOT
fi

@talaviram
Copy link
Author

thanks @prefergui but would be nice to understand why you need this scenario.
As far as I know, there's no hardened and notarized app without entitlements.
So if it doesn't exists then why would you want to add it?

@prefergui
Copy link

Quartz Composer v4.6.2

@laurentNoudohounsi
Copy link

Thank you very much for sharing!
However, is it me or the dev_id doesn't seem to be used in this script?

@talaviram
Copy link
Author

However, is it me or the dev_id doesn't seem to be used in this script?

Thanks. I've removed this unused dev_id and add a comment related to current signing.

@laurentNoudohounsi
Copy link

You're welcome!
Also, is it the only step to do? It doesn't seem to work on my side 🤔

@meverett
Copy link

meverett commented Jun 13, 2021

First of all, thanks for making this. However, it fails for me with the following error when trying to resign Ableton Live 11 on macOS 10.15.7:

Re-applying entitlements (if missing)...
/Applications/Ableton Live 11 Suite.app: replacing existing signature
/Applications/Ableton Live 11 Suite.app: resource fork, Finder information, or similar detritus not allowed
codesign failed!

Has anyone encountered this error before? Any insights?

UPDATE:
It turned out to be some extended attributes that needed to be removed first:

xattr -rc "/Applications/Ableton Live 11 Suite.app"

@bogre
Copy link

bogre commented Oct 7, 2021

Thanksssssssss!

@da-maestro
Copy link

Hi thanks for a great tool.
When I run it for Ableton Live 10 I get this error:
/Applications/Ableton Live 10 Suite.app: replacing existing signature /Applications/Ableton Live 10 Suite.app: invalid or unsupported format for signature In subcomponent: /Applications/Ableton Live 10 Suite.app/Contents/MacOS/Live.cstemp codesign failed! Removing temporary plist...

What do I do?

@adaskar
Copy link

adaskar commented Nov 26, 2021

Hi,
After applying this script one of the app installed on my system, it says application damaged, any idea what should i do now?

@talaviram
Copy link
Author

After applying this script one of the app installed on my system

What system app you've used it on??

It's intended for allowing debugging on DAWs. System shouldn't even be possible since Catalina iirc.

Some apps kept some additional system attributes by mistake (xattr -rc )

See this post as an example:
https://gist.github.com/talaviram/1f21e141a137744c89e81b58f73e23c3#gistcomment-3778228

@adaskar
Copy link

adaskar commented Nov 29, 2021

After applying this script one of the app installed on my system

What system app you've used it on??

It's intended for allowing debugging on DAWs. System shouldn't even be possible since Catalina iirc.

Some apps kept some additional system attributes by mistake (xattr -rc )

See this post as an example: https://gist.github.com/talaviram/1f21e141a137744c89e81b58f73e23c3#gistcomment-3778228

it's not a systema app, it's an app downloaded from internet.
i have tried xattr -rc either, even if the code signing process not gives an error though. still getting application crashed.
i'm missing something but what?

@hogliux
Copy link

hogliux commented Mar 10, 2022

May I suggest also adding the com.apple.security.cs.allow-dyld-environment-variables entitlement. This way you can also debug plug-ins built with address sanitizer by adding

export DYLD_INSERT_LIBRARIES=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/13.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib

to your environment variables. Without this entitlement, any environment variables starting with DYLD_ are ignored.

@talaviram
Copy link
Author

Thanks @hogliux I've updated the script above.
Semantics, I guess it's not only AUs but any dylib (VST/VST3 included) :) but it's indeed useful.

@hogliux
Copy link

hogliux commented Mar 10, 2022

Semantics, I guess it's not only AUs but any dylib (VST/VST3 included) :) but it's indeed useful.

Yes you are totally right. I've updated my comment just now.

@hogliux
Copy link

hogliux commented Mar 10, 2022

@talaviram The update to your script is incorrect. It's missing the bool true at the end of the PListBuddy command.

@talaviram
Copy link
Author

ahh. sorry for that. fixed.

@mpielikis
Copy link

Thanks for creating this tool! Unfortunately it doesn't work for me. I have MacBook with M1, I've tried running the script on Sudio One 4 and disabling the SIP in order to Debug VST3 audio plugin. I see that entitlements are added, but it has no effect. Only when I build the Release version of audioplugin the Studio One sees it.

@talaviram
Copy link
Author

@mpielikis - I suspect your issue isn't related to script. Maybe release builds universal but debug only arm64? S1 v4 was never released as Apple silicon.
Also the script allow debug but isn't related to host scanning.

@BenLeadbetter
Copy link

BenLeadbetter commented Oct 28, 2022

Thanks! This worked nicely for me with the Steinberg VST3PluginTestHost, using my arm64 MacBook Pro on Monterey👌🏻

@phraemer
Copy link

Does anyone know if this works for auval?

I copied auval to a user dir and applied the script to it but running it just reports instantly it has been killed.

@talaviram
Copy link
Author

Does anyone know if this works for auval?

Sadly, auval archs are x86_64 and arm64e. The e in the arm64e is the tricky part... it means there is pointer authentication so re-applying codesign won't work.
So you can use auval but only under Rosetta. (or.. disable SIP sigh)

@phraemer
Copy link

Oof.... !
Thanks for the info.

Apple really don't want us to develop solid plugins do they?!

@audiority
Copy link

Signing fails on Ventura. /Applications/Ableton Live 11 Suite.app: resource fork, Finder information, or similar detritus not allowed codesign failed!

@talaviram
Copy link
Author

Signing fails on Ventura. /Applications/Ableton Live 11 Suite.app: resource fork, Finder information, or similar detritus not allowed codesign failed!

Please see:
https://gist.github.com/talaviram/1f21e141a137744c89e81b58f73e23c3?permalink_comment_id=3222379#gistcomment-3222379
TL;DR - xattr -rc

@audiority
Copy link

totally missed that. It worked. Thanks!

@PWhiddy
Copy link

PWhiddy commented Jan 24, 2024

Worked beautifully for me on an M1 mac. Thanks!

@faqteur
Copy link

faqteur commented Mar 11, 2024

It doesn't seem to work anymore with Ableton Live 12 (release version) :'(

@talaviram
Copy link
Author

It doesn't seem to work anymore with Ableton Live 12 (release version) :'(

It'll be helpful to have more details.
Anyway, I don't have Live 12 but the trial version allows re-signing just fine...

Grabbing entitlements from app...
Executable=/Users/talaviram/Downloads/Ableton Live 12 Trial.app/Contents/MacOS/Live
Patch entitlements (if missing)...
Add: ":com.apple.security.cs.disable-library-validation" Entry Already Exists
Add: ":com.apple.security.cs.allow-unsigned-executable-memory" Entry Already Exists
Re-applying entitlements (if missing)...
/Users/talaviram/Downloads/Ableton Live 12 Trial.app: replacing existing signature
Removing temporary plist...

@faqteur
Copy link

faqteur commented Mar 11, 2024

Ah sorry, I forgot.
sudo xattr -rc Ableton\ Live\ 12\ Suite.app did the trick :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment