Skip to content

Instantly share code, notes, and snippets.

@talaviram
Last active September 11, 2023 09:56
  • Star 72 You must be signed in to star a gist
  • Fork 11 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
Simple Utility Script for allowing debug of hardened macOS apps.
#! /bin/bash
# Simple Utility Script for allowing debug of hardened macOS apps.
# This is useful mostly for plug-in developer that would like keep developing without turning SIP off.
# Credit for idea goes to (McMartin): https://forum.juce.com/t/apple-gatekeeper-notarised-distributables/29952/57?u=ttg
# Update 2022-03-10: Based on Fabian's feedback, add capability to inject DYLD for sanitizers.
#
# Please note:
# - Modern Logic (on M1s) uses `AUHostingService` which resides within the system thus not patchable and REQUIRES to turn-off SIP.
# - Some hosts uses separate plug-in scanning or sandboxing.
# if that's the case, it's required to patch those (if needed) and attach debugger to them instead.
#
# If you see `operation not permitted`, make sure the calling process has Full Disk Access.
# For example Terminal.app is showing and has Full Disk Access under System Preferences -> Privacy & Security
#
app_path=$1
if [ -z "$app_path" ];
then
echo "You need to specify app to re-codesign!"
exit 0
fi
# This uses local codesign. so it'll be valid ONLY on the machine you've re-signed with.
entitlements_plist=/tmp/debug_entitlements.plist
echo "Grabbing entitlements from app..."
codesign -d --entitlements - "$app_path" --xml >> $entitlements_plist || { exit 1; }
echo "Patch entitlements (if missing)..."
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.disable-library-validation bool true" $entitlements_plist
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-unsigned-executable-memory bool true" $entitlements_plist
/usr/libexec/PlistBuddy -c "Add :com.apple.security.get-task-allow bool true" $entitlements_plist
# allow custom dyld for sanitizers...
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-dyld-environment-variables bool true" $entitlements_plist
echo "Re-applying entitlements (if missing)..."
codesign --force --options runtime --sign - --entitlements $entitlements_plist "$app_path" || { echo "codesign failed!"; }
echo "Removing temporary plist..."
rm $entitlements_plist
@talaviram
Copy link
Author

Thanks @hogliux I've updated the script above.
Semantics, I guess it's not only AUs but any dylib (VST/VST3 included) :) but it's indeed useful.

@hogliux
Copy link

hogliux commented Mar 10, 2022

Semantics, I guess it's not only AUs but any dylib (VST/VST3 included) :) but it's indeed useful.

Yes you are totally right. I've updated my comment just now.

@hogliux
Copy link

hogliux commented Mar 10, 2022

@talaviram The update to your script is incorrect. It's missing the bool true at the end of the PListBuddy command.

@talaviram
Copy link
Author

ahh. sorry for that. fixed.

@mpielikis
Copy link

Thanks for creating this tool! Unfortunately it doesn't work for me. I have MacBook with M1, I've tried running the script on Sudio One 4 and disabling the SIP in order to Debug VST3 audio plugin. I see that entitlements are added, but it has no effect. Only when I build the Release version of audioplugin the Studio One sees it.

@talaviram
Copy link
Author

@mpielikis - I suspect your issue isn't related to script. Maybe release builds universal but debug only arm64? S1 v4 was never released as Apple silicon.
Also the script allow debug but isn't related to host scanning.

@BenLeadbetter
Copy link

BenLeadbetter commented Oct 28, 2022

Thanks! This worked nicely for me with the Steinberg VST3PluginTestHost, using my arm64 MacBook Pro on Monterey👌🏻

@phraemer
Copy link

Does anyone know if this works for auval?

I copied auval to a user dir and applied the script to it but running it just reports instantly it has been killed.

@talaviram
Copy link
Author

Does anyone know if this works for auval?

Sadly, auval archs are x86_64 and arm64e. The e in the arm64e is the tricky part... it means there is pointer authentication so re-applying codesign won't work.
So you can use auval but only under Rosetta. (or.. disable SIP sigh)

@phraemer
Copy link

Oof.... !
Thanks for the info.

Apple really don't want us to develop solid plugins do they?!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment