Skip to content

Instantly share code, notes, and snippets.

@talaviram
Last active November 19, 2024 09:14
Show Gist options
  • Save talaviram/1f21e141a137744c89e81b58f73e23c3 to your computer and use it in GitHub Desktop.
Save talaviram/1f21e141a137744c89e81b58f73e23c3 to your computer and use it in GitHub Desktop.
Simple Utility Script for allowing debug of hardened macOS apps.
#! /bin/bash
# Simple Utility Script for allowing debug of hardened macOS apps.
# This is useful mostly for plug-in developer that would like keep developing without turning SIP off.
# Credit for idea goes to (McMartin): https://forum.juce.com/t/apple-gatekeeper-notarised-distributables/29952/57?u=ttg
# Update 2022-03-10: Based on Fabian's feedback, add capability to inject DYLD for sanitizers.
#
# Please note:
# - Modern Logic (on M1s) uses `AUHostingService` which resides within the system thus not patchable and REQUIRES to turn-off SIP.
# - Some hosts uses separate plug-in scanning or sandboxing.
# if that's the case, it's required to patch those (if needed) and attach debugger to them instead.
#
# If you see `operation not permitted`, make sure the calling process has Full Disk Access.
# For example Terminal.app is showing and has Full Disk Access under System Preferences -> Privacy & Security
#
app_path=$1
if [ -z "$app_path" ];
then
echo "You need to specify app to re-codesign!"
exit 0
fi
# This uses local codesign. so it'll be valid ONLY on the machine you've re-signed with.
entitlements_plist=/tmp/debug_entitlements.plist
echo "Grabbing entitlements from app..."
codesign -d --entitlements - "$app_path" --xml >> $entitlements_plist || { exit 1; }
echo "Patch entitlements (if missing)..."
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.disable-library-validation bool true" $entitlements_plist
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-unsigned-executable-memory bool true" $entitlements_plist
/usr/libexec/PlistBuddy -c "Add :com.apple.security.get-task-allow bool true" $entitlements_plist
# allow custom dyld for sanitizers...
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-dyld-environment-variables bool true" $entitlements_plist
echo "Re-applying entitlements (if missing)..."
codesign --force --options runtime --sign - --entitlements $entitlements_plist "$app_path" || { echo "codesign failed!"; }
echo "Removing temporary plist..."
rm $entitlements_plist
@hogliux
Copy link

hogliux commented Mar 10, 2022

Semantics, I guess it's not only AUs but any dylib (VST/VST3 included) :) but it's indeed useful.

Yes you are totally right. I've updated my comment just now.

@hogliux
Copy link

hogliux commented Mar 10, 2022

@talaviram The update to your script is incorrect. It's missing the bool true at the end of the PListBuddy command.

@talaviram
Copy link
Author

ahh. sorry for that. fixed.

@mpielikis
Copy link

Thanks for creating this tool! Unfortunately it doesn't work for me. I have MacBook with M1, I've tried running the script on Sudio One 4 and disabling the SIP in order to Debug VST3 audio plugin. I see that entitlements are added, but it has no effect. Only when I build the Release version of audioplugin the Studio One sees it.

@talaviram
Copy link
Author

@mpielikis - I suspect your issue isn't related to script. Maybe release builds universal but debug only arm64? S1 v4 was never released as Apple silicon.
Also the script allow debug but isn't related to host scanning.

@BenLeadbetter
Copy link

BenLeadbetter commented Oct 28, 2022

Thanks! This worked nicely for me with the Steinberg VST3PluginTestHost, using my arm64 MacBook Pro on Monterey👌🏻

@phraemer
Copy link

Does anyone know if this works for auval?

I copied auval to a user dir and applied the script to it but running it just reports instantly it has been killed.

@talaviram
Copy link
Author

Does anyone know if this works for auval?

Sadly, auval archs are x86_64 and arm64e. The e in the arm64e is the tricky part... it means there is pointer authentication so re-applying codesign won't work.
So you can use auval but only under Rosetta. (or.. disable SIP sigh)

@phraemer
Copy link

Oof.... !
Thanks for the info.

Apple really don't want us to develop solid plugins do they?!

@audiority
Copy link

Signing fails on Ventura. /Applications/Ableton Live 11 Suite.app: resource fork, Finder information, or similar detritus not allowed codesign failed!

@talaviram
Copy link
Author

Signing fails on Ventura. /Applications/Ableton Live 11 Suite.app: resource fork, Finder information, or similar detritus not allowed codesign failed!

Please see:
https://gist.github.com/talaviram/1f21e141a137744c89e81b58f73e23c3?permalink_comment_id=3222379#gistcomment-3222379
TL;DR - xattr -rc

@audiority
Copy link

totally missed that. It worked. Thanks!

@PWhiddy
Copy link

PWhiddy commented Jan 24, 2024

Worked beautifully for me on an M1 mac. Thanks!

@faqteur
Copy link

faqteur commented Mar 11, 2024

It doesn't seem to work anymore with Ableton Live 12 (release version) :'(

@talaviram
Copy link
Author

It doesn't seem to work anymore with Ableton Live 12 (release version) :'(

It'll be helpful to have more details.
Anyway, I don't have Live 12 but the trial version allows re-signing just fine...

Grabbing entitlements from app...
Executable=/Users/talaviram/Downloads/Ableton Live 12 Trial.app/Contents/MacOS/Live
Patch entitlements (if missing)...
Add: ":com.apple.security.cs.disable-library-validation" Entry Already Exists
Add: ":com.apple.security.cs.allow-unsigned-executable-memory" Entry Already Exists
Re-applying entitlements (if missing)...
/Users/talaviram/Downloads/Ableton Live 12 Trial.app: replacing existing signature
Removing temporary plist...

@faqteur
Copy link

faqteur commented Mar 11, 2024

Ah sorry, I forgot.
sudo xattr -rc Ableton\ Live\ 12\ Suite.app did the trick :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment