-
-
Save talaviram/1f21e141a137744c89e81b58f73e23c3 to your computer and use it in GitHub Desktop.
#! /bin/bash | |
# Simple Utility Script for allowing debug of hardened macOS apps. | |
# This is useful mostly for plug-in developer that would like keep developing without turning SIP off. | |
# Credit for idea goes to (McMartin): https://forum.juce.com/t/apple-gatekeeper-notarised-distributables/29952/57?u=ttg | |
# Update 2022-03-10: Based on Fabian's feedback, add capability to inject DYLD for sanitizers. | |
# | |
# Please note: | |
# - Modern Logic (on M1s) uses `AUHostingService` which resides within the system thus not patchable and REQUIRES to turn-off SIP. | |
# - Some hosts uses separate plug-in scanning or sandboxing. | |
# if that's the case, it's required to patch those (if needed) and attach debugger to them instead. | |
# | |
# If you see `operation not permitted`, make sure the calling process has Full Disk Access. | |
# For example Terminal.app is showing and has Full Disk Access under System Preferences -> Privacy & Security | |
# | |
app_path=$1 | |
if [ -z "$app_path" ]; | |
then | |
echo "You need to specify app to re-codesign!" | |
exit 0 | |
fi | |
# This uses local codesign. so it'll be valid ONLY on the machine you've re-signed with. | |
entitlements_plist=/tmp/debug_entitlements.plist | |
echo "Grabbing entitlements from app..." | |
codesign -d --entitlements - "$app_path" --xml >> $entitlements_plist || { exit 1; } | |
echo "Patch entitlements (if missing)..." | |
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.disable-library-validation bool true" $entitlements_plist | |
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-unsigned-executable-memory bool true" $entitlements_plist | |
/usr/libexec/PlistBuddy -c "Add :com.apple.security.get-task-allow bool true" $entitlements_plist | |
# allow custom dyld for sanitizers... | |
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-dyld-environment-variables bool true" $entitlements_plist | |
echo "Re-applying entitlements (if missing)..." | |
codesign --force --options runtime --sign - --entitlements $entitlements_plist "$app_path" || { echo "codesign failed!"; } | |
echo "Removing temporary plist..." | |
rm $entitlements_plist |
Oof.... !
Thanks for the info.
Apple really don't want us to develop solid plugins do they?!
Signing fails on Ventura. /Applications/Ableton Live 11 Suite.app: resource fork, Finder information, or similar detritus not allowed codesign failed!
Signing fails on Ventura.
/Applications/Ableton Live 11 Suite.app: resource fork, Finder information, or similar detritus not allowed codesign failed!
Please see:
https://gist.github.com/talaviram/1f21e141a137744c89e81b58f73e23c3?permalink_comment_id=3222379#gistcomment-3222379
TL;DR - xattr -rc
totally missed that. It worked. Thanks!
Worked beautifully for me on an M1 mac. Thanks!
It doesn't seem to work anymore with Ableton Live 12 (release version) :'(
It doesn't seem to work anymore with Ableton Live 12 (release version) :'(
It'll be helpful to have more details.
Anyway, I don't have Live 12 but the trial version allows re-signing just fine...
Grabbing entitlements from app...
Executable=/Users/talaviram/Downloads/Ableton Live 12 Trial.app/Contents/MacOS/Live
Patch entitlements (if missing)...
Add: ":com.apple.security.cs.disable-library-validation" Entry Already Exists
Add: ":com.apple.security.cs.allow-unsigned-executable-memory" Entry Already Exists
Re-applying entitlements (if missing)...
/Users/talaviram/Downloads/Ableton Live 12 Trial.app: replacing existing signature
Removing temporary plist...
Ah sorry, I forgot.
sudo xattr -rc Ableton\ Live\ 12\ Suite.app
did the trick :)
Sadly, auval archs are x86_64 and arm64e. The
e
in the arm64e is the tricky part... it means there is pointer authentication so re-applying codesign won't work.So you can use auval but only under Rosetta. (or.. disable SIP sigh)