@talaviram
Last active November 28, 2024 17:06
Simple Utility Script for allowing debug of hardened macOS apps.
#! /bin/bash
# Simple Utility Script for allowing debug of hardened macOS apps.
# This is useful mostly for plug-in developers who would like to keep developing without turning SIP off.
# Credit for idea goes to (McMartin): https://forum.juce.com/t/apple-gatekeeper-notarised-distributables/29952/57?u=ttg
# Update 2022-03-10: Based on Fabian's feedback, add capability to inject DYLD for sanitizers.
#
# Please note:
# - Modern Logic (on M1s) uses `AUHostingService`, which resides within the system and is therefore not patchable; it REQUIRES turning SIP off.
# - Some hosts use separate plug-in scanning or sandboxing processes.
#   If that's the case, you need to patch those (if needed) and attach the debugger to them instead.
#
# If you see `operation not permitted`, make sure the calling process has Full Disk Access.
# For example, Terminal.app is listed and has Full Disk Access under System Preferences -> Privacy & Security.
#
app_path=$1
if [ -z "$app_path" ]; then
    echo "You need to specify app to re-codesign!"
    exit 1
fi
# This uses local (ad-hoc) codesign, so it'll be valid ONLY on the machine you've re-signed with.
entitlements_plist=/tmp/debug_entitlements.plist
echo "Grabbing entitlements from app..."
# Overwrite (not append) so a stale plist left by an earlier failed run can't corrupt this one.
codesign -d --entitlements - "$app_path" --xml > "$entitlements_plist" || { exit 1; }
echo "Patch entitlements (if missing)..."
# PlistBuddy prints "Entry Already Exists" for keys the app already carries; that is harmless.
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.disable-library-validation bool true" "$entitlements_plist"
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-unsigned-executable-memory bool true" "$entitlements_plist"
/usr/libexec/PlistBuddy -c "Add :com.apple.security.get-task-allow bool true" "$entitlements_plist"
# allow custom dyld for sanitizers...
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-dyld-environment-variables bool true" "$entitlements_plist"
echo "Re-applying entitlements (if missing)..."
codesign --force --options runtime --sign - --entitlements "$entitlements_plist" "$app_path" || { echo "codesign failed!"; rm "$entitlements_plist"; exit 1; }
echo "Removing temporary plist..."
rm "$entitlements_plist"
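The entitlement-patching step written with Python's plistlib, as an added example rather than code from the gist: it reports which of the four debug keys were already present instead of relying on PlistBuddy's "Entry Already Exists" output, and it keeps the app's other entitlements intact. The sample plist is constructed, not taken from a real app.

```python
import plistlib
import sys

# The four entitlements the script above adds, all set to true.
DEBUG_ENTITLEMENTS = (
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.get-task-allow",
    "com.apple.security.cs.allow-dyld-environment-variables",
)


def patch_entitlements(xml_bytes):
    """Return (patched plist XML bytes, report).

    report maps each debug key to "added" (missing or false) or "already set".
    Other entitlements are kept; an empty blob is treated as an empty dict."""
    ents = plistlib.loads(xml_bytes) if xml_bytes.strip() else {}
    if not isinstance(ents, dict):
        raise ValueError("entitlements blob is not a plist dictionary")
    report = {}
    for key in DEBUG_ENTITLEMENTS:
        if ents.get(key) is True:
            report[key] = "already set"
        else:
            ents[key] = True
            report[key] = "added"
    return plistlib.dumps(ents), report


# Constructed sample: a hardened app that already carries two of the four
# debug entitlements plus an unrelated audio-input entitlement.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
    <key>com.apple.security.device.audio-input</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Pipe the output of `codesign -d --entitlements - --xml "App.app"` in,
    # or run with no stdin redirect to see the constructed sample patched.
    raw = SAMPLE_ENTITLEMENTS if sys.stdin.isatty() else sys.stdin.buffer.read()
    patched, report = patch_entitlements(raw)
    for key, status in report.items():
        print(f"{status:12} {key}", file=sys.stderr)
    sys.stdout.buffer.write(patched)
```

The written plist can be handed straight to `codesign --force --options runtime --sign - --entitlements` exactly as the script does.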
@audiority

Signing fails on Ventura. /Applications/Ableton Live 11 Suite.app: resource fork, Finder information, or similar detritus not allowed codesign failed!

@talaviram
Author

Signing fails on Ventura. /Applications/Ableton Live 11 Suite.app: resource fork, Finder information, or similar detritus not allowed codesign failed!

Please see:
https://gist.github.com/talaviram/1f21e141a137744c89e81b58f73e23c3?permalink_comment_id=3222379#gistcomment-3222379
TL;DR - xattr -rc

@audiority

Totally missed that. It worked. Thanks!

@PWhiddy

PWhiddy commented Jan 24, 2024

Worked beautifully for me on an M1 mac. Thanks!

@faqteur

faqteur commented Mar 11, 2024

It doesn't seem to work anymore with Ableton Live 12 (release version) :'(

@talaviram
Author

It doesn't seem to work anymore with Ableton Live 12 (release version) :'(

It'll be helpful to have more details.
Anyway, I don't have Live 12 but the trial version allows re-signing just fine...

Grabbing entitlements from app...
Executable=/Users/talaviram/Downloads/Ableton Live 12 Trial.app/Contents/MacOS/Live
Patch entitlements (if missing)...
Add: ":com.apple.security.cs.disable-library-validation" Entry Already Exists
Add: ":com.apple.security.cs.allow-unsigned-executable-memory" Entry Already Exists
Re-applying entitlements (if missing)...
/Users/talaviram/Downloads/Ableton Live 12 Trial.app: replacing existing signature
Removing temporary plist...

@faqteur

faqteur commented Mar 11, 2024

Ah sorry, I forgot.
sudo xattr -rc Ableton\ Live\ 12\ Suite.app did the trick :)
