Last active
November 28, 2024 17:06
-
-
Save talaviram/1f21e141a137744c89e81b58f73e23c3 to your computer and use it in GitHub Desktop.
Simple Utility Script for allowing debug of hardened macOS apps.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#! /bin/bash | |
# Simple Utility Script for allowing debug of hardened macOS apps. | |
# This is useful mostly for plug-in developer that would like keep developing without turning SIP off. | |
# Credit for idea goes to (McMartin): https://forum.juce.com/t/apple-gatekeeper-notarised-distributables/29952/57?u=ttg | |
# Update 2022-03-10: Based on Fabian's feedback, add capability to inject DYLD for sanitizers. | |
# | |
# Please note: | |
# - Modern Logic (on M1s) uses `AUHostingService` which resides within the system thus not patchable and REQUIRES to turn-off SIP. | |
# - Some hosts uses separate plug-in scanning or sandboxing. | |
# if that's the case, it's required to patch those (if needed) and attach debugger to them instead. | |
# | |
# If you see `operation not permitted`, make sure the calling process has Full Disk Access. | |
# For example Terminal.app is showing and has Full Disk Access under System Preferences -> Privacy & Security | |
# | |
app_path=$1 | |
if [ -z "$app_path" ]; | |
then | |
echo "You need to specify app to re-codesign!" | |
exit 0 | |
fi | |
# This uses local codesign. so it'll be valid ONLY on the machine you've re-signed with. | |
entitlements_plist=/tmp/debug_entitlements.plist | |
echo "Grabbing entitlements from app..." | |
codesign -d --entitlements - "$app_path" --xml >> $entitlements_plist || { exit 1; } | |
echo "Patch entitlements (if missing)..." | |
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.disable-library-validation bool true" $entitlements_plist | |
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-unsigned-executable-memory bool true" $entitlements_plist | |
/usr/libexec/PlistBuddy -c "Add :com.apple.security.get-task-allow bool true" $entitlements_plist | |
# allow custom dyld for sanitizers... | |
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-dyld-environment-variables bool true" $entitlements_plist | |
echo "Re-applying entitlements (if missing)..." | |
codesign --force --options runtime --sign - --entitlements $entitlements_plist "$app_path" || { echo "codesign failed!"; } | |
echo "Removing temporary plist..." | |
rm $entitlements_plist |
Signing fails on Ventura.
/Applications/Ableton Live 11 Suite.app: resource fork, Finder information, or similar detritus not allowed codesign failed!
Please see:
https://gist.github.com/talaviram/1f21e141a137744c89e81b58f73e23c3?permalink_comment_id=3222379#gistcomment-3222379
TL;DR - xattr -rc
totally missed that. It worked. Thanks!
Worked beautifully for me on an M1 mac. Thanks!
It doesn't seem to work anymore with Ableton Live 12 (release version) :'(
It doesn't seem to work anymore with Ableton Live 12 (release version) :'(
It'll be helpful to have more details.
Anyway, I don't have Live 12 but the trial version allows re-signing just fine...
Grabbing entitlements from app...
Executable=/Users/talaviram/Downloads/Ableton Live 12 Trial.app/Contents/MacOS/Live
Patch entitlements (if missing)...
Add: ":com.apple.security.cs.disable-library-validation" Entry Already Exists
Add: ":com.apple.security.cs.allow-unsigned-executable-memory" Entry Already Exists
Re-applying entitlements (if missing)...
/Users/talaviram/Downloads/Ableton Live 12 Trial.app: replacing existing signature
Removing temporary plist...
Ah sorry, I forgot.
sudo xattr -rc Ableton\ Live\ 12\ Suite.app
did the trick :)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Signing fails on Ventura.
/Applications/Ableton Live 11 Suite.app: resource fork, Finder information, or similar detritus not allowed codesign failed!