@talaviram
Last active February 13, 2025 00:52
Simple Utility Script for allowing debug of hardened macOS apps.
#! /bin/bash
# Simple Utility Script for allowing debug of hardened macOS apps.
# This is useful mostly for plug-in developers who would like to keep developing without turning SIP off.
# Credit for idea goes to (McMartin): https://forum.juce.com/t/apple-gatekeeper-notarised-distributables/29952/57?u=ttg
# Update 2022-03-10: Based on Fabian's feedback, add capability to inject DYLD for sanitizers.
#
# Please note:
# - Modern Logic (on M1s) uses `AUHostingService`, which resides within the system and is thus not patchable; it REQUIRES turning off SIP.
# - Some hosts use separate plug-in scanning or sandboxing.
#   If that's the case, it's required to patch those (if needed) and attach the debugger to them instead.
#
# If you see `operation not permitted`, make sure the calling process has Full Disk Access.
# For example, Terminal.app should be listed with Full Disk Access under System Preferences -> Privacy & Security.
#
app_path=$1
if [ -z "$app_path" ];
then
    echo "You need to specify app to re-codesign!"
    exit 1
fi
# This uses local codesign, so it'll be valid ONLY on the machine you've re-signed with.
entitlements_plist=/tmp/debug_entitlements.plist
echo "Grabbing entitlements from app..."
# Overwrite rather than append, so a plist left behind by an interrupted run cannot corrupt this one.
codesign -d --entitlements - "$app_path" --xml > "$entitlements_plist" || { exit 1; }
echo "Patch entitlements (if missing)..."
# Each Add reports "Entry Already Exists" and changes nothing when the app already has the key.
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.disable-library-validation bool true" "$entitlements_plist"
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-unsigned-executable-memory bool true" "$entitlements_plist"
/usr/libexec/PlistBuddy -c "Add :com.apple.security.get-task-allow bool true" "$entitlements_plist"
# allow custom dyld for sanitizers...
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-dyld-environment-variables bool true" "$entitlements_plist"
echo "Re-applying entitlements (if missing)..."
status=0
codesign --force --options runtime --sign - --entitlements "$entitlements_plist" "$app_path" || { echo "codesign failed!"; status=1; }
echo "Removing temporary plist..."
rm "$entitlements_plist"
# Report a failed re-sign to the caller instead of always exiting 0.
exit $status
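
An added example, not part of the gist: a small Python audit that parses the XML entitlements dump the script works on and reports which of the four hardened-runtime relaxations are switched on, and which of them a re-sign added compared to the vendor build. The two sample plists are constructed for illustration; `read_entitlements` shells out to the same `codesign -d` call as the script and therefore only works on macOS.

```python
import plistlib
import subprocess

# The four keys the gist script adds, and what each one relaxes.
DEBUG_KEYS = {
    "com.apple.security.get-task-allow": "other processes may attach a debugger",
    "com.apple.security.cs.disable-library-validation": "libraries signed by anyone may load",
    "com.apple.security.cs.allow-unsigned-executable-memory": "unsigned executable memory allowed",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_* variables are honoured",
}

def relaxations(entitlements_xml: bytes) -> dict:
    """Return the DEBUG_KEYS that are set to true in an entitlements plist."""
    if not entitlements_xml.strip():
        return {}  # empty dump: no entitlements to report
    ents = plistlib.loads(entitlements_xml)
    return {k: why for k, why in DEBUG_KEYS.items() if ents.get(k) is True}

def added_by_resign(before_xml: bytes, after_xml: bytes) -> list:
    """Keys that are on after re-signing but were not on in the vendor build."""
    return sorted(set(relaxations(after_xml)) - set(relaxations(before_xml)))

def read_entitlements(app_path: str) -> bytes:
    """macOS only: the same codesign call the script uses to dump entitlements."""
    return subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", app_path],
        check=True, capture_output=True).stdout

# Constructed sample: a vendor build that already carries two of the keys,
# and the same entitlements after the script has patched in the other two.
VENDOR = plistlib.dumps({
    "com.apple.security.cs.disable-library-validation": True,
    "com.apple.security.cs.allow-unsigned-executable-memory": True,
    "com.apple.security.device.audio-input": True,
})
PATCHED = plistlib.dumps({
    **plistlib.loads(VENDOR),
    "com.apple.security.get-task-allow": True,
    "com.apple.security.cs.allow-dyld-environment-variables": True,
})

if __name__ == "__main__":
    for key in added_by_resign(VENDOR, PATCHED):
        print(f"{key}: {DEBUG_KEYS[key]}")
```

Run against installed bundles, the same report shows which apps are still carrying the debug relaxations once a debugging session is over.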
@PWhiddy

PWhiddy commented Jan 24, 2024

Worked beautifully for me on an M1 mac. Thanks!

@faqteur

faqteur commented Mar 11, 2024

It doesn't seem to work anymore with Ableton Live 12 (release version) :'(

@talaviram
Author

> It doesn't seem to work anymore with Ableton Live 12 (release version) :'(

It'll be helpful to have more details.
Anyway, I don't have Live 12 but the trial version allows re-signing just fine...

Grabbing entitlements from app...
Executable=/Users/talaviram/Downloads/Ableton Live 12 Trial.app/Contents/MacOS/Live
Patch entitlements (if missing)...
Add: ":com.apple.security.cs.disable-library-validation" Entry Already Exists
Add: ":com.apple.security.cs.allow-unsigned-executable-memory" Entry Already Exists
Re-applying entitlements (if missing)...
/Users/talaviram/Downloads/Ableton Live 12 Trial.app: replacing existing signature
Removing temporary plist...

@faqteur

faqteur commented Mar 11, 2024

Ah sorry, I forgot.
`sudo xattr -rc Ableton\ Live\ 12\ Suite.app` did the trick :)

@BenKalish42

Having trouble with macOS Sequoia and Ableton Live 12 Suite. Live 11 worked just fine, but with Live 12 I get:

resource fork, Finder information, or similar detritus not allowed
codesign failed!

I tried:
`sudo chmod 777 /Applications/Ableton\ Live\ 12\ Suite.app/`: Operation Not Permitted, with and without sudo
`sudo xattr -rc /Applications/Ableton\ Live\ 12\ Suite.app/`: Operation Not Permitted, with and without sudo

Anyone else find a way around this?

@talaviram
Author

talaviram commented Dec 12, 2024

Did you look at the comment above you? (https://gist.github.com/talaviram/1f21e141a137744c89e81b58f73e23c3?permalink_comment_id=4982316#gistcomment-4982316)

EDIT: Ahh! Do you have enough permissions in Terminal? Full Disk Access and Developer Tools?

@codeSamuraii

The command fails on macOS 15.3:

Cannot parse a NULL or zero-length data
Error Reading File: /private/tmp/debug_entitlements.plist
/tmp/debug_entitlements.plist: unrecognized blob type (accepting blindly)

To fix the issue, add an -x flag to the PlistBuddy commands:

#! /bin/bash
app_path=$1
entitlements_plist=/tmp/debug_entitlements.plist

if [ -z "$app_path" ];
then
    echo "You need to specify app to re-codesign!"
    exit 1
fi

echo "Grabbing entitlements from app..."
# Overwrite rather than append, so a plist left behind by an interrupted run cannot corrupt this one.
codesign -d --entitlements - "$app_path" --xml > "$entitlements_plist" || { exit 1; }

echo "Patch entitlements (if missing)..."
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.disable-library-validation bool true" -x "$entitlements_plist"
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-unsigned-executable-memory bool true" -x "$entitlements_plist"
/usr/libexec/PlistBuddy -c "Add :com.apple.security.get-task-allow bool true" -x "$entitlements_plist"
/usr/libexec/PlistBuddy -c "Add :com.apple.security.cs.allow-dyld-environment-variables bool true" -x "$entitlements_plist"

echo "Re-applying entitlements (if missing)..."
codesign --force --options runtime --sign - --entitlements "$entitlements_plist" "$app_path" || { echo "codesign failed!"; }

echo "Removing temporary plist..."
rm "$entitlements_plist"
