[RFA] Add --enable-codesign to gdb's configure

[RFA] Add --enable-codesign to gdb's configure

[Tom Tromey]

macOS requires that the gdb executable be signed in order to be able
to successfully use ptrace.  This must be done after each link.

This patch adds a new --enable-codesign configure option so that this
step can be automated.

gdb/ChangeLog
2018-06-28  Tom Tromey  <tom@tromey.com>

	* NEWS: Mention --enable-codesign.
	* silent-rules.mk (ECHO_SIGN): New variable.
	* configure.ac: Add --enable-codesign.
	* configure: Rebuild.
	* Makefile.in (CODESIGN, CODESIGN_CERT): New variables.
	(gdb$(EXEEXT)): Optionally invoke codesign.
---
 gdb/ChangeLog       |  9 +++++++++
 gdb/Makefile.in     |  7 +++++++
 gdb/NEWS            |  7 +++++++
 gdb/configure       | 11 +++++++++++
 gdb/configure.ac    |  7 +++++++
 gdb/silent-rules.mk |  1 +
 6 files changed, 42 insertions(+)

diff --git a/gdb/ChangeLog b/gdb/ChangeLog
index a125b72e420..08271641370 100644
--- a/gdb/ChangeLog
+++ b/gdb/ChangeLog
@@ -1,3 +1,12 @@
+2018-06-28  Tom Tromey  <tom@tromey.com>
+
+	* NEWS: Mention --enable-codesign.
+	* silent-rules.mk (ECHO_SIGN): New variable.
+	* configure.ac: Add --enable-codesign.
+	* configure: Rebuild.
+	* Makefile.in (CODESIGN, CODESIGN_CERT): New variables.
+	(gdb$(EXEEXT)): Optionally invoke codesign.
+
 2018-06-27  Tom Tromey  <tom@tromey.com>
 
 	* machoread.c (macho_symfile_read): Define "symbol_table" earlier.
diff --git a/gdb/Makefile.in b/gdb/Makefile.in
index 5934cd6a23e..13627e07e0a 100644
--- a/gdb/Makefile.in
+++ b/gdb/Makefile.in
@@ -222,6 +222,10 @@ LIBICONV = @LIBICONV@
 # Did the user give us a --with-gdb-datadir option?
 GDB_DATADIR = @GDB_DATADIR@
 
+# Code signing.
+CODESIGN = codesign
+CODESIGN_CERT = @CODESIGN_CERT@
+
 # Flags to pass to gdb when invoked with "make run".
 GDBFLAGS =
 
@@ -1916,6 +1920,9 @@ gdb$(EXEEXT): gdb.o $(LIBGDB_OBS) $(ADD_DEPS) $(CDEPS) $(TDEPLIBS)
 	$(ECHO_CXXLD) $(CC_LD) $(INTERNAL_LDFLAGS) $(WIN32LDAPP) \
 		-o gdb$(EXEEXT) gdb.o $(LIBGDB_OBS) \
 		$(TDEPLIBS) $(TUI_LIBRARY) $(CLIBS) $(LOADLIBES)
+ifneq ($(CODESIGN_CERT),)
+	$(ECHO_SIGN) $(CODESIGN) -s $(CODESIGN_CERT) gdb$(EXEEXT)
+endif
 
 # Convenience rule to handle recursion.
 $(LIBGNU) $(GNULIB_H): all-lib
diff --git a/gdb/NEWS b/gdb/NEWS
index 13da2f1d4e9..d72b2961530 100644
--- a/gdb/NEWS
+++ b/gdb/NEWS
@@ -84,6 +84,13 @@ SH-5/SH64 running OpenBSD 	SH-5/SH64 support in sh*-*-openbsd*
   the tradeoff that there is a possibility of false hits being
   reported.
 
+* New configure options
+
+--enable-codesign=CERT
+  This can be used to invoke "codesign -s CERT" after building gdb.
+  This option is useful on macOS, where code signing is required for
+  gdb to work properly.
+
 *** Changes in GDB 8.1
 
 * GDB now supports dynamically creating arbitrary register groups specified
diff --git a/gdb/configure b/gdb/configure
index d3a3bbe44c9..28756ed9826 100755
--- a/gdb/configure
+++ b/gdb/configure
@@ -745,6 +745,7 @@ AWK
 REPORT_BUGS_TEXI
 REPORT_BUGS_TO
 PKGVERSION
+CODESIGN_CERT
 HAVE_NATIVE_GCORE_TARGET
 TARGET_OBS
 subdirs
@@ -861,6 +862,7 @@ enable_gdbtk
 with_libunwind_ia64
 with_curses
 enable_profiling
+enable_codesign
 with_pkgversion
 with_bugurl
 with_system_zlib
@@ -1550,6 +1552,7 @@ Optional Features:
   --enable-tui            enable full-screen terminal user interface (TUI)
   --enable-gdbtk          enable gdbtk graphical user interface (GUI)
   --enable-profiling      enable profiling of GDB
+  --enable-codesign=CERT  sign gdb with 'codesign -s CERT'
   --disable-rpath         do not hardcode runtime library paths
   --enable-libmcheck      Try linking with -lmcheck if available
   --enable-werror         treat compile warnings as errors
@@ -7050,6 +7053,14 @@ $as_echo "$ac_cv_cc_supports_pg" >&6; }
   CFLAGS="$OLD_CFLAGS"
 fi
 
+CODESIGN_CERT=
+# Check whether --enable-codesign was given.
+if test "${enable_codesign+set}" = set; then :
+  enableval=$enable_codesign; CODESIGN_CERT=$enableval
+fi
+
+
+
 
 
 # Check whether --with-pkgversion was given.
diff --git a/gdb/configure.ac b/gdb/configure.ac
index 44b6c62d709..4c20ea5178d 100644
--- a/gdb/configure.ac
+++ b/gdb/configure.ac
@@ -471,6 +471,13 @@ if test "$enable_profiling" = yes ; then
   CFLAGS="$OLD_CFLAGS"
 fi
 
+CODESIGN_CERT=
+AC_ARG_ENABLE([codesign],
+  AS_HELP_STRING([--enable-codesign=CERT],
+                 [sign gdb with 'codesign -s CERT']),
+  [CODESIGN_CERT=$enableval])
+AC_SUBST([CODESIGN_CERT])
+
 ACX_PKGVERSION([GDB])
 ACX_BUGURL([http://www.gnu.org/software/gdb/bugs/])
 AC_DEFINE_UNQUOTED([PKGVERSION], ["$PKGVERSION"], [Additional package description])
diff --git a/gdb/silent-rules.mk b/gdb/silent-rules.mk
index 803dbda546a..ade77ad1c51 100644
--- a/gdb/silent-rules.mk
+++ b/gdb/silent-rules.mk
@@ -10,5 +10,6 @@ ECHO_GEN_XML_BUILTIN = \
 ECHO_GEN_XML_BUILTIN_GENERATED = \
               @echo "  GEN    xml-builtin-generated.c";
 ECHO_INIT_C =  echo "  GEN    init.c" ||
+ECHO_SIGN =   @echo "  SIGN   gdb";
 SILENCE = @
 endif
-- 
2.17.1

Re: [RFA] Add --enable-codesign to gdb's configure

[Joel Brobecker]

Hi Tom,

On Thu, Jun 28, 2018 at 10:37:45AM -0600, Tom Tromey wrote:
> macOS requires that the gdb executable be signed in order to be able
> to successfully use ptrace.  This must be done after each link.
> 
> This patch adds a new --enable-codesign configure option so that this
> step can be automated.
> 
> gdb/ChangeLog
> 2018-06-28  Tom Tromey  <tom@tromey.com>
> 
> 	* NEWS: Mention --enable-codesign.
> 	* silent-rules.mk (ECHO_SIGN): New variable.
> 	* configure.ac: Add --enable-codesign.
> 	* configure: Rebuild.
> 	* Makefile.in (CODESIGN, CODESIGN_CERT): New variables.
> 	(gdb$(EXEEXT)): Optionally invoke codesign.

Good idea! The NEWS portion needs to wait for Eli's feedback.
But the rest looks good to me (the NEWS entry too, FWIW).

Thank you!
-- 
Joel

Re: [RFA] Add --enable-codesign to gdb's configure

[Eli Zaretskii]

> From: Tom Tromey <tom@tromey.com>
> Cc: Tom Tromey <tom@tromey.com>
> Date: Thu, 28 Jun 2018 10:37:45 -0600
> 
> macOS requires that the gdb executable be signed in order to be able
> to successfully use ptrace.  This must be done after each link.
> 
> This patch adds a new --enable-codesign configure option so that this
> step can be automated.
> 
> gdb/ChangeLog
> 2018-06-28  Tom Tromey  <tom@tromey.com>
> 
> 	* NEWS: Mention --enable-codesign.
> 	* silent-rules.mk (ECHO_SIGN): New variable.
> 	* configure.ac: Add --enable-codesign.
> 	* configure: Rebuild.
> 	* Makefile.in (CODESIGN, CODESIGN_CERT): New variables.
> 	(gdb$(EXEEXT)): Optionally invoke codesign.
> ---
>  gdb/ChangeLog       |  9 +++++++++
>  gdb/Makefile.in     |  7 +++++++
>  gdb/NEWS            |  7 +++++++
>  gdb/configure       | 11 +++++++++++
>  gdb/configure.ac    |  7 +++++++
>  gdb/silent-rules.mk |  1 +
>  6 files changed, 42 insertions(+)
> 
> diff --git a/gdb/ChangeLog b/gdb/ChangeLog
> index a125b72e420..08271641370 100644
> --- a/gdb/ChangeLog
> +++ b/gdb/ChangeLog
> @@ -1,3 +1,12 @@
> +2018-06-28  Tom Tromey  <tom@tromey.com>
> +
> +	* NEWS: Mention --enable-codesign.
> +	* silent-rules.mk (ECHO_SIGN): New variable.
> +	* configure.ac: Add --enable-codesign.
> +	* configure: Rebuild.
> +	* Makefile.in (CODESIGN, CODESIGN_CERT): New variables.
> +	(gdb$(EXEEXT)): Optionally invoke codesign.
> +
>  2018-06-27  Tom Tromey  <tom@tromey.com>

OK for the NEWS part, but I think we should reflect this option in the
output of "gdb --configure", because users will want to know whether
their GDB was configured that way.

Thanks.

Re: [RFA] Add --enable-codesign to gdb's configure

[Joel Brobecker]

Hi Eli,

> OK for the NEWS part, but I think we should reflect this option in the
> output of "gdb --configure", because users will want to know whether
> their GDB was configured that way.

The new option actually influences the build, not whether GDB provides
a given feature or not.

On MacOS X, GDB needs to be codesigned in order to be allowed debug
privileges. What Tom's configuration option does is that it automates
that during the build so that it gets automatically done each time
the user types "make". Users who do not use the new option already
achieve the same effect by running the codesign command by hand
each time after running "make".

If a user wants to know whether his binary has been codesigned or
not, and if yes, using which certificate, he can also use the codesign
command.
http://osxdaily.com/2016/03/14/verify-code-sign-apps-mac-os-x/

-- 
Joel

Re: [RFA] Add --enable-codesign to gdb's configure

[Tom Tromey]

>> OK for the NEWS part, but I think we should reflect this option in the
>> output of "gdb --configure", because users will want to know whether
>> their GDB was configured that way.

Joel> The new option actually influences the build, not whether GDB provides
Joel> a given feature or not.

I'm not sure there's a way for gdb to know whether it's been signed, I
guess other than invoking codesign itself.  I'm going to check this in,
but if it still needs the change, let me know and I will see if I can
implement it.

Tom

Re: [RFA] Add --enable-codesign to gdb's configure

[Joel Brobecker]

> I'm not sure there's a way for gdb to know whether it's been signed, I
> guess other than invoking codesign itself.  I'm going to check this in,
> but if it still needs the change, let me know and I will see if I can
> implement it.

I just gave it a try, and basically, you do it using the -d option
of codesign. I also added -v, to get a bit more information about
the signature -- otherwise, you either get "not signed", or the name
of the executable. Here is an example of both situations:

  | $ codesign -dv simple_main
  | simple_main: code object is not signed at all
  | $ codesign -dv gdb
  | Executable=/[...]/gdb
  | Identifier=org.gnu.gdb
  | Format=Mach-O thin (x86_64)
  | CodeDirectory v=20100 size=82012 flags=0x0(none) hashes=2559+2 location=embedded
  | Signature size=1572
  | Signed Time=23 Feb 2017 09:29:17
  | [...]

-- 
Joel