Hi,

Has anyone tried to get GDB to work on macOS 10.15 (beta) with the new 
notarization requirement yet? 
https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
I looked into that for a couple of days now and managed to get it to run 
with the hardened runtime enabled.

To do so, I mainly changed darwin-nat.c:
* darwin_attach_pid(): Added a loop that tries task_for_pid() 10 times, 
sleeping 10000 usec inbetween. This change was inspired by LLDB and 
seems to be necessary for the hardened runtime.
* darwin_ptrace_me(): Changed the process group setting to occour after 
the ptrace calls (inspired by LLDB)
* darwin_ptrace_him(): Set the child process group to match its pid 
(inspired by LLDB)

I am not sure if the last two are really needed, but it looks like it 
improves the situation overall. The whole thing is a bit of a mess to 
test, as GDB behaves slightly different on 10.14 and 10.15 beta for me. 
It also depends strongly on if the inferior itself has hardened runtime 
enabled.

For the entitlement file I am currently using:

         <key>com.apple.security.cs.debugger</key>
         <true/>
         <key>com.apple.security.get-task-allow</key>
         <true/>
         <key>com.apple.security.cs.disable-library-validation</key>
         <false/>

* The debugger entitlement is obvious.
* The get-task-allow entitlement seems to be needed for GDB. GDB forks 
itself, starts tracing the fork and starts the inferior in this forked 
process with execv(). (details in darwin-nat.c and 
fork-inferior.c:fork-inferior)
To start tracing the forked process before the execv, we need this 
entitlement on GDB itself. LLDB seems to not need this, as LLDB has 
multiple different variations on how to start an inferior on macOS, 
using a posix spawn (default) or macOS app specific methods.
* The disable-library-validation is not really needed. However, 
notarizing apps with get-task-allow is only allowed if you also enable 
disable-library-validation.

I have attached a wip patch (not intended for gdb-patches) if anyone is 
interested in what I did exactly.

My current problem:
The problem I am now facing has little to do with notarization/hardened 
runtime, as it also happens without that on 10.14 and 10.15. GDB 
sometimes hangs in the second wait4 call in 
darwin-nat.c:darwin_decode_message(). The only "solution" to this is a 
"kill -9". The second wait4 in that function makes little sense to me 
and seems to be a workaround for previous macos versions. If I delete 
it, the sporadic hangs stop, and I get sporadic "During startup program 
terminated with signal ?, Unknown signal." messages instead (which is 
preferable imo). I tried to debug this further, but couldn't really find 
the cause or a solution yet. WTERMSIG(wstatus) returns 127 in 
darwin_decode_message() for me. If I add sleep statements after setting 
the process group in darwin_ptrace_me(), I can reduce the frequency of 
these hangs to less than 10%.

Has anyone encountered that as well? Or does anyone have a suggestion on 
what I can still try to fix this?

Thanks,
Felix

Intel Deutschland GmbH
Registered Address: Am Campeon 10-12, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Gary Kershaw
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928