LLDB code signing

Hi!
We are thinking of bundling a custom LLDB build with our product. What should we do about code signing? I just moved a built lldb from one of my Macs to another and it reports the error: "initial process state wasn't stopped: exited".

The way I've been doing that is to ship an LLDB.framework and set the environment variable LLDB_DEBUGSERVER_PATH to point to Xcode's debugserver.

I use hard-coded paths and am migrating to xcode-select -print-path. It's not the best solution, but it should work most of the time. The user can also provide a debugserver path, and I check several paths before giving up.
There CAN be some breakage when the versions don't match, but the debugserver isn't updated that often (but, as of today, the debugserver that ships with the current version of Xcode can't re-run a program).

I don't know if it's even possible to sign a debugserver binary and make it work on other macs without installing and trusting the certificate.

Good luck. And wait for someone at Apple to reply, to have a more definitive answer w.r.t. Mac OS X.

Regards,

  Filipe

P.S.: You can also ship several LLDB.frameworks matching several Xcode versions and select one of those at runtime (and then point to a debugserver with a matching version).

I should also say that my project is still in a beta phase and has very few users… For now I can get away with my hack, and I can use the latest LLDB.framework version. :)

Regards,

  Filipe
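
The lookup order described in the posts above (a user-supplied path, then the active Xcode, then further candidates, ending with LLDB_DEBUGSERVER_PATH being set), as an added shell example that is not code from the thread or from LLDB. The relative location in `DEBUGSERVER_REL`, the function names and the signature check with `codesign --verify` are assumptions of this example.

```shell
#!/bin/sh
# Added example: choose a debugserver and export LLDB_DEBUGSERVER_PATH.
# Order tried: user-supplied path, the active Xcode, then extra fallbacks.

# ASSUMPTION: where debugserver sits relative to the Xcode developer directory.
DEBUGSERVER_REL="../SharedFrameworks/LLDB.framework/Resources/debugserver"

# Print the active developer directory; prints nothing if it is unknown.
# DEVELOPER_DIR is the environment override that the Xcode tools honor.
developer_dir() {
    if [ -n "${DEVELOPER_DIR:-}" ]; then
        printf '%s\n' "$DEVELOPER_DIR"
    else
        xcode-select -print-path 2>/dev/null || true
    fi
}

# A candidate is usable only if it is an executable file whose code signature
# verifies. This shows the signature is intact, not who issued it.
# Fails closed: if codesign is unavailable, nothing is accepted.
usable_debugserver() {
    [ -f "$1" ] && [ -x "$1" ] && codesign --verify "$1" >/dev/null 2>&1
}

# find_debugserver USER_PATH [FALLBACK...]
# Prints the first usable candidate; returns 1 if none qualifies.
find_debugserver() {
    user_path=${1:-}
    [ $# -gt 0 ] && shift
    dev=$(developer_dir)
    xcode_path=""
    [ -n "$dev" ] && xcode_path="$dev/$DEBUGSERVER_REL"
    for candidate in "$user_path" "$xcode_path" "$@"; do
        [ -n "$candidate" ] || continue
        if usable_debugserver "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Stand-alone use: the first script argument is the optional user-supplied path.
if found=$(find_debugserver "${1:-}"); then
    export LLDB_DEBUGSERVER_PATH="$found"
    echo "using $LLDB_DEBUGSERVER_PATH"
else
    echo "no usable debugserver found; set one explicitly" >&2
fi
```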

On Mac OS X any program that wants to get the task port of another program (which you need to do to inspect the other program) must be code signed by a trusted authority. It also needs to be marked as using task_for_pid in its Info.plist (debugserver already does this so you don't need to worry about that part.) So you need to either get a code signing identity from some pre-trusted source (Verisign et al) or else each target system must be induced to express (code signing) certificate trust in the signing root.

Jim

If you don't require any changes to debugserver, you can always copy the debugserver binary from the LLDB.framework that comes with the latest Xcode since that will be code signed by Apple. Currently debugserver is the only thing that needs to be codesigned.

The issue you are seeing is indeed due to incorrect code signing.

Greg

Hi!
Copying debugserver is a good idea. But what happens if it is changed and an Xcode build with the new version is not available yet? We can't upgrade our product to a newer version of LLDB that Xcode uses in this case.
Maybe we can install our certificate which was used for code signing of LLDB with AppCode and ask the user to trust it in order to use the debugger with AppCode?

> Hi!
> Copying debugserver is a good idea. But what happens if it is changed and an Xcode build with the new version is not available yet? We can't upgrade our product to a newer version of LLDB that Xcode uses in this case.

Indeed.

> Maybe we can install our certificate which was used for code signing of LLDB with AppCode and ask the user to trust it in order to use the debugger with AppCode?

That sounds good, but I am not sure how to do this. If you figure this out, please let us know how and what you did!

Greg