How to set up "lldb_codesign" certificate!

To use the in-tree debug server on macOS, lldb needs to be code signed. The
Debug, DebugClang and Release builds are set to code sign using a code signing
certificate named "lldb_codesign". This document explains how to set up the
signing certificate.

Note that it's possible to build and use lldb on macOS without setting up code
signing by using the system's debug server. To configure lldb in this way with
cmake, specify -DLLDB_CODESIGN_IDENTITY=''.

If you have re-installed a new OS, please delete all old lldb_codesign items
from your keychain. There will be a code signing certificate and a public
and private key. Reboot after deleting them. You will also need to delete any
build folders that contained old signed items. The Darwin kernel caches
code signing information using the executable's file system node, so you will
need to delete the file so the kernel clears its cache.

If you don't have a code signing certificate yet, you will need to:
- Launch /Applications/Utilities/Keychain Access.app

- In Keychain Access select the "login" keychain in the "Keychains"
  list in the upper left hand corner of the window.

- Select the following menu item:

    Keychain Access->Certificate Assistant->Create a Certificate...

- Set the following settings

    Name = lldb_codesign
    Identity Type = Self Signed Root
    Certificate Type = Code Signing

- Click Create
- Click Continue
- Click Done
- Click on "My Certificates"
- Double click on your new lldb_codesign certificate
- Turn down the "Trust" disclosure triangle, scroll to the "Code Signing" trust
  pulldown menu and select "Always Trust" and authenticate as needed using your
  username and password.
- Drag the new "lldb_codesign" code signing certificate (not the public or private
  keys of the same name) from the "login" keychain to the "System" keychain in the
  Keychains pane on the left hand side of the main Keychain Access window. This will
  move this certificate to the "System" keychain. You'll have to authorize a few
  more times; set it to be "Always trusted" when asked.
- Remove "~/Desktop/lldb_codesign.cer" file on your desktop if there is one.
- In the Keychain Access GUI, click and drag "lldb_codesign" in the "System" keychain
  onto the desktop. The drag will create a "~/Desktop/lldb_codesign.cer" file used in
  the next step.
- Switch to Terminal, and run the following:

    sudo security add-trust -d -r trustRoot -p basic -p codeSign -k /Library/Keychains/System.keychain ~/Desktop/lldb_codesign.cer
    rm -f ~/Desktop/lldb_codesign.cer

- Drag the "lldb_codesign" certificate from the "System" keychain back into the
  "login" keychain
- Quit Keychain Access
- Reboot
- Clean by removing all previously created code signed binaries and rebuild
  lldb. You should then be able to debug.
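
A check that can be run after the reboot and before rebuilding, added here as an
example and not part of the original document: it reads the output of
"security find-identity -p codesigning" and reports whether "lldb_codesign" is
accepted for code signing, present but not accepted, or absent. The helper name
classify_identity and the two sample outputs (with placeholder hashes) are
constructed for illustration and assume the output layout shown in them.

```shell
#!/bin/sh
# Classify a code signing identity from `security find-identity -p codesigning`
# output read on stdin. Prints: valid | invalid | missing
# (classify_identity is a hypothetical helper name, not an lldb or Apple tool.)
classify_identity() {
    awk -v want="\"$1\"" '
        /Matching identities/   { section = "matching"; next }
        /Valid identities only/ { section = "valid"; next }
        index($0, want)         { if (section == "valid") valid = 1; else listed = 1 }
        END {
            if (valid)       print "valid"    # accepted for the codesigning policy
            else if (listed) print "invalid"  # present, but not accepted (e.g. trust not set)
            else             print "missing"  # no identity with that name
        }'
}

# Constructed sample (placeholder hash): certificate exists but is not trusted.
sample_untrusted() {
cat <<'EOF'
Policy: Code Signing
  Matching identities
  1) 0000000000000000000000000000000000000000 "lldb_codesign" (CSSMERR_TP_NOT_TRUSTED)
     1 identities found

  Valid identities only
     0 valid identities found
EOF
}

# Constructed sample (placeholder hash): certificate trusted for code signing.
sample_valid() {
cat <<'EOF'
Policy: Code Signing
  Matching identities
  1) 0000000000000000000000000000000000000000 "lldb_codesign"
     1 identities found

  Valid identities only
  1) 0000000000000000000000000000000000000000 "lldb_codesign"
     1 valid identities found
EOF
}

# On macOS, check the live keychains; elsewhere only the samples are usable.
if command -v security >/dev/null 2>&1; then
    echo "lldb_codesign: $(security find-identity -p codesigning | classify_identity lldb_codesign)"
fi
```

A result of "invalid" means the certificate was created but the "Always Trust"
and add-trust steps did not take effect; "missing" means no certificate with
that exact name is in the searched keychains.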

When you build your LLDB for the first time, the Xcode GUI will prompt you for permission
to use the "lldb_codesign" keychain. Be sure to click "Always Allow" on your first
build. From here on out, the "lldb_codesign" will be trusted and you can build from the
command line without having to authorize. Also, the first time you debug using an LLDB that
was built with this code signing certificate, you will need to authenticate once.
