Jump to content

macOS: Plugins cannot be debugged - missing "get-task-allow" entitlement


Richard1

Recommended Posts

The xcode debugger cannot be attached to Vectorworks in any currently supported version of macOS.

 

Apple support have insisted to me that the only solution to this is in Big Sur or later is for Vectorworks to enable the "get-task-allow" entitlement.

Can this please be done in the next VW2021/2022 service pack and future updates?

 

If it cannot be done due to Apple's signing or notarisation rules, can Vectorworks please raise a formal issue with Apple regarding this issue, and let us know their official response?

 

It is strictly necessary for all developers to attach a debugger to macOS applications that have a plugin architecture.

 

While it still appears to be possible to use Recovery mode and csrutil to enable debugging, this is a very large sledgehammer.

Worse, Apple's response to my support request indicates it is going to be removed.

 

This kind of problem is making it very difficult to justify continuing to support a macOS version of our plugin, as any issue that we cannot reproduce on Windows will never be resolved.

  • Like 1
Link to comment
  • Vectorworks, Inc Employee

Hi @Richard1,

Can you elaborate a little bit more?

Are you not able to debug your plugin with xcode?

This is possible, and many third-party devs do it.

Could it be that you have the 'Debug executable' option on?

If that doesn't work, what's your setup? what do you see when you try to debug?

 

image.png

Link to comment

@VladoI believe the issue is that the debugger will only attach to Vectorworks if System Integrity Protection is off. I haven’t checked in a while to see if it’s still necessary. 
 

This is the procedure:

1. Click the Apple symbol in the Menu bar.
2. Click Restart…
3. Hold down Command-R to reboot into Recovery Mode.
4. Click Utilities.
5. Select Terminal.
6. Type csrutil disable.
csrutil enable --without debug
7. Press Return or Enter on your keyboard.
8. Click the Apple symbol in the Menu bar.
9. Click Restart…

This lets you debug signed binaries that you do not hold the certificate to. While this leaves most of SIP intact, I believe it does enable root. 

  • Like 2
Link to comment
  • 3 months later...

@Vlado JBenghiat is correct.

 

Debugging a Vectorworks plugin is only possible if one of the following applies:

  • You compiled Vectorworks itself on that Mac
  • Your Mac has access to the Vectorworks private developer keys
  • You have disabled macOS SIP security features.

Obviously the first two are not possible for anyone outside Vectorworks.

 

Apple do not support disabling macOS SIP security features, and have indicated to us that they will be removing this possibility in future macOS updates.

Several Apple support agents have insisted it's not possible at all on Big Sur/M1, so I've been holding off upgrading my Mac

  • Like 1
Link to comment
  • Vectorworks, Inc Employee

Hi all,

 

As mentioned above, get-task-allow does let Xcode attach. But we can't (and shouldn't) release with this entitlement enabled. However, you can simply re-sign Vectorworks using an ad-hoc signature (ie, a local signature instead of one backed by our Apple certificate). When you re-sign it, you specify get-task-allow. We have some reported success using this method.


To specify get-task-allow you need an entitlements file. I've attached it, and included its contents here too so you can see what's in it:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
	<key>com.apple.security.get-task-allow</key>
	<true/>
</dict>
</plist>

 

To debug, you ad-hoc re-sign the Vectorworks app, with the "entitlements.xml" file saved next to the application.

  • I would recommend doing this work in a work folder under your user profile, with the Vectorworks build in it, as opposed to under /Applications.
    • We'll assume it's in /Users/$USER/work/Vectorworks\ 2022, so you would have the app at: /Users/$USER/work/Vectorworks\ 2022/Vectorworks\ 2022.app
    • Feel free to change the structure, but Apple does some weird things with folders such as the Desktop, /Applications, Downloads, etc that may interfere with debugging.
  • Put the attached entitlements.xml file next to the app in  /Users/$USER/work/Vectorworks\ 2022
  • Open terminal, change directory to the VW root folder (e.g., cd /Users/$USER/work/Vectorworks\ 2022).
  • Run the following command which re-codesigns Vectorworks, applying the new entitlements (including :
    • codesign --entitlements entitlements.xml -f -s "-" --options runtime Vectorworks\ 2022.app

I mentioned this reportedly worked about a year ago and I don't think Apple has changed anything but I don't have a lot of experience besides that one workflow that worked. So let us know if this gets you going. Thanks!

 

entitlements.xml

  • Like 2
Link to comment
  • 3 weeks later...

Thanks Tim

Can you please add this information to the SDK documentation?

 

I'd also really appreciate it if the SDK documentation could be updated, it really seems like it's not been touched since 2018 or so!

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...