英文:
How can I sign all executable cmake targets to enable core dumps on MacOS?
问题
根据这个链接,MacOS可执行文件必须签名才能生成核心转储文件。
建议的步骤是:
要使可执行文件生成核心转储文件,必须进行签名。为此,请创建一个
.entitlements文件,其中包含com.apple.security.get-task-allow权限设置:
/usr/libexec/PlistBuddy -c "Add :com.apple.security.get-task-allow bool true" segv.entitlements使用这个
.entitlements文件对可执行文件进行签名:
codesign -s - -f --entitlements segv.entitlements segv
我们有一个CMakeLists.txt文件的分层结构,其中包含子目录中的库和可执行目标。
是否有办法在运行在MacOS上时,让CMake自动签名所有包含的子目标,而不需要或只需要最小的更改子目标?
生成的segv.entitlements文件如下:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.get-task-allow</key>
<true/>
</dict>
</plist>
因此,我可以将其添加到存储库中,这只留下了codesign步骤。
注意:我们不是从XCode构建,而是使用不同的IDE(CLion、VSCode等)与CMake一起使用。生产可执行文件将在Linux上运行,MacOS仅用于开发。
英文:
According to this, MacOS executables have to be signed in order to produces core dumps.
The suggested procedure is:
> For an executable to dump a core-file it must be signed. To do this, create an .entitlements file with the com.apple.security.get-task-allow entitlement set:
>
> /usr/libexec/PlistBuddy -c "Add :com.apple.security.get-task-allow bool true" segv.entitlements
>
> Using this .entitlements file, sign the executable:
>
> codesign -s - -f --entitlements segv.entitlements segv
We have a hierarchical structure of CMakeLists.txt files, with libraries and executables targets in subdirectories.
Is there a way to have CMake automatically sign all the included sub-targets (when run on MacOS) without, or with only minimal, changes to the sub-targets?
The generated segv.entitlements file looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.get-task-allow</key>
<true/>
</dict>
</plist>
So I could add it to the repository, which only leaves the codesign step.
Note: We are not building from XCode, but rather using different IDEs (CLion, VSCode, etc) with CMake. The production executables will be running on Linux, MacOS is just for development.
答案1
得分: 1
以下是翻译好的部分:
- You can run the
PlistBuddycommand during CMake's configure phase with itsexecute_processcommand.
然后使用 the build-events signature of add_custom_command 来定义一个 POST_BUILD 自定义命令,用于在每个目标上运行签名命令。
我不太确定,但我认为它应该类似于这样:
set(entitlements_file "${CMAKE_BUILD_DIR}/foo.entitlements")
execute_process(COMMAND /usr/libexec/PlistBuddy -c "Add :com.apple.security.get-task-allow bool true" "${entitlements_file}")
set(targets_to_sign target_a target_b target_c)
foreach(target "${targets_to_sign}")
add_custom_command(TARGET "${target}" POST_BUILD
COMMAND codesign -s - -f --entitlements "${entitlements_file}" "$<TARGET_FILE:${target}>"
COMMENT "sign target \"${target}\" to enable core dump on MacOS"
VERBATIM
)
endforeach()
英文:
You can run the PlistBuddy command during CMake's configure phase with its execute_process command.
Then use the build-events signature of add_custom_command to define a POST_BUILD custom command on each target that runs the signing command.
I'm not 100% sure, but I believe it would look something like this:
set(entitlements_file "${CMAKE_BUILD_DIR}/foo.entitlements")
execute_process(COMMAND /usr/libexec/PlistBuddy -c "Add :com.apple.security.get-task-allow bool true" "${entitlements_file}")
set(targets_to_sign target_a target_b target_c)
foreach(target "${targets_to_sign}")
add_custom_command(TARGET "${target}" POST_BUILD
COMMAND codesign -s - -f --entitlements "${entitlements_file}" "$<TARGET_FILE:${target}>"
COMMENT "sign target \"${target}\" to enable core dump on MacOS"
VERBATIM
)
endforeach()
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论