Cannot attach debugger to Helper app on macOS

I've got a macOS app with a "Helper" (LoginItem) app that I'd like to attach the debugger to in order to debug the communication between the two.


I realize hardening a target makes it impossible to attach the Xcode debugger to it, however I've created a separate entitlements file for Debug mode, turned "Enable Hardening" OFF for both Debug targets and have also added a "com.apple.security.get-task-allow" set to "YES" in the entitlement files for both debug targets. Still, I see this:


macOSTaskPolicy: (com.apple.debugserver) may not get the taskport of (com.b) (pid: 4144): (com.b) is hardened, (com.b) doesn't have get-task-allow, (com.apple.debugserver) is a declared debugger


I'm unable to debug the helper and it's frustrating. How can I disable SIIP or whatever it takes to get this to work?

Post not yet marked as solved Up vote post of Smithers Down vote post of Smithers
1.3k views

Answers

When dealing with your own code, as opposed to system code, you’ll see this error if:

  • The app has the hardened runtime enabled

  • The app does not have the

    com.apple.security.get-task-allow
    entitlement

So, you can either disable the hardened runtime or add the

com.apple.security.get-task-allow
entitlement. You do this as part of building your app, so you don’t need to customise macOS itself.

Also, I recommend the latter because disabling the hardened runtime affects a bunch of other things as well.

I’m not sure why your attempts to do this have failed. My advice is that you first confirm which of these is the problem. Here you want to look at your built binary, not at your project setup. Specifically, this command tells you whether the hardened runtime is enabled:

% codesign -d -vvv MyTest.app
…
CodeDirectory v=20200 size=513 flags=0x0(runtime) hashes=8+5 location=embedded
…

Note the presence of the

runtime
flag.

And this command will dump your entitlements:

% codesign -d --entitlements :- MyTest.app
…
<dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>

Remember that, if you’re working with a login item, you need to run these commands against the login item embedded within your app, not the app itself.

Finally, Avoid the Get-Task-Allow Entitlement section of Resolving Common Notarization Issues discusses this issue in some detail.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

ps DTS is closed 21 Dec through 1 Jan.

Add a Comment