"Failed to gain authorization"

[kettle11]

When I try to run an Allocations profile I get the following error:

      Failed instruments errored: [ERROR] Run issues detected (trace is still ready to be viewed):
* Failed to gain authorization

I'm on an M1 Mac running macOS Big Sur 11.4.

I suspect that it's related to this issue: https://developer.apple.com/forums/thread/681687

But if that were the case then it seems likely other users of cargo-instruments would be hitting it as well. Is anyone else hitting this issue?

[cmyr]

I'm still not running big sur anywhere, although I will be in a week or so.

[hkratz]

You have to replace the ad-hoc signature of the binary to be profiled with a new one that has the com.apple.security.get-task-allow entitlement enabled. You can do it like this:

1. Create an ent.plist file with the following contents in your home dir:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.security.get-task-allow</key>
        <true/>
    </dict>
</plist>

2. Build the binary.
3. Resign it with a new ad-hoc signature including the entitlement: codesign -s - -f --entitlements ~/ent.plist <path to binary>
4. Run the profiler with xcrun xctrace record --template 'Allocations' --launch -- <path to binary> [args...]

[cmyr]

@hkratz this sounds like something I should be able to do automatically as part of the tool?

[hkratz]

@cmyr Yes. It would probably be best if you could do this by setting some magic linker options for rustc. The linker is the one doing the ad-hoc signing in the first place so I assume it can also include the entitlement somehow.

[chotchki]

I think we could hack around this by doing an adhoc signature that's mentioned in this blog post

https://eclecticlight.co/2020/08/22/apple-silicon-macs-will-require-signed-code/