Duh! It didn't like the Xml. Here are the entitlements:
com.apple.security.automation.apple-events true
com.apple.security.network.client true
com.apple.security.network.server true
com.apple.security.temporary-exception.apple-events true
com.apple.security.cs.allow-unsigned-executable-memory true
com.apple.security.cs.disable-library-validation true
com.apple.security.cs.allow-dyld-environment-variables true
com.apple.security.files.user-selected.read-write true
OK, I've moved on a bit... and would appreciate confirmation of my current understanding...
The reason that terminal works is because this is enabled in Security & Privacy > Privacy > Automation > Terminal.app > System Events.app (checked). When the app is run via the terminal it inherits these rights, so all is fine and dandy.
The only way to make this work when double clicking the app is to use a temporary exception entitlement:
com.apple.security.temporary-exception.apple-events
This is largely prohibited from the app store, which doesn't concern me, as I will be "out of App store".
So I've taken my first round of the codesign, notarize dance:
After creating my App ID, the Developer Certificate, and Provisioning Profile I then created an entitlements plist. Please see below.
I then signed the app and notarized successfully. Note: I am not using Xcode, but used the command line utilities. This did not fix the problem.
My current thinking as to what may address the issue is:
Set the Capabilities within the App ID. When I set this up, I couldn't see any that related to System Events, so currently no capabilities are enabled. What one(s), if any do I need to enable on the App ID to activate the System Events?
I need to use the Provisioning Profile to "whitelist" the temporary exception. Is this required? I haven't found any instructions yet as to how to use the Provisioning Profile to white list the temporary exception. How do I do this? I've seen a reference to placing it in the MacOS directory, but not sure...
I need to "Harden Up"! I suspect this may be a prerequisite for enabling the temporary exception, but again I'm not sure. I believe there's a setting within Xcode, but how do I "harden" manually, and at what stage do I do this?
I'm missing some other entitlements. Please see the current ones below - are these all necessary and sufficient?
I suspect that the network entitlements have worked, but how do I check that? There are no permissions within the Privacy panel. I understand that the user approved entitlements get stored in the TCC database, but the tccutil doesn't provide a way of listing these?
I'd very much appreciate some pointers as to which avenues to take.
Thanks,
Stew
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
<key>com.apple.security.files.user-selected.read-write</key><true/>
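
Added example, not part of the thread and not Apple's tooling: a small Python audit of an entitlements plist like the one posted above. It flags hardened-runtime exceptions, keys from the App Sandbox families when `com.apple.security.app-sandbox` is absent, and a `temporary-exception.apple-events` value that is not an array of bundle identifiers. The function name, the finding categories and the sample plist are assumptions, built from the eight keys listed in the thread.

```python
import plistlib

# Keys that switch off a hardened-runtime protection (all three are in the thread).
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "writable+executable memory without MAP_JIT restrictions",
    "com.apple.security.cs.disable-library-validation":
        "loads code not signed by Apple or the same Team ID",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* variables can inject code into the process",
}
SANDBOX_KEY = "com.apple.security.app-sandbox"
# Assumption: these key families are App Sandbox entitlements.
SANDBOX_PREFIXES = (
    "com.apple.security.network.",
    "com.apple.security.files.",
    "com.apple.security.temporary-exception.",
)
TEMP_APPLE_EVENTS = "com.apple.security.temporary-exception.apple-events"


def audit_entitlements(plist_bytes):
    """Return a sorted list of (category, key, note) findings."""
    ents = plistlib.loads(plist_bytes)
    sandboxed = ents.get(SANDBOX_KEY) is True
    findings = []
    for key, value in ents.items():
        if value is True and key in RUNTIME_EXCEPTIONS:
            findings.append(("runtime-exception", key, RUNTIME_EXCEPTIONS[key]))
        if key.startswith(SANDBOX_PREFIXES) and not sandboxed:
            findings.append(("sandbox-only", key, "needs " + SANDBOX_KEY))
        if key == TEMP_APPLE_EVENTS and not (
            isinstance(value, list) and all(isinstance(v, str) for v in value)
        ):
            findings.append(("wrong-type", key, "expects array of bundle IDs"))
    return sorted(findings)


# Constructed sample: the eight keys from the thread, each set to true.
SAMPLE = plistlib.dumps({k: True for k in (
    "com.apple.security.automation.apple-events",
    "com.apple.security.network.client",
    "com.apple.security.network.server",
    TEMP_APPLE_EVENTS,
    *RUNTIME_EXCEPTIONS,
    "com.apple.security.files.user-selected.read-write",
)})

if __name__ == "__main__":
    for category, key, note in audit_entitlements(SAMPLE):
        print(f"{category:18} {key}: {note}")
```

To audit a signed bundle instead of the sample, feed the function the plist that `codesign -d --entitlements :- <path to app>` writes to standard output.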