I am aware of the new 'App Management' feature added in macOS Ventura. I am wondering if there is an API for a macOS app to request and grant this permission, instead of waiting for the push notification, changing the privacy settings, restarting the app and trying again.
I have an installer app which downloads our macOS app from our server (as a zip) and extracts it to the root folder of a USB flash drive. Both the installer and the macOS app are code-signed and notarized with the same Developer ID certificate and Team ID.
What to expect?
macOS Ventura should allow my installer to extract the app bundle to the root folder of the USB flash drive.
What happened?
macOS Ventura doesn't allow my installer to extract the app bundle to the root folder of the drive; an App Management notification was triggered. It does allow my installer to extract the software to any subfolder on the USB drive.
I am forcing my users to enable Full Disk Access before installing the software to their USB drive, which is not ideal. Is this a Gatekeeper bug?
I have an Electron app built for macOS, and it has been distributed via 'Developer ID' for years. It worked well, and I was able to access the photos in the system Photos library. Surely I already have the 'NSPhotoLibraryUsageDescription' key in Info.plist.
Recently we have been trying to publish this app to the Mac App Store, so I had to turn on the sandbox; after that the app started giving XPC errors while accessing the Photos library. The errors look like:
PHAuthorizationStatus: Authorized
CoreData: XPC: sendMessage: failed #0
CoreData: XPC: Unable to sendMessage: to server
...
CoreData: XPC: sendMessage: failed #7
CoreData: XPC: Unable to connect to server with options {
NSPersistentHistoryTrackingKey = 1;
NSXPCStoreServerEndpointFactory = "<PLXPCPhotoLibraryStoreEndpointFactory: 0x7fc67e8af370>";
skipModelCheck = 1;
}
CoreData: XPC: Unable to load metadata: Error Domain=NSCocoaErrorDomain Code=134060 "A Core Data error occurred." UserInfo={Problem=Unable to send to server; failed after 8 attempts.}
CoreData: fault: Unable to create token NSXPCConnection. NSXPCStoreServerEndpointFactory 0x7fc67e8af370 -newEndpoint returned nil
CoreData: error: Failed to create NSXPCConnection
It seems the app can detect the current PHAuthorizationStatus, which is Authorized, but it can't fetch the photos from the Photos library (using PhotoKit).
I learned from here that I could look for errors from the sandboxd daemon, so I did that; here is what I saw:
Sandbox: Picture Keeper(32625) deny(1) mach-lookup com.apple.photos.service
Violation: deny(1) mach-lookup com.apple.photos.service
Process: Picture Keeper [32625]
Path: /Applications/Picture Keeper.app/Contents/MacOS/Picture Keeper
Load Address: 0x103bd3000
Identifier: com.simplifieditproducts.picturekeepermas
Version: 4575 (4.5.75)
Code Type: x86_64 (Native)
Parent Process: Picture Keeper [1]
Responsible: /Applications/Picture Keeper.app/Contents/MacOS/Picture Keeper
User ID: 501
Date/Time: 2024-08-26 16:16:14.645 EDT
OS Version: macOS 14.5 (23F79)
Release Type: User
Report Version: 8
MetaData: {"process_path":["Users","Kevin","Projects","Electron","picturekeeper-electron","dist","picturekeeper","mas-dev","Picture Keeper.app","Contents","MacOS","Picture Keeper"],"apple-internal":false,"primary-filter":"global-name","policy-description":"Sandbox","flags":5,"platform-policy":false,"build":"macOS 14.5 (23F79)","process-path":"\/Applications\/Picture Keeper.app\/Contents\/MacOS\/Picture Keeper","responsible-process-path":"\/Applications\/Picture Keeper.app\/Contents\/MacOS\/Picture Keeper","primary-filter-value":"com.apple.photos.service","platform_binary":"no","responsible-process-signing-id":"com.simplifieditproducts.picturekeepermas","hardware":"Mac","target":"com.apple.photos.service","action":"deny","mach_namespace":1,"checker-pid":1,"container":"\/Users\/Kevin\/Library\/Containers\/com.simplifieditproducts.picturekeepermas\/Data","binary-in-trust-cache":false,"team-id":"LU744924UY","process":"Picture Keeper","global-name":"com.apple.photos.service","platform-binary":false,"pid":32625,"summary":"deny(1) mach-lookup com.apple.photos.service","checker":"launchd","responsible-process-team-id":"xxxxx","operation":"mach-lookup","normalized_target":["com.apple.photos.service"],"errno":1,"uid":501,"profile-flags":0,"profile-in-collection":false,"sandbox_checker":"launchd","signing-id":"com.simplifieditproducts.picturekeepermas","release-type":"User"}
I believe I already have the necessary entitlements for the Photos library, see:
codesign -d --entitlements - /Applications/Picture\ Keeper.app/Contents/MacOS/Picture\ Keeper
[Dict]
[Key] com.apple.application-identifier
[Value]
[String] xxxx.com.simplifieditproducts.picturekeepermas
[Key] com.apple.developer.team-identifier
[Value]
[String] xxxx
[Key] com.apple.security.app-sandbox
[Value]
[Bool] true
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] xxxx.com.simplifieditproducts.picturekeepermas
[Key] com.apple.security.assets.movies.read-only
[Value]
[Bool] true
[Key] com.apple.security.assets.music.read-only
[Value]
[Bool] true
[Key] com.apple.security.assets.pictures.read-write
[Value]
[Bool] true
[Key] com.apple.security.cs.allow-dyld-environment-variables
[Value]
[Bool] true
[Key] com.apple.security.cs.allow-jit
[Value]
[Bool] true
[Key] com.apple.security.cs.allow-unsigned-executable-memory
[Value]
[Bool] true
[Key] com.apple.security.cs.disable-executable-page-protection
[Value]
[Bool] true
[Key] com.apple.security.cs.disable-library-validation
[Value]
[Bool] true
[Key] com.apple.security.device.usb
[Value]
[Bool] true
[Key] com.apple.security.files.bookmarks.app-scope
[Value]
[Bool] true
[Key] com.apple.security.files.bookmarks.document-scope
[Value]
[Bool] true
[Key] com.apple.security.files.downloads.read-only
[Value]
[Bool] true
[Key] com.apple.security.files.user-selected.read-write
[Value]
[Bool] true
[Key] com.apple.security.network.client
[Value]
[Bool] true
[Key] com.apple.security.network.server
[Value]
[Bool] true
[Key] com.apple.security.personal-information.location
[Value]
[Bool] true
[Key] com.apple.security.personal-information.photos-library
[Value]
[Bool] true
By the way, the Photos-library-related code was built into a .node file (which is a dylib), which is loaded by the main executable at runtime.
Anything I missed? Thank you!
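One way to correlate the sandboxd denial above with the entitlements codesign reports, as an added example that is not part of the original post: it parses the legacy `[Key]`/`[Value]` text dump and the one-line `deny(1)` summary, and checks whether the entitlement one would expect to cover the denied Mach service is present on the binary. The sample inputs are a constructed subset of the output quoted in the post, and the service-to-entitlement mapping is an assumption.

```python
"""Correlate a sandboxd mach-lookup denial with the entitlements reported by codesign."""
import re

# Constructed: subset of the `codesign -d --entitlements -` text dump quoted in the post.
CODESIGN_DUMP = """\
[Dict]
[Key] com.apple.security.app-sandbox
[Value]
[Bool] true
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] xxxx.com.simplifieditproducts.picturekeepermas
[Key] com.apple.security.personal-information.photos-library
[Value]
[Bool] true
"""

# Constructed: the one-line summary sandboxd logged for the mach-lookup denial.
SANDBOX_LINE = "Sandbox: Picture Keeper(32625) deny(1) mach-lookup com.apple.photos.service"

# Assumption: which entitlement a practitioner expects to cover a denied Mach service.
SERVICE_TO_ENTITLEMENT = {
    "com.apple.photos.service": "com.apple.security.personal-information.photos-library",
}

def parse_entitlements(dump):
    """Turn the [Key]/[Value] dump into {key: value}; [Bool] -> bool, [Array] -> list."""
    ents, key, current = {}, None, None
    for line in dump.splitlines():
        tag, _, rest = line.strip().partition(" ")
        if tag == "[Key]":
            key, current = rest, None          # a new key closes any open array
        elif tag == "[Bool]":
            ents[key] = rest == "true"
        elif tag == "[Array]":
            ents[key] = current = []
        elif tag == "[String]":
            if current is not None:
                current.append(rest)
            else:
                ents[key] = rest
    return ents

def parse_denial(line):
    """Extract (process, pid, operation, target) from a 'deny(1)' sandbox line."""
    m = re.search(r"Sandbox: (.+?)\((\d+)\) deny\(\d+\) (\S+) (\S+)", line)
    return None if m is None else (m.group(1), int(m.group(2)), m.group(3), m.group(4))

def check_denial(line, dump):
    """Report whether the denied target is covered by an entitlement the binary carries."""
    proc, pid, op, target = parse_denial(line)
    ents = parse_entitlements(dump)
    needed = SERVICE_TO_ENTITLEMENT.get(target)
    return {"process": proc, "pid": pid, "operation": op, "target": target,
            "sandboxed": ents.get("com.apple.security.app-sandbox", False),
            "expected_entitlement": needed,
            "entitlement_present": bool(needed and ents.get(needed))}
```

For the post's data the check reports the entitlement as present while the lookup is still denied, which narrows the investigation to which process actually performs the lookup rather than to the entitlement file itself.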
On my dev machine, I built my app into the 'dist' folder; the app was signed with either a 'Development' provisioning profile or a 'Distribution' provisioning profile.
I then published the app to the Mac App Store and it is live. When I tried to install the app, I noticed that the Mac App Store may install my app into my 'dist' folder (i.e. the build folder) instead of the 'Applications' folder.
Is there a way to make sure that the app will always be installed into the 'Applications' folder?
Testing on a non-dev machine seems to be working fine.
Apple provides a way for the app developer to migrate app data from previous locations to the Mac App Store app container folder; see Migrating your app’s files to its App Sandbox container.
My question is: it seems this feature only allows us to migrate or move the existing app files into the sandbox folder; however, I'd like to "copy" these files instead of "moving" them.
I have already tried a "Copy" key in the plist file instead of the "Move" key, and it didn't work.