If Applications are not codesigned or notarised then we are seeing multiple Files and Folders user consents

macOS needs a way to determine code identity. If the user grants consent to version N of an app and then you upgrade the app to version N+1, the system needs to be able to know that version N+1 is actually the same app, and not some imposter. It does this via code signing. Exactly how this works varies by subsystem, but most subsystems rely on the designated requirement (DR), which is part of the code signature. You need to make sure that’s consistent between releases of your app.

You can dump the DR for your app as shown below:

$ codesign -d -r - Keyboard\ Maestro.app
Executable=/MyApplications/Keyboard Maestro.app/Contents/MacOS/Keyboard Maestro
designated => identifier "com.stairways.keyboardmaestro.editor" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = QMHRBA4LGH

The key points here are the Team ID and the code signing identifier. All the other goo just identifies this as a Developer ID app.

If you don’t sign your code then the system has no way to track its identity and all sorts of things will fail.

WARNING At WWDC 2019 Session 701 Advances in macOS Security we announced that a future versions of macOS will not run unsigned code by default.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"