Hi all,
I'm trying to add a Finder Sync (FinderSync) extension (appex) to our macos application. I wanted to provide custom contextual menu items that perform file and folder management tasks.
However, extension installation errors occur in some systems:
error 13:56:21.324867+0900 pkd [d ] [u 23575956-D35A-4548-8C72-207FC055E72F] [()] rejecting; Ignoring mis-configured plugin at [/Library/Application Support/test/bin/ScanExtension.app/Contents/PlugIns/ScanExtensionScan.appex]: plug-ins outside containing apps must be protected by SIP.
error 13:56:22.468347+0900 pkd [d ] [u 23575956-D35A-4548-8C72-207FC055E72F] [()] rejecting; Ignoring mis-configured plugin at [/Library/Application Support/test/bin/ScanExtension.app/Contents/PlugIns/ScanExtensionScan.appex]: plug-ins outside containing apps must be protected by SIP.
error 14:02:56.228344+0900 pkd [d ] [u 23575956-D35A-4548-8C72-207FC055E72F] [()] rejecting; Ignoring mis-configured plugin at [/Library/Application Support/test/bin/ScanExtension.app/Contents/PlugIns/ScanExtensionScan.appex]: plug-ins outside containing apps must be protected by SIP.
This error does not happen 100% of the time. Sometimes, I can successfully add extensions to some of our systems.
In the environment where the installation fails, I have tried adding our ScanExtensionScan.appex to [Security & Privacy Preferences/Privacy/Full Disk Access] to check if this is an app permission problem and I was able to install the extension successfully.
Below are the information about our extension:
ScanExtensionScan.entitlements
fbtest@fbtestnoMac-mini build_debug % codesign -d --entitlements :- /Library/Application\ Support/test/bin/ScanExtension.app/Contents/PlugIns/ScanExtensionScan.appex
Executable=/Library/Application Support/test/bin/ScanExtension.app/Contents/PlugIns/ScanExtensionScan.appex/Contents/MacOS/ScanExtensionScan
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>co.jp.fuva-brain.scanextension</string>
</array>
<key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
<array>
<string>/</string>
</array>
<key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
<array>
<string>/</string>
</array>
</dict>
</plist>
Codesigning our plugin with the cert:
codesign --sign <cert> --entitlements ScanExtensionScan.entitlements --force /Library/Application\ Support/test/bin/ScanExtension.app/Contents/PlugIns/ScanExtensionScan.appex
Questions:
What are the possible reasons why we can install our app extension on some environments and fail on others, sometimes on the same environment?
How do we guarantee 100% success on adding and activating extensions without adding it to Full Disk Access?
Thanks in advance for your help.
I'm trying to add a Finder Sync (FinderSync) extension (appex) to our macos application. I wanted to provide custom contextual menu items that perform file and folder management tasks.
However, extension installation errors occur in some systems:
error 13:56:21.324867+0900 pkd [d ] [u 23575956-D35A-4548-8C72-207FC055E72F] [()] rejecting; Ignoring mis-configured plugin at [/Library/Application Support/test/bin/ScanExtension.app/Contents/PlugIns/ScanExtensionScan.appex]: plug-ins outside containing apps must be protected by SIP.
error 13:56:22.468347+0900 pkd [d ] [u 23575956-D35A-4548-8C72-207FC055E72F] [()] rejecting; Ignoring mis-configured plugin at [/Library/Application Support/test/bin/ScanExtension.app/Contents/PlugIns/ScanExtensionScan.appex]: plug-ins outside containing apps must be protected by SIP.
error 14:02:56.228344+0900 pkd [d ] [u 23575956-D35A-4548-8C72-207FC055E72F] [()] rejecting; Ignoring mis-configured plugin at [/Library/Application Support/test/bin/ScanExtension.app/Contents/PlugIns/ScanExtensionScan.appex]: plug-ins outside containing apps must be protected by SIP.
This error does not happen 100% of the time. Sometimes, I can successfully add extensions to some of our systems.
In the environment where the installation fails, I have tried adding our ScanExtensionScan.appex to [Security & Privacy Preferences/Privacy/Full Disk Access] to check if this is an app permission problem and I was able to install the extension successfully.
Below are the information about our extension:
ScanExtensionScan.entitlements
fbtest@fbtestnoMac-mini build_debug % codesign -d --entitlements :- /Library/Application\ Support/test/bin/ScanExtension.app/Contents/PlugIns/ScanExtensionScan.appex
Executable=/Library/Application Support/test/bin/ScanExtension.app/Contents/PlugIns/ScanExtensionScan.appex/Contents/MacOS/ScanExtensionScan
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>co.jp.fuva-brain.scanextension</string>
</array>
<key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
<array>
<string>/</string>
</array>
<key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
<array>
<string>/</string>
</array>
</dict>
</plist>
Codesigning our plugin with the cert:
codesign --sign <cert> --entitlements ScanExtensionScan.entitlements --force /Library/Application\ Support/test/bin/ScanExtension.app/Contents/PlugIns/ScanExtensionScan.appex
Questions:
What are the possible reasons why we can install our app extension on some environments and fail on others, sometimes on the same environment?
How do we guarantee 100% success on adding and activating extensions without adding it to Full Disk Access?
Thanks in advance for your help.
