I'm working on a macOS app that I want to give "Full Disk Access". When I run from Xcode, I get "permission denied" errors when reading a file in my home directory.
What can I do so that I can run and debug from Xcode?
I dragged the binary from the derived data folder to the System Preferences list for Full Disk Access, but that seems to do nothing.
I get "permission denied" errors when reading a file in my home directory.
Which file specifically? The reason this matters is that our MAC system supports two different flavours, Files & Folders and Full Disk Access, and your best path forward depends on that detail.
Note For more background on this, see On File System Permissions.
I'm working on a macOS app
Just to clarify, are you using “app” to mean a “standalone GUI app that the user would normally double click in the Finder”.
Also, does your program have a stable code signing identity? In Xcode’s, Signing & Capabilities tab, what is the Signing Certificate popup set to?
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Okay, "Files and Folders" might work. The first file that gave the error had a path like "~/Workspace/MyProject/main.jl". That "Workspace" directory is where I have a lot of software dev and other projects. And yes, it's a GUI app that the user would normally click on in Finder. I think I want permissions similar to Xcode. The app is going to be editing different kinds of files: scripts, programming language code files, and custom "project" files that are SQLite databases. It's an app for creating 2D and 3G generative art. So it will probably open "Projects" that are directories full of files, but I would also like it to be able to edit random files. (So, similar to how Xcode works in that respect.)
Oops, forgot your last question. The Signing Certificate popup says "Development" now. I'm sorry, I don't know what you mean by "stable code signing identity". For some of my other projects, which are iOS apps deployed in the App Store, that item is not a popup and it does not say "Development". It will say something like "Apple Development: [My Name] ([alpha-numeric code])". This macOS app that I'm asking about has no App Store record (maybe someday).
The first file that gave the error had a path like
~/Workspace/MyProject/main.jl.
That location is not one protected by MAC. Is your app sandboxed?
The Signing Certificate popup says "Development" now.
That’ll do.
I don't know what you mean by "stable code signing identity".
For MAC to work is has to be able to identify build N+1 of your app as being the ‘same code’ as build N. It does this via its code signature, but that only works if the signature is the same from build to build. Hence “stable”. An Apple Development code signing identity works for that. The two things that don’t are unsigned code and ad hoc signed code.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Yes, it's sandboxed. Should I just turn that off? It was the default when Xcode created the project. It seems like the ideal is to leave it on and enable access to resources as needed. ?
I think I want permissions similar to Xcode.
Xcode is not sandboxed.
Should I just turn that off?
Well, that depends (-:
If you plan to deploy via the Mac App Store, you can’t turn it off. Mac App Store apps must be sandboxed.
If you’re deploying independently using Developer ID, you have the option to turn it off. As you say, it’s generally better to leave it on. The explicit user consent required by the App Sandbox makes it hard to support certain user experiences.
You mentioned two things in your earlier post:
A project document that references other files
2D and 3D art
The first is feasible in a sandboxed app. The trick is to have your project document store document-relative security-scoped bookmarks for each file referenced by the project. When the user adds a file to the project, you create and store a bookmark that lets you get back to that file.
The second is more challenging. Many existing file formats, especially in the 3D space, contain references to other files as simple strings. It’s hard to create a decent user experience for this in a sandbox app. See this post and my response to it.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Okay, thanks! I'll need time to try out these suggestions and post back later if I'm stuck. I wonder how recursive are the security-scoped bookmarks? Could I simply ask for access to /Users/joe or /Users/joe/Workspace and have read/write access to everything under it? I'll find out when I experiment some today.
I wonder how recursive are the security-scoped bookmarks?
Security-scoped bookmark let you save and restore access to a directory, and access to a directory encompasses everything inside it.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
