Is it mandatory now to have the macOS App signed to allow
camera access?
We strongly recommend that you sign all code. Moreover, code signing is absolutely required on Apple silicon; it’s impossible to run unsigned code on those machines.
If you’re working with a protected resource, like the camera, then it’s critical that you sign with a stable signing identity (that is, not use ad hoc signing). TCC uses that stable signing identity to confirm that version N+1 of your app is the “same code” as version N. Without that, you get a lot of unnecessary privacy alerts.
Furthermore, I recommend that you also enable the hardened runtime. This is required for Developer ID signed apps to be notarised and is best practice in other circumstances. And you’ll see why this is relevant in a sec (-:
The app isn't singed at all, and the camera access code is provided by
an unsigned plugin. I cannot easily sign the whole thing, it basically
loads most of the functionality from plugins that are written by
external developers.
All of that is still possible. If these plug-ins are embedded within your app then you should sign them as part of your packaging process. The logic here is that, if you put this code on the user’s machine, you are responsible for its behaviour and so you should sign it as your code.
If you need to load a plug-in that isn’t embedded in your app and isn’t signed by you [1], you must ensure that library validation isn’t enabled. If you have the hardened runtime enabled, which you should, that opts you in to library validation and so you’ll need to opt out. To do that, sign your app with the Disable Library Validation Entitlement (com.apple.security.cs.disable-library-validation
) entitlement.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Keep in mind that plug-in developers shouldn’t be distributing unsigned code. If it’s Apple silicon code, you won’t be able to load it. And, regardless, it’s good for the code to be signed so that you can check its signature and then give the user an informed choice about whether your app should load it. You can do that using the code signing API, and I’m happy to go into those details if you want.