App with camera access crashes when launched from Finder but runs from Terminal

An App running on macOS Monterey 12.2.1 crashes when trying to access the camera with the following error report:

Termination Reason: Namespace TCC, Code 0 This app has crashed because it attempted to access privacy-sensitive data without a usage description. The app's Info.plist must contain an com.apple.security.device.camera key with a string value explaining to the user how the app uses this data.

The App's Info.plist contains a NSCameraUsageDescription key plus description. Also it asks the user for permission and works fine when run from the Terminal. It only crashes when launched via Finder or Dock.

The App is not signed nor hardened and thus has no entitlements. Did something change? The App worked fine before.

Many thanks for any hints.

Dear Fritzt,

In addition to the access usage description in the Info.plist you also need to add the key com.apple.security.device.camera set to true in the Entitlements.plist. If you are signing the code manually, you have to pass the Entitlements.plist to the codesign tool like :

codesign --timestamp --deep --entitlements Entitlements.plist --keychain <keychain> --sign <signing ID> MyApplication.app -f -o runtime

For more information, you can have a look at this great blog post by David Fernandez : https://www.theimpostersyndrome.dev/posts/macospackaging/

Dear Makav, thanks for your response. Is it mandatory now to have the macOS App signed to allow camera-access? The app isn't singed at all, and the camera access code is provided by an unsigned plugin. I cannot easily sign the whole thing, it basically loads most of the functionality from plugins that are written by external developers.

Is it mandatory now to have the macOS App signed to allow camera access?

We strongly recommend that you sign all code. Moreover, code signing is absolutely required on Apple silicon; it’s impossible to run unsigned code on those machines.

If you’re working with a protected resource, like the camera, then it’s critical that you sign with a stable signing identity (that is, not use ad hoc signing). TCC uses that stable signing identity to confirm that version N+1 of your app is the “same code” as version N. Without that, you get a lot of unnecessary privacy alerts.

Furthermore, I recommend that you also enable the hardened runtime. This is required for Developer ID signed apps to be notarised and is best practice in other circumstances. And you’ll see why this is relevant in a sec (-:

The app isn't singed at all, and the camera access code is provided by an unsigned plugin. I cannot easily sign the whole thing, it basically loads most of the functionality from plugins that are written by external developers.

All of that is still possible. If these plug-ins are embedded within your app then you should sign them as part of your packaging process. The logic here is that, if you put this code on the user’s machine, you are responsible for its behaviour and so you should sign it as your code.

If you need to load a plug-in that isn’t embedded in your app and isn’t signed by you [1], you must ensure that library validation isn’t enabled. If you have the hardened runtime enabled, which you should, that opts you in to library validation and so you’ll need to opt out. To do that, sign your app with the Disable Library Validation Entitlement (com.apple.security.cs.disable-library-validation) entitlement.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Keep in mind that plug-in developers shouldn’t be distributing unsigned code. If it’s Apple silicon code, you won’t be able to load it. And, regardless, it’s good for the code to be signed so that you can check its signature and then give the user an informed choice about whether your app should load it. You can do that using the code signing API, and I’m happy to go into those details if you want.

Thanks for the detailed explanation, I read about it some years ago. The software in question is a graphical in-house development tool, the final products are signed and notarized of course. I still think the error explanation in the crash log is in contrast to the documentation and your explanation ("app's Info.plist must contain an com.apple.security.device.camera key"). I filed a radar for it: FB9910936.

What I also don't understand why it runs when I start the App from Terminal and only crashes when launched from Finder ...

What I also don't understand why it runs when I start the App from Terminal

That’s most likely because an app started from Terminal inherits Terminal’s TCC context.

There are two inter-related things in play here:

You have to get both right.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

App with camera access crashes when launched from Finder but runs from Terminal
 
 
Q