Hi,
I realize that there was a similar question asked about a year ago, but I wasn't sure if it was appropriate to "piggy back" onto that thread, and it didn't seem to have a definitive solution. The thread I'm referring to is: https://developer.apple.com/forums/thread/131568?answerId=415860022
My problem is similar but perhaps not quite the same as I just have one app that 'owns' the helper tool.
I am currently on Xcode 13 and Monterey. I implemented an app and privileged helper according to the EvenBetterAuthorizationSample, using SMJobBless and everything.
The privileged helper is a console tool, with the sole purpose of running the installer command to install a downloaded installer package. The app and tool are code-signed, and the app has 'Privacy - Downloads Folder Usage Description' in the plist.
When I launch the app it should install a specified package via the helper tool.
And... it works great, which I was pleasantly surprised with given the complexity of this thing. There is just one problem:
The helper tool cannot access the Downloads folder. If the package is located in /users/me, no problem, but if it's /users/me/Downloads then installer can't access the file. This is not unique to the '/usr/sbin/installer' command; I tested other commands like '/bin/ls'.
If I look in Security & Privacy --> Privacy --> Full Disk Access, I can see the helper listed there as com.myCompany.myApp.helper but it is not checked. If I check it manually, then... it works. Great! The only problem is, for this to work for a user it would have to fail once, and then I would have to explain to the user how to fix it and try again, which is very awkward.
While I'm doing testing, between tests I'm using launchctl to unload the helper, and removing it from LaunchDaemons and PrivilegedHelperTools. I'm also using 'tccutil reset SystemPolicyAllFiles com.myCompany.myApp'.
Another observation: The app itself can somehow write files to the Downloads folder. And it doesn't show a dialog to ask for permission when I launch the app.
Obviously one solution is to not even use the Downloads folder for these downloads. I could create a folder like /users/me/myDownloads, and download the packages there. That seems a bit silly... or maybe not?
Thanks for any help with this.
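The between-test cleanup described in the post (unload the helper with launchctl, remove it from LaunchDaemons and PrivilegedHelperTools, reset the app's Full Disk Access entry with tccutil) written out as a small POSIX shell script. This is an added example, not the poster's code or Apple's sample code. It assumes the standard SMJobBless install locations (/Library/LaunchDaemons/<helper-id>.plist and /Library/PrivilegedHelperTools/<helper-id>), uses the identifiers quoted in the post, and adds one assumed step: resetting the helper's own TCC entry, since the post says the helper shows up under Full Disk Access with its own identifier. A DRY_RUN mode prints each command instead of running it, which is a sensible habit for any script that removes launchd daemons as root.

```shell
#!/bin/sh
# Added example: reset an SMJobBless privileged helper and its TCC grants
# between test runs. Not the poster's code; paths below are the standard
# SMJobBless locations, identifiers are the ones quoted in the post.

HELPER_ID="com.myCompany.myApp.helper"   # helper label from the post
APP_ID="com.myCompany.myApp"             # app bundle id from the post

# DRY_RUN=1 prints the commands instead of executing them.
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Standard SMJobBless install locations for a helper with the given label.
helper_daemon_plist() {
    echo "/Library/LaunchDaemons/$1.plist"
}

helper_binary() {
    echo "/Library/PrivilegedHelperTools/$1"
}

# reset_helper HELPER_ID APP_ID
# 1. unload the launchd daemon (the post's launchctl step)
# 2. remove the daemon plist and the helper binary
# 3. reset Full Disk Access (SystemPolicyAllFiles) for the app, as in the post
# 4. assumed extra step: also reset the helper's own entry, since the post
#    reports the helper listed separately under Full Disk Access
reset_helper() {
    hid="$1"
    aid="$2"
    plist="$(helper_daemon_plist "$hid")"
    bin="$(helper_binary "$hid")"

    run sudo launchctl unload "$plist"
    run sudo rm -f "$plist" "$bin"
    run tccutil reset SystemPolicyAllFiles "$aid"
    run tccutil reset SystemPolicyAllFiles "$hid"
}

# Only run the reset when executed directly, not when sourced for testing.
if [ "${0##*/}" = "reset_helper.sh" ]; then
    reset_helper "$HELPER_ID" "$APP_ID"
fi
```

Run it once with `DRY_RUN=1 sh reset_helper.sh` to review the exact commands, then without DRY_RUN (it will prompt for sudo) before each test. After it runs, the helper should be gone from `launchctl list` and from the Full Disk Access list, so the next SMJobBless install starts from a clean state.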