Catalina Entitlements or Permissions (was Possible Catalina problem)

Paul Dupuis paul at researchware.com
Wed Jun 17 15:23:48 EDT 2020


Arghh!

So I am Googling and Googling and hunting around the Apple Developer 
site to try to find a comprehensive list of macOS entitlements so I can 
code sign my app with the entitlements my app needs to not generate 
errors under Catalina.

I want to execute:

    codesign --verbose --deep --force --sign "<your_certificate_here>" --entitlements <path_to_entitlements.plist_file> <path_to_standalone_app_bundle>

with an entitlements.plist file with entitlements to grant my app 
certain disk access, internet access, email access, and finder integration.

Finally, I find this article that basically says Apple has no 
comprehensive list - their published developer documentation has not 
kept up with the additions they have been making in point release 
updates to macOS: 
https://eclecticlight.co/2019/02/26/entitlements-how-apps-get-back-what-theyve-given-up/

The lack of an up-to-date comprehensive entitlements list was apparently 
bad enough that a guy by the name of Jonathan Levin built a database to 
keep track of them since Apple couldn't (or wouldn't), so at least there 
is this handy database at http://newosxbook.com/ent.jl

Now, if only I could figure out from the database which ones I need to add.

Perhaps, it is time to switch to Mark Talluto's suggestion to use 
AppWrapper!


On 6/16/2020 6:28 PM, Paul Dupuis via use-livecode wrote:
> Hi Panos,
>
> Thank you very much. The discussion in the bug entry answered a lot of 
> my questions. I have one last thing I hope you or someone can point me 
> to, which is a list of Apple macOS "entitlements"
>
> From the bug entry I see:
>
>     <key>com.apple.security.device.audio-input</key>
>     <true/>
>     <key>com.apple.security.device.camera</key>
>     <true/>
>
> I need to figure out the ones for email access, finder integration 
> (drag/drop), internet access, and disk access.
>
> We've seen Catalina ask the user for:
>
> 1. HyperRESEARCH requests access to the Internet (if Apple Firewall is
>    turned on). - We assume this is because our app needs to check for
>    new versions and updates and for license management.
> 2. HyperRESEARCH requests access to the "Finder". - We assume this is
>    to receive AppleEvents (system messages) if a Study file is double
>    clicked or dragged and dropped on HyperRESEARCH to open the Study.
> 3. HyperRESEARCH requests access to your "Contacts". We assume this is
>    for access to send an email for an error report if an error occurs.
>    Our App does not access any names or addresses.
>
> I have tried Google for macOS or Catalina and entitlements but all I 
> seem to be able to find is articles from the user's perspective, not 
> developers information.
>
>
>
>
> On 6/15/2020 12:21 PM, panagiotis merakos via use-livecode wrote:
>> Hello Paul,
>>
>> I guess you can sign the standalone mac app with entitlements, i.e. use a
>> file that will contain all the necessary entitlements, and include it in
>> the params passed to the codesign command. See this report for more details:
>>
>> https://quality.livecode.com/show_bug.cgi?id=22660
>>
>> Kind regards,
>> Panos
>> -- 
>>
>> On Mon, 15 Jun 2020 at 14:56, Paul Dupuis via use-livecode <
>> use-livecode at lists.runrev.com> wrote:
>>
>>> We're having some macOS Catalina permissions/entitlements issues
>>>
>>> We have applications that we deliver for Catalina where the application
>>> (LiveCode standalone) is code-signed. It is then packaged in an
>>> installer (LiveCode standalone) and the installer is code signed. That
>>> is then placed in a DMG, which is code-signed, notarized, and stapled.
>>>
>>> This has worked for us since October when Catalina was released.
>>>
>>> It still works, except sometimes, after successful downloading and
>>> installation, when the application is first launched, Catalina does not
>>> ask for the permissions the Application needs. Instead certain handlers
>>> throw an execution error. The handlers that produce the errors on
>>> startup when Catalina fails to ask for permissions have the following in
>>> common:
>>>
>>> They set the defaultFolder to folders such as:
>>>
>>> /Library/PreferencePanes
>>> /Users/<username>/Library/Preferences -- this is using the code: the
>>> home folder & "/Library/PreferencePanes/"
>>> or
>>> /private/var/folders/fj/0llnt4vs44vfzy4r97k_wngc0000gp/T/TemporaryItems
>>> -- this is 'the temporary folder' on Mojave or Catalina. On Mavericks
>>> and earlier the temporary folder was
>>> /Users/<USER>/Library/Caches/TemporaryItems
>>>
>>> After setting the defaultFolder, the code gets 'the files' or 'the
>>> folders' and fails (actually we've not pinned down whether it fails on
>>> set the defaultFolder OR on the call to 'the files/folders')
>>>
>>> Going to Apple (menu) > System Preferences (menu item) > Security &
>>> Privacy (control) > Privacy (tab) and selecting Full Disk Access and
>>> adding our applications prevents these errors from occurring.
>>>
>>> The issue is clearly with Catalina failing to detect and ask for the
>>> correct permissions. This is a known issue a number of developers have
>>> run into. See https://forums.developer.apple.com/thread/125438 as one
>>> example where an Apple support person admits that detecting what
>>> permissions a process is requesting that is tied back to your user
>>> visible app (something Apple calls 'responsibility tracking') is really
>>> hard.
>>>
>>> For iOS and Android, you can specify entitlements or requested
>>> permissions in the Standalone Builder Settings. How do you do this for
>>> macOS Catalina?
>>>
>>> Does anyone know if there is a way to specify entitlements for a macOS
>>> desktop app built in LiveCode? I have been googling and googling and
>>> can't seem to find anything. I found one discussion on stackExchange that
>>> seemed to imply that the PLIST file could be edited to specify entitlements. I
>>> have tried the Apple Developer site, but SO MUCH of it is oriented towards
>>> people with lots of Apple Developer experience and focuses on C and
>>> SWIFT and Apple specific technologies I don't understand.
>>>
>>> I can edit the XML in a PLIST file in the standalone bundle IF I only
>>> knew what to add?
>>>
>>>
>>> _______________________________________________
>>> use-livecode mailing list
>>> use-livecode at lists.runrev.com
>>> Please visit this url to subscribe, unsubscribe and manage your
>>> subscription preferences:
>>> http://lists.runrev.com/mailman/listinfo/use-livecode
>>>
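
Added example, not part of the original thread or of LiveCode's tooling: a Python sketch that builds a complete entitlements.plist from the two keys quoted from the bug entry, audits a plist against the keys an app is meant to request before signing, and assembles the codesign call from the post as an argument list. It assumes every expected key is a boolean entitlement, as the two quoted ones are; the function names, `BAD_SAMPLE`, `MyApp.app` and `com.example.hypothetical-extra` are constructed for illustration.

```python
import plistlib

# Entitlement keys quoted in the thread above.
EXPECTED = [
    "com.apple.security.device.audio-input",
    "com.apple.security.device.camera",
]

def build_entitlements(keys):
    """Return XML plist bytes granting each key as boolean <true/>."""
    return plistlib.dumps({k: True for k in keys}, fmt=plistlib.FMT_XML)

def audit_entitlements(plist_bytes, expected):
    """List differences between a plist and the keys the app should request."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"not a valid plist: {exc}"]
    if not isinstance(data, dict):
        return ["top-level object must be a <dict>"]
    findings = []
    for key, value in sorted(data.items()):
        if key not in expected:
            findings.append(f"unexpected entitlement: {key}")
        if not isinstance(value, bool):
            findings.append(f"{key}: expected <true/> or <false/>, got {type(value).__name__}")
    findings += [f"missing entitlement: {k}" for k in expected if k not in data]
    return findings

def codesign_argv(identity, entitlements_path, app_path):
    """The codesign call from the post as an argv list (no shell quoting)."""
    return ["codesign", "--verbose", "--deep", "--force", "--sign", identity,
            "--entitlements", entitlements_path, app_path]

# Constructed sample: hand-edited file with a string value and a made-up key.
BAD_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.device.camera</key><string>true</string>
  <key>com.example.hypothetical-extra</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(build_entitlements(EXPECTED).decode())
    for finding in audit_entitlements(BAD_SAMPLE, EXPECTED):
        print("finding:", finding)
    print(codesign_argv("<your_certificate_here>", "entitlements.plist", "MyApp.app"))
```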




