Mora Catalina permissions woes....

Paul Dupuis paul at researchware.com
Mon Jun 29 15:31:21 EDT 2020 

List Folks: A head up of a Catalina issue:

If your code signed Standalone is trying to access stacks that are 
OUTSIDE the app bundle under Catalina, sometimes Catalina will not 
properly detect your apps need for access. You will not get an "App 
wants access to blah blah: Allow or Deny" dialogs and you app will throw 
a script error (if you have assumed successful access and not coded for 
errors)

In our case, we have the App (bundle) and a folder of stacks that sits 
next to it, both in a containing folder that is what is installed where 
the user installs it. So

FOLDER: OurAppFolder
 > OurApp.app
 >FOLDER: OurStacks
 >> Some library stacks

We construct a full path to each library stack in "OurStacks" in a 
variable called tLibrary and when we execute
if there is a file tLibrary then
   start using tLibrary
end if
for the 1st library, we get a script error on the start using statement. 
The test for existence does return true.

start: can't find object

If you go to Apple (menu) > System Preferences (menu item) > Security & 
Privacy (panel) > Privacy (tab) > Full Disk Access and grant 
"OurApp.app" access, then subsequent launches work flawlessly.

This is clearly a Catalina entitlements/permissions issue.

We have distilled a test stack and have seen the error occur multiple 
times. The problem is we have not found a recipe that reproduces the 
error 100% reliably.

I have seen discussions that suggest Apple has provided NO entitlement 
you can code sign your app with to allow full disk access. They see 
individual folder access (like Documents, Desktop, etc.) and Full Disk 
Access (which subsumes all individual folder access) as being only 
grantable by the user.

QUESTIONS:

1) Any one else run into any situations where Catalina is failing to 
detect and ask for ANY given entitlement?

2) Any one else run into failures in detecting and asking for disk 
access entitlements?

3) If you have this problem, do you you tell customers to grant the app 
full disk access before running it? If so, how do you phrase that in a 
way that makes them comfortable and works?

4) Does anyone know of an entitlement for macOS Catalina that allows 
full disk access? Or even access to say the Applications folder?


P.S. If we can produce a recipe that is reliable, we will file a bug 
report on this. At the very least, LC may want to update "start using" 
to return an error code so you don't have to trap it with a try...end 
try block.

More information about the use-livecode mailing list