Sqlite and Monterey on M1

Paul Dupuis paul at researchware.com
Thu May 12 15:30:23 EDT 2022

On 5/12/2022 2:25 PM, Richard Gaskin via use-livecode wrote:
> Bob Sneidar wrote:
> > I don't think the latest Apple operating systems allow the writing
> > to the App Support folder, even if you have explicit write
> > permissions.
> Where are we supposed to write application support files if not to 
> Application Support?
> First they demanded control of the file format apps use for Prefs, now 
> this...

I did a little bit of research when I ran into my app breaking on 
Catalina and up when trying to reach a folder at 
specialFolderPath("temporary") and write files in that folder. The 
problem is that newer macOSes use an runtime algorithm to try to 
determine when an application is asking for access in "special" places. 
If the algorithm detect special access (sat to the Desktop or Documents 
folder or a Webcam and so on) the OS pops up the "Do you want to allow 
.. " dialog for the user to allow or deny access. An application signed 
and notarized WITH entitlements can specify some entitlements that are 
checked and if the App has declared these entitlements to protected 
resources, they are allowed. Some "protected" resources have NOT 
corresponding entitlements (at least currently). For disk access to 
folder paths without entitlements, the user can grant an application 
Full Disk Access, from System Preferences > Security, but and App can 
not specify an entitlement for Full Disk Access. It must be granted by 
the user.

Further, an Apple Engineer is a forum response (or someone claiming to 
be an Apple Engineer) noted that the algorithm to detect requests for 
special access resources can make mistakes and not recognize a request 
as a request and there for present a dialog to the user for allowing or 
denying and the default is to deny. So some circumstances, like apps 
running  in multiple processes (was an example cited, but it was implied 
there are other circumstances) your app MIGHT get the allow/deny dialog 
OR it might not - depending on your app. And for some resources, it just 
won't get any dialog and no entitlement will allow access, only 
instructions to the user to grant Full Disk Access (or some other 
similar ONLY allowed by the user permissions) will work.

In short, Apple's sandboxing is a developer mess. If you can, placing 
files in the Documents folder is best as (A) you can specify the 
Documents folder in an entitlement and (C) the sandboxing algorithm does 
seem to always detect (first time) Documents access requests and pop up 
the dialog.

DISCLAIMER: I did not have time to research this in detail and the 
"apple engineer" may or may not have been a real Apple engineer or knew 
what they were posting about. Our installer asks people on the last 
screen to grant our apps full disk access (if they are on Catalina+) and 
most people do and it solved a lot of recoding.

More information about the use-livecode mailing list