Arghh!
So I am Googling and Googling and hunting around the Apple Developer
site to try to find a comprehensive list of macOS entitlements so I can
code sign my app with the entitlements my app needs to not generate
errors under Catalina.
I want to execute: codesign --verbose --deep --force --sign
"<your_certificate_here>" --entitlements
<path_to_entitlements.plist_file> <path_to_standalone_app_bundle>
with an entitlements.plist file with entitlements to grant my app
certain disk access, internet access, email access, and finder integration.
Finally, I find this article that basically says Apple has no
comprehensive list - their published developer documentation has not
kept up with the additions they have been making in point release
updates to macOS:
https://eclecticlight.co/2019/02/26/entitlements-how-apps-get-back-what-theyve-given-up/
The lack of an up-to-date comprehensive entitlements list was apparently
bad enough that a guy by the name of Jonathan Levin built a database to
keep track of them since Apple couldn't (or wouldn't), so at least there
is this handy database at http://newosxbook.com/ent.jl
Now, if only I could figure out from the database which ones I need to add.
Perhaps, it is time to switch to Mark Talluto's suggestion to use
AppWrapper!
On 6/16/2020 6:28 PM, Paul Dupuis via use-livecode wrote:
Hi Panos,
Thank you very much. The discussion in the bug entry answered a lot of
my questions. I have one last thing I hope you or someone can point me
to, which is a list of Apple macOS "entitlements".
From the bug entry I see:
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
I need to figure out the ones for email access, finder integration
(drag/drop), internet access, and disk access.
We've seen Catalina ask the user for:
1. HyperRESEARCH requests access to the Internet (if Apple Firewall is
turned on). - We assume this is because our app needs to check for
new versions and updates and for license management.
2. HyperRESEARCH requests access to the "Finder". - We assume this is
to receive AppleEvents (system messages) if a Study file is double
clicked or dragged and dropped on HyperRESEARCH to open the Study.
3. HyperRESEARCH requests access to your "Contacts". We assume this is
for access to send an email for an error report if an error occurs.
Our App does not access any names or addresses.
I have tried Google for macOS or Catalina and entitlements but all I
seem to be able to find is articles from the user's perspective, not
developer information.
On 6/15/2020 12:21 PM, panagiotis merakos via use-livecode wrote:
Hello Paul,
I guess you can sign the standalone mac app with entitlements, i.e.
use a file that will contain all the necessary entitlements, and include
it in the params passed to the codesign command. See this report for more
details:
https://quality.livecode.com/show_bug.cgi?id=22660
Kind regards,
Panos
--
On Mon, 15 Jun 2020 at 14:56, Paul Dupuis via use-livecode <
use-livecode@lists.runrev.com> wrote:
We're having some macOS Catalina permissions/entitlements issues
We have applications that we deliver for Catalina where the application
(LiveCode standalone) is code-signed. It is then packaged in an
installer (LiveCode standalone) and the installer is code signed. That
is then placed in a DMG, which is code-signed, notarized, and stapled.
This has worked for us since October when Catalina was released.
It still works, except sometimes, after successful downloading and
installation, when the application is first launched, Catalina does
not ask for the permissions the Application needs. Instead certain
handlers throw an execution error. The handlers that produce the errors
on startup when Catalina fails to ask for permissions have the
following in common:
They set the defaultFolder to folders such as:
/Library/PreferencePanes
/Users/<username>/Library/Preferences -- this is using the code: the
home folder & "/Library/PreferencePanes/"
or
/private/var/folders/fj/0llnt4vs44vfzy4r97k_wngc0000gp/T/TemporaryItems
-- this is 'the temporary folder' on Mojave or Catalina. On Mavericks
and earlier the temporary folder was
/Users/<USER>/Library/Caches/TemporaryItems
After setting the defaultFolder, the code gets 'the files' or 'the
folders' and fails (actually we've not pinned down whether it fails on
set the defaultFolder OR on the call to 'the files/folders')
Going to Apple (menu) > System Preferences (menu item) > Security &
Privacy (control) > Privacy (tab) and selecting Full Disk Access and
adding our applications prevents these errors from occurring.
The issue is clearly with Catalina failing to detect and ask for the
correct permissions. This is a known issue a number of developers have
run into. See https://forums.developer.apple.com/thread/125438 as one
example where an Apple support person admits that detecting what
permissions a process is requesting that is tied back to your user
visible app (something Apple calls 'responsibility tracking') is really
hard.
For iOS and Android, you can specify entitlements or requested
permissions in the Standalone Builder Settings. How do you do this for
macOS Catalina?
Does anyone know if there is a way to specify entitlements for a macOS
desktop app built in LiveCode? I have been googling and googling and
can't seem to find anything. I found one discussion on stackExchange that
seems to imply that the PLIST file could be edited to specify
entitlements. I have tried the Apple Developer site, but SO MUCH of it is
oriented towards people with lots of Apple Developer experience and
focuses on C and SWIFT and Apple specific technologies I don't understand.
I can edit the XML in a PLIST file in the standalone bundle IF I only
knew what to add?
_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your
subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
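
The entitlements file and codesign invocation discussed in this thread, as an added example that is not part of the original messages or of LiveCode: it writes the plist, audits an existing plist against the intended set so nothing extra gets signed in, and assembles the command as quoted. Only the camera and audio-input keys come from the thread; the Apple Events, Contacts and library-validation keys, the function names and the sample paths are assumptions chosen here.

```python
import plistlib

# Keys quoted in the thread (from the LiveCode bug report).
THREAD_KEYS = [
    "com.apple.security.device.audio-input",
    "com.apple.security.device.camera",
]
# Assumption (not from the thread): Apple entitlement keys matching the
# Finder (Apple Events) and Contacts prompts described above.
ASSUMED_KEYS = [
    "com.apple.security.automation.apple-events",
    "com.apple.security.personal-information.addressbook",
]

def build_entitlements(keys):
    """Serialize the requested keys as an XML entitlements plist."""
    return plistlib.dumps({k: True for k in sorted(set(keys))},
                          fmt=plistlib.FMT_XML)

def audit_entitlements(plist_bytes, allowed):
    """Compare granted (true) keys in a plist against the intended set."""
    granted = {k for k, v in plistlib.loads(plist_bytes).items() if v is True}
    return {"unexpected": sorted(granted - set(allowed)),
            "missing": sorted(set(allowed) - granted)}

def codesign_argv(identity, entitlements_path, bundle_path):
    """Argument vector for the codesign command quoted in the thread."""
    return ["codesign", "--verbose", "--deep", "--force", "--sign", identity,
            "--entitlements", entitlements_path, bundle_path]

# Constructed sample: a plist as it might exist in a build tree, with one
# entitlement nobody intended to ship and one intended key absent.
SAMPLE = build_entitlements(THREAD_KEYS + [
    "com.apple.security.automation.apple-events",
    "com.apple.security.cs.disable-library-validation",
])

if __name__ == "__main__":
    print(build_entitlements(THREAD_KEYS + ASSUMED_KEYS).decode())
    print(audit_entitlements(SAMPLE, THREAD_KEYS + ASSUMED_KEYS))
    print(" ".join(codesign_argv("<your_certificate_here>",
                                 "entitlements.plist", "MyApp.app")))
```

Running the audit before signing keeps the signed entitlement set limited to what the app was meant to request.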