macOS entitlements

Hi,

I am in the process of building a macOS app that needs access to file metadata (amongst which the ownerAccountId). Trying to change properties like owner and group id results in an Operation Not Permitted error.

From what I understand one needs Privileged File Operation entitlements for such operations.

I am having a hard time figuring out how to achieve this. I have been searching the internet and forums, to no avail. The documentation does not offer a solution either. And it is unclear to me if you have to apply for entitlements when (still) developing and debugging an application for macOS (not ready for publication in the AppStore yet).

Does anybody know a proper 'how to' on using entitlements. Which entitlement, when and how to apply them? A step-by-step read would be perfect.

In case you would like to answer directly... more specifically my code consists of a bunch of 'utility functions' in a framework. I included unit tests in the framework to be able to test the functionality. One of the tests would be testSettingAccountId, that tests some function that sets a file attribute (FileAttributeKey.ownerAccountID) on some test file. Right now that test fails due to insufficient permissions, which is understandable. I would like to know how I can set ups the environment to properly test the function. That is: do I need to set entitlements. If so, which one(s) and where would I set these in order for the unit test to run successfully?

Any help would be much appreciated. Thanks!

Trying to change properties like owner and group id results in an Operation Not Permitted error.

Indeed.

From what I understand one needs Privileged File Operation entitlements for such operations.

Yes (assuming you plan to distribute via the Mac App Store; non-MAS apps have other options).

Does anybody know a proper 'how to' on using entitlements. Which entitlement, when and how to apply them? A step-by-step read would be perfect.

The entitlement you need, com.apple.developer.security.privileged-file-operations, is special, that is, you must be granted access to it by Apple. You can request such access using this form.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
@Quin: thanks. If I understand well, one should also ask for special permission when still developing on a local machine. I would understand if Apple would want that when publishing (in the App Store), but it is a bit confusing that Apple wants developers to ask special permissions for local development (in the early stages). I would expect one to be able to develop 'without restrictions' as long as nothing is signed for distribution. I can only assume the special permissions are linked to the signing certificate(?).

I can only assume the special permissions are linked to the signing certificate(?).

Not quite. When you’re granted access to a special entitlement, that’s reflected in the developer web site. Specifically, when you manually create a provisioning profile the web site displays an extra step listing the special entitlements you have available and thus can apply to the profile.

it is a bit confusing that Apple wants developers to ask special permissions for local development

That’s a policy issue that’s outside of my remit.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

I would expect one to be able to develop 'without restrictions' as long as nothing is signed for distribution. I can only assume the special permissions are linked to the signing certificate(?)

You can. But if your app is configured for the Mac App Store, then it is going to run under that environment. There are some thing that you can configure yourself in the Developer portal to give your app local capabilities without App Review. But this is not one of them.

You can always turn off the app sandbox. Your app will start up in a different environment, so you have to be aware of that. You'll have a different set of preferences and app state, for example. But this would allow you to test this one feature before it is approved.

Approval for this entitlement is not guaranteed either.
macOS entitlements
 
 
Q