How to remove executable applications from TCC

I have created a command-line application with Xcode. The application acquires permission to capture the screen (for example); however, I would then like to remove only it with the command tccutil reset All [bundle id]. The problem is that my executable seems to have no bundle ID and I don't know how to remove it. I have also modified the Product Bundle Identifier option in the Build Settings tab, but this didn't work either.

Replies

The trick here is to give your command-line tool a bundle ID. You can’t put this in an Info.plist file, because the command-line tool isn’t packaged, but you can add it to a custom section in your executable. To do this in Xcode, enable the Create Info.plist Section in Binary build setting (CREATE_INFOPLIST_SECTION_IN_BINARY).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi,

Unfortunately the above suggestion doesn't seem to work as the binary is not a real bundled app, e.g. see for 'codesign'

That is to say, it's identified by path within TCC.db rather than its bundle ID.

Thanks, Doron.

@eskimo and how do I do this for an executable that is not created with Xcode? I have a golang app that I need to reset permissions for.

BTW it is silly that tccutil reset only works with bundle ID and not executable path while non-bundle executables are identified in the TCC database by full path (I've checked that in /Library/Application Support/com.apple.TCC/TCC.db).

Any help much appreciated.

I have a golang app

Can you clarify what you mean by “app” in this context? On Apple platforms we generally use the term app to refer to something that the user can launch from the Finder (or Home Screen or whatever) but I suspect you’re using it in a more general way.

it is silly that tccutil reset only works with bundle ID and not executable path while non-bundle executables are identified in TCC database by full path

This is, IME, the least of tccutil’s failings )-: I encourage you to file an enhancement request for the features you think it should have.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

By "app" I mean an executable that I've installed with a .pkg installer into /usr/local/bin/.

To give you more context - the reason I'm trying to revoke this permission is that it seems that after each update my app loses the ability to make screenshots. This is despite the fact that in the Screen Recording preferences it can see it has permissions granted. After I install a new version of my app I have to manually go into preferences, remove the screen recording permission and re-add it. Without this manual re-adding of permissions, the screenshots the app makes are only the background with the menu bar.

Maybe you can think of a better way of approaching this (than trying to revoke permission in order to force macOS to show the screenshot permissions dialog anew)? Can I preserve screen recording permissions after an app update?

By "app" I mean an executable that I've installed with a .pkg installer into /usr/local/bin/.

To clarify more, it is a terminal app, which is launched as a service and runs in the background.

Thanks for those extra details.

You wrote:

which is launched as a service and runs in the background.

How is it launched? As a launchd agent?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes, it's launched via launchd

Yes, it's launched via launchd

As a daemon? Or an agent?

Regardless, I see two issues in play here. Earlier you wrote:

after each update my app loses ability to make screenshots

This is almost certainly a code signing issue. Either your program is not signed or it’s ad hoc signed. This means that TCC can’t record a stable signing identity for it, so it doesn’t know that version N+1 is ‘the same’ as version N. If you’re curious about the details, see TN3137 On Mac keychain APIs and implementations.

The fix for this is to sign your code with a stable identity, either Apple Development for day-to-day work or Developer ID when you distribute it.

Apropos that, see:

Also, if you end up using Developer ID, see The Care and Feeding of Developer ID.


The other issue is that, in order for TCC to display a nice prompt for a launch job, it needs to be associated with an app. You do this using the AssociatedBundleIdentifiers property in your launchd property list. See the launchd.plist man page for details.

In many cases it makes sense to create an app that installs your launchd job. On modern systems you can do this pretty easily using SMAppService. See Service Management.

If you don’t want to do that, you can just create a minimal app that exists primarily for the benefit of TCC. It doesn’t have to do anything, but it’s nice if you can add some basic UI, like showing the status of your job.

This only makes sense if you’re distributing your app widely. If this is just something you’re making for yourself, I’d skip the app entirely.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
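
The signing diagnosis in the reply above (unsigned or ad hoc signed versus a stable identity), as an added example that is not part of the thread: a shell helper that classifies the text printed by `codesign -d --verbose=2` and checks whether two builds share a certificate-backed identity. The sample outputs are constructed, the path, identifier and team ID are placeholders, and `same_identity` is a rough release check, not TCC's own matching logic.

```shell
#!/bin/sh
# Input everywhere: text printed by `codesign -d --verbose=2 <path> 2>&1`.

# Print the value of the first "Key=value" line for key $2 in output $1.
field() { printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1; }

# Prints: unsigned | adhoc | stable:<TeamIdentifier> | unknown
classify_signature() {
    case $1 in
        *"code object is not signed at all"*) echo unsigned; return 0 ;;
    esac
    # Ad hoc (including linker-signed) signatures carry no certificate.
    if [ "$(field "$1" Signature)" = adhoc ]; then echo adhoc; return 0; fi
    team=$(field "$1" TeamIdentifier)
    if [ -n "$team" ] && [ "$team" != "not set" ]; then
        echo "stable:$team"
    else
        echo unknown
    fi
}

# Rough release check (an assumption, not TCC's own matching logic): succeed
# only if both builds have a certificate-backed signature with the same team
# and the same code signing identifier.
same_identity() {
    old=$(classify_signature "$1"); new=$(classify_signature "$2")
    case $old in stable:*) ;; *) return 1 ;; esac
    [ "$old" = "$new" ] && [ "$(field "$1" Identifier)" = "$(field "$2" Identifier)" ]
}

# Constructed sample outputs; path, identifier and team ID are placeholders.
SAMPLE_UNSIGNED='/usr/local/bin/mytool: code object is not signed at all'
SAMPLE_ADHOC='Executable=/usr/local/bin/mytool
Identifier=a.out
Signature=adhoc
TeamIdentifier=not set'
SAMPLE_DEVID='Executable=/usr/local/bin/mytool
Identifier=com.example.mytool
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

for s in "$SAMPLE_UNSIGNED" "$SAMPLE_ADHOC" "$SAMPLE_DEVID"; do
    classify_signature "$s"
done
# On a Mac: classify_signature "$(codesign -d --verbose=2 /usr/local/bin/mytool 2>&1)"
```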