Notarised application not being detected by Mac OS automation security settings

Before notarisation, this functionality was working fine

Does “before notarisation” mean “before we started the process of adding notarisation support”? Or does it literally mean “before notarisation”, that is, before you notarised your product? The latter would be weird because notarisation is essentially a read-only process (only stapling modifies your product and that’s optional).

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I meant non-notarised version of application is detected by Automation settings but after notarisation application is not being detected by Automation settings. Is there any entitlement needs to be given while notarising the application which can help in resolving this ?

I meant non-notarised version of application …

So, to be clear, you see this:

1. You build the app and sign it for distribution.

2. You run it; it works correctly with regards System Preferences > Security & Privacy > Privacy > Automation.

3. You notarise it.

4. It stops working.

Is that right?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Just to clear it bit more : We have a previous version of our application on which signing and notarisation steps were not performed. So this is a non-notarised version of our application. This version is recognised by "Automation" security settings automatically when it is installed in any MAC system. Now, We performed notarisation steps mentioned in the below link through Jenkin and created notarised version of our application.

"https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution"

This latest version is not being detected by "Automation" security settings. Following are the signing and notarisation commands we used.

/usr/bin/codesign --deep --verify --verbose --force --timestamp -o runtime --sign 'X' <APP.dmg>

xcrun altool --notarize-app --primary-bundle-id "<APP_BUNDLE_ID>" --username "X" --password "Y" --asc-provider "Z" --file <APP.dmg>

OK, so, it’s not that notarisation broke your app, it’s that you had to change your signing process to account for notarisation and that change broke your app.

The most likely cause of your specific problem is the hardened runtime. Notarisation requires that you enable the hardened runtime and that comes with some additional requirements when it comes to Apple events:

• You must enable the Apple Events entitlement (com.apple.security.automation.apple-events).

• You must set the NSAppleEventsUsageDescription property in your Info.plist [1].

You wrote:

Following are the signing and notarisation commands we used.

I have two bits of feedback here:

• Don’t sign using --deep. See --deep Considered Harmful for an explanation as to why. Rather sign each code item separately, from the inside out.

• You should switch to notarytool. It’s better, stronger, and faster (-: For more details, see WWDC 2021 Session 10261 Faster and simpler notarization for Mac apps.

Finally, I encourage you to read through Signing a Mac Product For Distribution. It’s full of hints and tips on how to set up code signing outside of Xcode.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Technically this isn’t required by the hardened runtime but this property was rolled out at the same time as the hardened runtime and so I always group them together.

Hi, I have tried with these solution : "You must enable the Apple Events entitlement (com.apple.security.automation.apple-events). You must set the NSAppleEventsUsageDescription property in your Info.plist [1]."

But still my notarised application is not being detected by Automation settings. Could you please suggest more on this.

But still my notarised application is not being detected by Automation settings.

Can you expand on what you mean by “not being detected by Automation settings”? At a user level, there do things diverge between your notarised and non-notarised builds?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

At below Security preferences path , there is a automation settings : Security preferences->Privacy->Automation Before notarisation, whenever the application was installed in any Mac system, it is automatically added in this settings. But after the notarisation, if I install the application, It does not come in this Automation settings. Hope it clears.

whenever the application was installed in any Mac system

That’s not how that this setting works. Note that the list shows automation source apps and, for each source app, a list of target apps. There is no single “enable automation for everything” option. Rather, the list of target apps is built lazily, with a new entry each time the source app tries to automate a specific target app.

So, installing the app does not add entries to this list. Rather, the entries show up when the app runs and tries to automate another app.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

yeah, but even after running the application, its not automatically triggering other applications as it used to do earlier without notarisation. And the reason seems to be this application not coming in "automations settings"

its not automatically triggering other applications as it used to do

OK. There are a variety of potential causes of this. I recommend that you find the code that previously triggered an automation authorisation alert and check whether:

• It’s still actually executing

• It returns any helpful errors

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"