Sequoia Group Container for Mac Catalyst Apps

Do you have a currently shipping app that uses the group prefix?

ps For context, a while back I wrote App Groups: macOS vs iOS: Fight! At some point I’ll update that to cover the macOS 15 changes, but I haven’t quite got to that yet )-: I’m also waiting to see how things pan out in the final release (-:

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes. My app Zavala is impacted by the macOS 15 changes.

OK. Can you walk me through the process that triggers the problem?

AFAICT your app uses a group ID, group.io.vincode.Zavala, that is registered to your team and the app is distributed via the Mac App Store. Given that, I wouldn’t expect you to have problems.

ps For more context on this, see 114586798 in the macOS Sequoia 15 Beta 2 Release Notes.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

There is a sample project included in FB14171101 which I filed about the issue. Here is the code in the sample project which triggers the issue.

let appGroup = "group.io.vincode.AppGroupSampleProject"
let containerURL = FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: appGroup)
let testFileURL = containerURL!.appendingPathComponent("test.txt")
		
let fileData = "Sample file data".data(using: .utf8)
try? fileData?.write(to: testFileURL)

The alert appears when writing to the file.

Zavala is an Open Source project if you want to look at it in particular.

I'm sure several other projects have to be getting tripped up by this. If you are building a Mac Catalyst project, Xcode prompts you to create your App Group beginning with group. Xcode doesn't even allow you to have a different App Groups for iOS vs. macOS in the same target. It certainly feels like App Groups starting with group should be allowed.

It certainly looks like I shouldn't be receiving the prompt based on this sentence from the change notes.

Specifically, the app must use FileManager to get the app group container path and meet one of the following requirements: the app is deployed through Mac App Store; the app group identifier is prefixed with the app’s Team ID; or the app group identifier is authorised by a provisioning profile embedded within the app

The second criteria doesn't look like it is being honored.

Another project impacted by this is NetNewsWire. Although it isn't a Mac Catalyst app, it uses an App Group suffixed with group. (I didn't realize macOS differed from iOS when I contributed the code to NNW.) Based on the change notes, it shouldn't be impacted either, but it does receive the prompt.

There is a bunch of stuff to unpack here. First up, I’m gonna assume that you’re familiar with the backstory in App Groups: macOS vs iOS: Fight!. If not, read it now.

In that I wrote:

In Mac Catalyst things behave as they do on iOS.

and I wasn’t kidding. A Mac Catalyst app should use iOS-style app group names (group.*), where those app group entitlement claims are authorised by its provisioning profile. Here’s an example of that:

% vtool -show-build Test758358.app/Contents/MacOS/Test758358
…
 platform MACCATALYST
…
% codesign -d --entitlements - Test758358.app               
…
	[Key] application-identifier
	[Value]
		[String] SKMME9E2Y8.com.example.apple-samplecode.Test758358
	[Key] com.apple.application-identifier
	[Value]
		[String] SKMME9E2Y8.com.example.apple-samplecode.Test758358
    …
	[Key] com.apple.security.application-groups
	[Value]
		[Array]
			[String] group.eskimo1.test
…
% security cms -D -i Test758358.app/Contents/embedded.provisionprofile | plutil -p -
{
  …
  "Entitlements" => {
    "application-identifier" => "SKMME9E2Y8.com.example.apple-samplecode.Test758358"
    "com.apple.application-identifier" => "SKMME9E2Y8.com.example.apple-samplecode.Test758358"
    …
    "com.apple.security.application-groups" => [
      0 => "group.eskimo1.test"
    ]
    …
  }
  …
}

As you can see, the group.eskimo1.test app group claim is authorised by the allowlist in the app’s provisioning profile.

Note Having both the application-identifier (iOS) and com.apple.application-identifier (macOS) entitlement is a tell-tale sign of a Mac Catalyst app. But if you want to confirm that, vtool is a great option.

Thus, Mac Catalyst apps meet the third criterion (“the app group identifier is authorised by a provisioning profile embedded within the app”). However, this isn’t working right now )-:

Based on bug reports from you and other developers, we investigated this and determined that there’s a bug in the app group authorisation check (r. 129667695).

As always, I can’t make any promises as to when this’ll be fixed, but I encourage you to monitor both Feedback Assistant and any future macOS 15 beta seeds.

Non-Catalyst apps should use Mac-style app group names (TTT.*, where TTT is the Team ID). That’ll avoid the container prompt because of the second criterion (“the app group identifier is prefixed with the app’s Team ID”)

Non-Catalyst apps deployed via the Mac App Store may also use an iOS-style app group name (group.*) as long as that group is registered to the app’s team. This is the first criterion mentioned in the release notes (“the app is deployed through Mac App Store”).

Finally, some thoughts on testing. First, when testing this stuff it’s best to create a new app. macOS 15 beta has some built-in compatibility exceptions and it’s easy to get confused if you run your tests using popular products [1].

Second, to do a full test you’ll need multiple teams. That’s tricky if you’re a member of just one team. A neat way to get around this is to use a different Apple ID as a Personal Team.

Third, I’ve found that VMs are super helpful when testing stuff like this, because I can easily reset the VM back to a clean state, one where it’s never seen any of my test apps.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Ask me how I know )-:

Quinn, thank you for the very though answer. I guess I'll hold tight and see what happens to Mac Catalyst apps on Sequoia. I'll also notify the NetNewsWire team that a fix needs to be made prior to the Sequoia public release.