kTCCServiceSystemPolicyAppData warning from Transparency Consent and Control (TCC)

Code Signing Entitlements
dkocher OP
Created 1d
Replies 3
Boosts 0
Views 214
Participants 2

The problem is described in full with log output in #16844

We are having an issue with TCC prompting users for access to the app group container despite signing with entitlements following all guidelines.

This is a regression from the Feb 2025 Changes discussed in App Groups: macOS vs iOS: Working Towards Harmony

The problem can only be reproduced with Xcode 16.0 and later.

The entitlements for the app include access for the group container with

[Key] com.apple.security.application-groups
	[Value]
		[Array]
			[String] G69SCX94XU.duck

The documentation notes the group name can be arbitrary, e.g. <team identifier>.<group name>. Cyberduck uses G69SCX94XU.duck by default. Interestingly enough the alert is not shown when a group name matching the bundle identifier is used, e.g. G69SCX94XU.ch.sudo.cyberduck.

Replies  3
Boosts  0
Views  214
Participants  2
DTS Engineer OP
Apple
15h

What does this report:

% security cms -D -i "Cyberduck Nightly.app/Contents/embedded.provisionprofile" | plutil -p -

I would expect to see the profile authorise your claim to com.apple.security.application-groups > G69SCX94XU.duck.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
dkocher OP
10h

The issue is reproduced with a provisioning profile embedded. The output of security cms -D -i is

{
  "AppIDName" => "Cyberduck"
  "ApplicationIdentifierPrefix" => [
    0 => "G69SCX94XU"
  ]
  "CreationDate" => 2025-02-03 20:45:33 +0000
  "DER-Encoded-Profile" => {length = 3546, bytes = 0x30820dd6 06092a86 4886f70d 010702a0 ... 8f791dc8 806888ea }
  "DeveloperCertificates" => [
    0 => {length = 1448, bytes = 0x308205a4 3082048c a0030201 02020854 ... bd543e5c c872b843 }
  ]
  "Entitlements" => {
    "com.apple.application-identifier" => "G69SCX94XU.ch.sudo.cyberduck"
    "com.apple.developer.icloud-container-identifiers" => [
    ]
    "com.apple.developer.icloud-services" => "*"
    "com.apple.developer.team-identifier" => "G69SCX94XU"
    "com.apple.developer.ubiquity-container-identifiers" => [
    ]
    "com.apple.developer.ubiquity-kvstore-identifier" => "G69SCX94XU.*"
    "keychain-access-groups" => [
      0 => "G69SCX94XU.*"
    ]
  }
  "ExpirationDate" => 2043-01-30 20:45:33 +0000
  "IsXcodeManaged" => 0
  "Name" => "Cyberduck Distribution Provisioning Profile"
  "Platform" => [
    0 => "OSX"
  ]
  "ProvisionsAllDevices" => 1
  "TeamIdentifier" => [
    0 => "G69SCX94XU"
  ]
  "TeamName" => "David Kocher"
  "TimeToLive" => 6570
  "UUID" => "27de22e9-7fce-4a84-928a-1260d2a4a1e2"
  "Version" => 1
}

I cannot find the com.apple.security.application-groups in Entitlements.

There is no such thing as to customize the app group when creating a provisioning profile in developer center for macOS.

0
dkocher OP
9h

The issue is reproduced with a provisioning profile embedded that has the com.apple.security.application-groups set

{
  "AppIDName" => "Cyberduck"
  "ApplicationIdentifierPrefix" => [
    0 => "G69SCX94XU"
  ]
  "CreationDate" => 2025-09-23 07:54:54 +0000
  "DER-Encoded-Profile" => {length = 3604, bytes = 0x30820e10 06092a86 4886f70d 010702a0 ... 7013d550 78b027d9 }
  "DeveloperCertificates" => [
    0 => {length = 1448, bytes = 0x308205a4 3082048c a0030201 02020854 ... bd543e5c c872b843 }
  ]
  "Entitlements" => {
    "com.apple.application-identifier" => "G69SCX94XU.ch.sudo.cyberduck"
    "com.apple.developer.icloud-container-identifiers" => [
    ]
    "com.apple.developer.icloud-services" => "*"
    "com.apple.developer.team-identifier" => "G69SCX94XU"
    "com.apple.developer.ubiquity-container-identifiers" => [
    ]
    "com.apple.developer.ubiquity-kvstore-identifier" => "G69SCX94XU.*"
    "com.apple.security.application-groups" => [
      0 => "G69SCX94XU.*"
    ]
    "keychain-access-groups" => [
      0 => "G69SCX94XU.*"
    ]
  }
  "ExpirationDate" => 2043-09-19 07:54:54 +0000
  "IsXcodeManaged" => 0
  "Name" => "Cyberduck Distribution Provisioning Profile"
  "Platform" => [
    0 => "OSX"
  ]
  "ProvisionsAllDevices" => 1
  "TeamIdentifier" => [
    0 => "G69SCX94XU"
  ]
  "TeamName" => "David Kocher"
  "TimeToLive" => 6570
  "UUID" => "6ac7645d-fbd4-427a-8cb9-b8f53edae62d"
  "Version" => 1
}
0
kTCCServiceSystemPolicyAppData warning from Transparency Consent and Control (TCC)
First post date Last post date
 
 
Q