Demystify code signing and its importance in app development. Get help troubleshooting code signing issues and ensure your app is properly signed for distribution.

User removal of security scoped bookmark
Hi, is it possible for a user to remove the implicit permission he or she gave to an app after opening a folder using a standard dialog? I'm asking this because a discussion took place with actual users reasonably arguing that the action may have been a mistake, not intentional at all, so at least we should give them a way to revert what was wrongly interpreted as intent. I believe that they are right and there should be a simple user-level way of doing that. So I looked for a way to remove the bookmark from the command line but to no avail. Thanks, Carlos.
1 reply · 0 boosts · 412 views · Oct ’23
Notarization causing 3rd party executables to not run correctly
I have created a .NET MAUI application that I have written for Windows and MacCatalyst. In my entitlements.plist I have com.apple.security.app-sandbox = no.

    <PropertyGroup Condition="'$(Configuration)|$(TargetFramework)|$(Platform)'=='Debug|net7.0-maccatalyst|AnyCPU'">
        <MtouchLink>SdkOnly</MtouchLink>
        <EnableCodeSigning>True</EnableCodeSigning>
        <EnablePackageSigning>true</EnablePackageSigning>
        <CreatePackage>true</CreatePackage>
        <CodesignKey>Developer ID Application: xxxxxxxxxx</CodesignKey>
        <CodesignProvision>xxxxxxxx</CodesignProvision>
        <CodesignEntitlements>Platforms\MacCatalyst\Entitlements.plist</CodesignEntitlements>
        <PackageSigningKey>Developer ID Installer: xxxxxxxxx</PackageSigningKey>
        <UseHardenedRuntime>true</UseHardenedRuntime>
        <RuntimeIdentifier>maccatalyst-arm64</RuntimeIdentifier>
        <MtouchInterpreter>-all</MtouchInterpreter>
    </PropertyGroup>

I have a 3rd party executable that I manually codesigned:

    codesign --force --verify --verbose --sign xxxxxx 3rdpartyApp --timestamp --deep --options runtime

Then I build the application in Visual Studio Mac. Everything is codesigned, etc. After building I am able to successfully notarize the pkg and then staple the notarization to it. When I take that pkg and install it in a test environment, everything installs fine, no warning. I am able to start my application and do what I need to do. But when it tries to run that 3rd party executable, it just fails. At first I checked exec permissions. I chmod it to +x, within the .app container and also all the way at the beginning, and rebuilt the application, resigned, re-notarized, etc. I am working to get some logging out to see why it failed, but having an issue with that at the moment. In the meantime I have taken the non-notarized pkg, forced the install in the test environment, and the 3rd party executable runs successfully. So it seems the notarization process is causing this child process to fail?
2 replies · 0 boosts · 616 views · Oct ’23
BundleID identifier problems for new version of app
Good morning, I have a new version of an app which is on the App Store already, but I would like to send it to others using TestFlight first. I have created a new version for the app on the Apple Connect website. I have confirmed the new version number in Xcode for this app, but when I upload it through the archive process in Xcode I get this response: "App record with bundle identifier "" not found on App Store Connect. Create an app record on App Store Connect, or distribute the app from Xcode, and then try again." That was the default setting for App Store Connect. If I use the custom setting (and change the SKU because it is written as the bundle id identifier) I get this response: The app identifier "com.DefaultCompany.MyAppName" cannot be registered to your development team because it is not available. Change your bundle identifier to a unique string to try again. Can someone please help me resolve this. A task that was supposed to take thirty minutes has extended to over four hours, and I have not found a solution to this problem. All documentation on the Apple developer site assumes an app will be updated to a new version without sharing first through TestFlight. All of this seems really counterintuitive to what should be a relatively straightforward process.
2 replies · 0 boosts · 2.3k views · Oct ’23
Firewall refuses to add Python; MULTIPLE POP-UP alerts
On Sonoma I develop with gcloud and python2.7 and python3.9 from MacPorts. I always get MULTIPLE dialogue pop-ups when starting the Python web server in Terminal.app. Choices are not remembered (neither block nor allow!!). I tried to solve that with socketfilterfw and codesign but it has NO effect at all. Questions like this have been creeping around Stack Exchange for 10 years. I have been searching for several hours for a solution to this problem. Is there any solution?

    20 : /opt/local/Library/Frameworks/Python.framework/Versions/3.9/Resources/Python.app ( Allow incoming connections )
    21 : /opt/local/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app ( Allow incoming connections )

    sudo codesign -s - -f /opt/local/Library/Frameworks/Python.framework/Versions/3.9/Resources/Python.app
1 reply · 0 boosts · 403 views · Oct ’23
Gatekeeper and code signing
Hello, I have made a basic C program and I have compiled it with gcc. This program has not been signed (I didn't run codesign). When I am trying to run this program from Terminal, I don't get any Gatekeeper popup. My first question is... why? I have created a SwiftUI project with Xcode (Xcode 15). I have set signing settings to "Sign to run locally" (by the way, can you tell me how I can disable signing in Xcode?). I have opened Terminal and I have changed current directory to the ~/Library/Developer/Xcode/DerivedData/..../Products/Debug/MyApp.app/Contents/MacOS folder. Now I get a Gatekeeper confirmation popup if I run "./Myapp" from Terminal. My second question is... why? Does that mean Gatekeeper only checks signed binaries? Thanks
3 replies · 0 boosts · 1.1k views · Nov ’23
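Gatekeeper's first-launch assessment is keyed on the com.apple.quarantine extended attribute, which quarantine-aware apps (browsers, Mail, AirDrop and the like) set on files they bring onto the Mac; a file compiled locally in Terminal never receives it. The shell functions below are an added example, not code from the post above, for inspecting and decoding that attribute on a file. The sample record used in the test is constructed.

```shell
#!/bin/sh
# Added example: decode the com.apple.quarantine extended attribute that
# Gatekeeper keys its first-launch assessment on. Not code from the post.
#
# The attribute value is one record of four ';'-separated fields:
#   <flags, 4 hex digits>;<download time, hex Unix seconds>;<agent name>;<UUID>
# The agent and UUID fields may be empty.

# quarantine_field RECORD N -> field N (1-based) of a quarantine record
quarantine_field() {
    printf '%s\n' "$1" | cut -d ';' -f "$2"
}

# quarantine_time RECORD -> download time as decimal Unix seconds
quarantine_time() {
    _hex=$(quarantine_field "$1" 2)
    [ -n "$_hex" ] || _hex=0
    printf '%s\n' "$(( 0x$_hex ))"
}

# describe_quarantine RECORD -> one human-readable line
describe_quarantine() {
    printf 'flags=%s downloaded_at=%s agent=%s uuid=%s\n' \
        "$(quarantine_field "$1" 1)" "$(quarantine_time "$1")" \
        "$(quarantine_field "$1" 3)" "$(quarantine_field "$1" 4)"
}

# quarantine_status PATH -> decoded attribute, or "not quarantined";
# exit status 0 when the attribute is present. Needs macOS `xattr`.
quarantine_status() {
    _rec=$(xattr -p com.apple.quarantine "$1" 2>/dev/null) || {
        echo "not quarantined: $1"
        return 1
    }
    describe_quarantine "$_rec"
}

# quarantine_release PATH -> strip the attribute from a file or, recursively,
# a bundle. This skips Gatekeeper, so only do it for something you built or
# verified yourself.
quarantine_release() {
    xattr -dr com.apple.quarantine "$1"
}
```

To compare the two cases from the post, run `quarantine_status` on the gcc output and on the Xcode product: `xattr -l` lists every attribute if you want to see what else (for example com.apple.provenance) is present.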
App is damaged and can't be opened, despite being codesigned
I have a toy application that uses CMake to generate a .dmg that contains a simple C++ binary that prints "codesignTest". The binary gets signed by CMake, and I manually sign the .dmg. I am using the "Unix Makefiles" generator, and am signing with a Developer ID Application certificate with a Private Key. Despite this, I still get an "App is damaged and can't be opened" error when running the binary on a secondary test macOS machine. I've created a GitHub repository with instructions on how to reproduce this problem, and I've copy/pasted the binary's signature below. Is there anything invalid with my signature? Thank you.

    cisl-ridgeland:~ pearse$ codesign -dv --verbose=4 /Applications/codesignTest.app/Contents/MacOS/codesignTest
    Executable=/Applications/codesignTest.app/Contents/MacOS/codesignTest
    Identifier=codesignTest
    Format=bundle with Mach-O thin (arm64)
    CodeDirectory v=20400 size=496 flags=0x0(none) hashes=10+2 location=embedded
    VersionPlatform=1
    VersionMin=786432
    VersionSDK=787200
    Hash type=sha256 size=32
    CandidateCDHash sha256=df158907d48f1eb3f5ef7b145d43d114bff0c6c3
    CandidateCDHashFull sha256=df158907d48f1eb3f5ef7b145d43d114bff0c6c3e2564197c4a69594500f7f66
    Hash choices=sha256
    CMSDigest=df158907d48f1eb3f5ef7b145d43d114bff0c6c3e2564197c4a69594500f7f66
    CMSDigestType=2
    Executable Segment base=0
    Executable Segment limit=16384
    Executable Segment flags=0x1
    Page size=4096
    Launch Constraints:
        None
    CDHash=df158907d48f1eb3f5ef7b145d43d114bff0c6c3
    Signature size=9045
    Authority=Developer ID Application: University Corporation for Atmospheric Research (DQ4ZFL4KLF)
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
    Timestamp=Nov 1, 2023 at 9:43:36 AM
    Info.plist=not bound
    TeamIdentifier=DQ4ZFL4KLF
    Sealed Resources=none
    Internal requirements count=1 size=172
3 replies · 0 boosts · 1.1k views · Nov ’23
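The following is an added example, not code from either of the two posts above (the notarized .NET MAUI package and the CMake-built toy app), that audits a `codesign -d --verbose=4` transcript for the properties notarization and Gatekeeper expect of a Developer ID build: the hardened-runtime flag in the CodeDirectory, a secure timestamp, a Developer ID Application leaf certificate and, for a bundle, a resource seal and a bound Info.plist. Run against the signature posted above it flags `flags=0x0(none)`, `Sealed Resources=none` and `Info.plist=not bound`, which is what a signature looks like when only the Mach-O inside the .app was signed rather than the bundle as a whole. The "clean" transcript in the test is constructed.

```shell
#!/bin/sh
# Added example (not code from either post): audit the transcript that
# `codesign -d --verbose=4 <path>` writes to stderr for what notarization and
# Gatekeeper expect of a Developer ID build. Pure text processing, so it works
# on a saved transcript as well as on a live bundle.

# sig_field TEXT KEY -> value of the first "KEY=value" line, empty if absent
sig_field() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# sig_flags TEXT -> the flags=... token of the CodeDirectory line, e.g. 0x10000(runtime)
sig_flags() {
    printf '%s\n' "$1" | sed -n 's/^CodeDirectory .*flags=\([^ ]*\).*/\1/p' | head -n 1
}

# audit_signature_text TEXT -> one finding per line; exit status 0 when there are none
audit_signature_text() {
    _t=$1
    _n=0
    _flags=$(sig_flags "$_t")
    _fmt=$(sig_field "$_t" Format)
    _leaf=$(sig_field "$_t" Authority)    # first Authority line is the leaf certificate

    case $_flags in
        *runtime*) ;;
        *) echo "hardened runtime not enabled (flags=$_flags); notarization requires --options runtime"
           _n=$((_n + 1)) ;;
    esac
    case $_flags in
        *adhoc*) echo "ad hoc signature: no certificate, so Gatekeeper cannot accept it"
                 _n=$((_n + 1)) ;;
    esac
    if [ -z "$(sig_field "$_t" Timestamp)" ]; then
        echo "no secure timestamp (codesign prints 'Signed Time=' instead); sign with --timestamp"
        _n=$((_n + 1))
    fi
    case $_leaf in
        "Developer ID Application:"*) ;;
        "") echo "no certificate chain in the signature"
            _n=$((_n + 1)) ;;
        *)  echo "leaf certificate is '$_leaf', not a Developer ID Application certificate"
            _n=$((_n + 1)) ;;
    esac
    case $_fmt in
        *bundle*)
            if [ "$(sig_field "$_t" 'Sealed Resources')" = "none" ]; then
                echo "bundle has no resource seal: only the executable was signed, not the .app"
                _n=$((_n + 1))
            fi
            if [ "$(sig_field "$_t" Info.plist)" = "not bound" ]; then
                echo "Info.plist is not bound to the signature"
                _n=$((_n + 1))
            fi ;;
    esac
    [ "$_n" -eq 0 ]
}

# audit_signature PATH -> run codesign on a live file or bundle and audit it
audit_signature() {
    audit_signature_text "$(codesign -d --verbose=4 "$1" 2>&1)"
}
```

For a nested executable like the 3rd-party tool in the first post, point `audit_signature` at that file inside the installed .app, not only at the outer bundle: `--deep` signs nested code but each nested item has its own CodeDirectory and is checked on its own when it launches.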
Intermittent "Operation not permitted", "Unable to start the server" error while running 'safaridriver'
I'm encountering an intermittent issue while trying to run safaridriver on macOS Sonoma. Here are the details of the problem: I ran sudo /usr/bin/safaridriver -p0 --enable in the beginning. After that when I run this multiple times /usr/bin/safaridriver -p0, I sometimes receive an "Operation not permitted" error, but not consistently. This issue seems to occur intermittently. I've checked the sudo logs, and I see the following error message:

    kernel: (Sandbox) Sandbox: com.apple.WebDriver.HTTPService(2049) deny(1) user-preference-write com.apple.WebDriver.HTTPService
    cfprefsd: (CoreFoundation) [com.apple.defaults:cfprefsd] rejecting write of key(s) MobileDeviceRemoteXPCEnabled in { com.apple.WebDriver.HTTPService, nimish, kCFPreferencesAnyHost, /Users/nimish/Library/Preferences/com.apple.WebDriver.HTTPService.plist, managed: 0 } from process 2049 (com.apple.WebDriver.HTTPService) because setting these preferences requires user-preference-write or file-write-data sandbox access
    cfprefsd: (CoreFoundation) [com.apple.defaults:cfprefsd] Couldn't open parent path due to [2: No such file or directory
    kernel: (Sandbox) Sandbox: com.apple.WebDriver.HTTPService(2049) deny(1) network-bind local:*:7055
    com.apple.WebDriver.HTTPService: (WebDriver) [com.apple.WebDriver:WebService] Error starting HTTP server listening on localhost:0: Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted" UserInfo={NSLocalizedDescription=Operation not permitted, NSLocalizedFailureReason=Error in bind() function}
    com.apple.WebDriver.HTTPService: (WebDriver) [com.apple.WebDriver:XPCService] Client connection invalidated for some reason

I am getting this on macOS Sonoma. Can anybody please help on this?
0 replies · 2 boosts · 665 views · Nov ’23
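The kernel lines in the excerpt above are the ones worth keeping: each `Sandbox: <process>(<pid>) deny(<n>) <operation> <target>` line names exactly which operation the process's sandbox profile refused (here user-preference-write on its own preferences domain and network-bind on a local port). The shell functions below are an added example, not part of the post, that extract those fields from `log show` output or a saved transcript so intermittent denials can be tallied over many runs; the lines in the test are copied from the post.

```shell
#!/bin/sh
# Added example (not part of the post): pull sandbox denials out of log text
# so each one shows the process, its pid, the refused operation and the
# target. Feed `log show` output or a saved transcript on stdin.

# sandbox_denials < LOGTEXT -> "process pid operation target", one denial per line
sandbox_denials() {
    sed -n 's/^.*Sandbox: \([^ (]*\)(\([0-9]*\)) deny([0-9]*) \([^ ]*\)[ ]*\(.*\)$/\1 \2 \3 \4/p'
}

# sandbox_denials_for PROCESS < LOGTEXT -> only the denials of one process name
sandbox_denials_for() {
    sandbox_denials | awk -v p="$1" '$1 == p'
}

# sandbox_denied_ops < LOGTEXT -> each refused operation with how often it was hit
sandbox_denied_ops() {
    sandbox_denials | awk '{ print $3 }' | sort | uniq -c | sort -rn
}

# sandbox_denials_live [MINUTES] -> the same, read from the unified log (macOS `log`)
sandbox_denials_live() {
    log show --last "${1:-5}m" --predicate 'eventMessage CONTAINS "Sandbox:"' \
        | sandbox_denials
}
```

Run `sandbox_denials_live 10` right after a failed `safaridriver` start and compare with a successful one; for an intermittent failure the interesting question is which denial appears only in the failing runs.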
Security Certificate for an Electron app?
I've built an app in Electron. I am in the process of preparing to release the app on my website as a free download. Since the app is free, I'm not really looking to spend a ton of money on security certificates. I can get the app to work on Windows by clicking through the Windows Defender, but I cannot run it at all on Mac even after disabling Gatekeeper. So my question is... Is it possible for me to get a certificate for my Electron app through the apple developer program. Keep in mind I have never touched the apple developer ecosystem. Avoiding subscriptions for this app's security certificates is what I am looking for. As that is all I have seen as options online so far. Any other suggestions are more than welcome! Thanks in advance!
1 reply · 0 boosts · 578 views · Nov ’23
Mounting a Notarized DMG via hdiutil while Offline
I was reading through this post: https://developer.apple.com/forums/thread/718583 I've been able to reproduce this behavior by double-clicking a DMG in the Finder while the Mac is offline. I checked the notarization status of the app via spctl and it shows "Notarized Developer ID". So sure enough, Quinn's comment about Gatekeeper "ingesting" the notarization ticket stapled to the DMG and automatically applying it to the app inside is 100% spot-on. However, I can't seem to get the same behavior to happen when mounting the DMG via hdiutil in Terminal. While offline, I do a:

    hdiutil attach /path/to/my/dmg.dmg

and then

    spctl -a -t exec -vvv /Volumes/path/to/my/mounted/dmg/myapp.app

After the spctl I'm seeing

    /Volumes/path/to/my/mounted/dmg/myapp.app: rejected source=Unnotarized Developer ID origin=Developer ID Application: My Developer Creds (XXXXXXXXXX)

Is there a way to get Gatekeeper to "ingest" the notarization ticket stapled to the DMG when using hdiutil while offline? Note 1: If I use hdiutil while online, everything works as expected. Note 2: I'm testing all this via a VM of macOS 12.7.1, if that makes any difference. Thanks!
6 replies · 0 boosts · 748 views · Nov ’23
Request for technical specifications for the iPhone SE (model number MMXN3ZD/A)
Dear Sir or Madam, I am contacting you as a developer in the context of an academic project. I am currently working on my bachelor's thesis, in which I am developing a mobile application for iOS devices. For the success of this project it is essential to have precise information about the hardware components of specific iPhone models, in particular the iPhone SE with model number MMXN3ZD/A and iOS version 17.1.1. My main interest is in the exact technical specifications of the LEDs built into the iPhone SE and of the CCD or CMOS image sensor (depending on ******* type is used). For my project it is crucial to understand the spectral properties of these components: LED specifications: I need information about the spectra of the LEDs, in particular which wavelengths of light they emit. This is relevant for the functionality of my app, which relies on photometric analyses. CCD/CMOS sensor specifications: Furthermore, it is important for me to know which wavelengths the sensor built into the device is sensitive to. This information is critical for correctly interpreting the interaction between the sensor and the illuminated environment. The results of my research and development will not only be significant for my academic work, but could also offer valuable insights for the further development of iOS applications in my field of study. I would be very grateful if you could provide me with this information or refer me to an appropriate department or resource where I can obtain these specific technical data. Thank you in advance for your support and cooperation. Kind regards, Mohammad Jbeh
0 replies · 0 boosts · 467 views · Nov ’23
Code signing, OS versions, and an older Macbook Pro
Have been working on a Java Open Source project for 8 years, with the last 2+ years on a cross-platform desktop GUI for it with a separate updater. The self-contained application runs on Linux and Windows - now I'm trying to figure out Mac. Have had a MacBook Pro 13" Late 2013 Retina running Big Sur 11.7.10 for 3 weeks. Very new to Apple, but a retired 48-year engineer trying to support macOS for the first time. Building with Ant and the appbundler task, https://github.com/TheInfiniteKind/appbundler, then creating a DMG with DMG Canvas, https://www.araelium.com/dmgcanvas. Deliberately supporting older systems due to the nature of this data management and back-up application. It's been adapted to the macOS look 'n feel. Questions: If I sign up as an Apple Developer and pay the fee, will this 2013 MacBook Pro still be able to sign DMG files - that will work on the latest macOS - after the end of support in December 2023? For an updater: Should the main application and the separate updater both be signed? The basic process is: Download updater into system temp folder, prepare and execute updater, stop desktop application, updater downloads new version, prepares and copies update to installed location, then restarts desktop application and ends the updater. I'm old and have set up this Open Source project and web site so that it can be passed off to others when I stop, one way or another. Can the developer account or certificate credentials be transferred to someone else at that time? Guidance for a noob would be appreciated. Thank you for your time. The project, not released yet: https://github.com/Corionis/ELS/tree/Version-4.0.0
2 replies · 0 boosts · 658 views · Nov ’23
Notification settings do not appear
I created an application and initially I wasn't going to use it to send notifications, but then I realised that I needed to. So quite naturally, I changed the settings in "Certificates, Identifiers & Profiles". I activated:
- Communication Notifications
- Time Sensitive Notifications
But not:
- Push Notifications
because it's a local application. However, when I transfer a new build to TestFlight, the notification settings are not present in "Settings" on my iPhone. Same thing in the notifications settings, it doesn't show up :/. So my question is this: How can I get my notification settings to be "activated", knowing that they weren't originally authorised in my "Certificates, Identifiers & Profiles" settings?
1 reply · 0 boosts · 757 views · Dec ’23
Hardened runtime and kSecCodeStatusKill flag
For a unit test, we are building a (non-bundled) test executable with the ENABLE_HARDENED_RUNTIME build setting enabled (set to "YES"), which eventually causes codesign to be run with the "--option runtime" setting. The resulting binary has the "hardening" bit (0x1000) set in the code signature and there are no exceptions per entitlements. In our unit test, we launch the test executable, obtain a SecCodeRef to the (dynamic) code using SecCodeCopyGuestWithAttributes() and inspect the flags in the signing information. We expect both kSecCodeStatusHard and kSecCodeStatusKill to be set for this code. When building and testing locally, this is always the case. When building and testing in our build pipeline, this is mostly the case, but every now and then, the test fails, because both "hard" and "kill" flags are missing from the signing information. It is my understanding that the "runtime" option (or the "hardening" bit in the signature) causes those two flags to be set when the code executes - is this incorrect or not guaranteed? If OTOH this is a correct understanding I would also assume that those flags are being set before the executable enters its main() function? Any explanation why we sometimes don't see those flags in the SecCodeRef for the guest code?
6 replies · 0 boosts · 461 views · Dec ’23
XPC Rendezvous, com.apple.security.inherit and LaunchAgent
I’m trying to implement XPC Rendezvous like Quinn described in many awesome posts on here, but I’m now at a stuck point where I just have no idea. I want to communicate with a Safari extension via XPC and also a helper application, which led me to XPC Rendezvous (https://developer.apple.com/forums/thread/715338) because an XPC Service in the Extension is scoped to the container. I then made a Command Line Target and added it like it's described here (https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app) and also took the XPC test code and inspiration to set up my launch agent from here (https://developer.apple.com/documentation/servicemanagement/updating_your_app_package_installer_to_use_the_new_service_management_api). This command line tool should do the management for the XPC connections because it’s not in the sandboxed container. The tool sets up the XPC connection like in the sample code directly and not in an XPC Service added via a Target template. It exposes the Mach Service. And that looks like it's building fine after some fighting, but the service just won't start. I saw it trying in Console, and after running it in Xcode and finally finding the crash report, it brought me here (https://developer.apple.com/forums/thread/706390): I have "Process is not in an inherited sandbox." And thinking about it, it makes sense, because I first thought it's just because it ran through Xcode, but it's crashing this way also as a LaunchAgent. I mean it does make sense - there is nothing to inherit because it’s spawned by launchd - and that’s what I want, isn’t it - to make the Rendezvous? Okay, I thought now removing com.apple.security.inherit brings it in its own Sandbox (it needs sandboxing), but this also crashes the process because of the sandbox. Also after adding it to the App Group. What am I missing here, or what do I want to accomplish? Do I want to inherit the sandbox? I guess not; the helper should have its own.

The only difference I see in comparison to SMAppServiceSampleCode is it moves the product in Copy Bundle Resources, and I have a Copy Files Phase with Destination: Executables (like the other sample code said - and that looks “more correct” - and well, SMAppServiceSampleCode isn’t sandboxed). I then tried making a new Command Line Target and just added the App Sandbox Capability and tried to run this fresh one - and that also crashes. This makes me think I’m just ****** somewhere, but I have read now everything I could find. I’m happy to provide any code or crash logs, but I don't know what part is really relevant here. It looks like the LaunchAgent gets installed correctly and wants to run, but the sandbox is preventing me. The Bundle Identifier and XPC device name of the helper start with my teamID (I got that from here https://developer.apple.com/forums/thread/703702). What could I be doing wrong? Thanks a lot! Benjamin
7 replies · 0 boosts · 1.1k views · Dec ’23
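Two rules decide whether a helper's sandbox entitlements can work at all, and both are documented by Apple: com.apple.security.inherit is only valid together with com.apple.security.app-sandbox and only for a child process that an already-sandboxed parent spawns, and a process that launchd starts (a LaunchAgent or an SMAppService helper) has no sandboxed parent, so with the inherit entitlement it is killed at startup with exactly the "Process is not in an inherited sandbox." message quoted above. The shell functions below are an added example, not code from the post, that apply those two rules to the entitlements plist of a helper, either a saved .entitlements file or what `codesign -d --entitlements :- <helper>` prints; the plists in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the post): check the sandbox entitlements of an
# embedded helper against how it will be started. Reads the XML plist that
# `codesign -d --entitlements :- <helper>` prints, or a saved .entitlements file.
#
# Rules applied (both documented by Apple):
#  - com.apple.security.inherit is only valid together with
#    com.apple.security.app-sandbox, and only for a child process started by
#    an already-sandboxed parent.
#  - A process that launchd starts (LaunchAgent, SMAppService) has no
#    sandboxed parent; with the inherit entitlement it is killed at startup
#    with "Process is not in an inherited sandbox."

# ent_bool PLIST KEY -> "true", "false", or "" when the key is absent.
# Expects Xcode's layout: <key>KEY</key> on one line, <true/> or <false/> on the next.
ent_bool() {
    printf '%s\n' "$1" | awk -v k="<key>$2</key>" '
        found && /<true\/>/  { print "true";  exit }
        found && /<false\/>/ { print "false"; exit }
        found                { exit }
        index($0, k)         { found = 1 }
    '
}

# check_helper_entitlements PLIST STARTER -> findings, one per line; exit 0 when clean.
# STARTER is "launchd" for a LaunchAgent/SMAppService helper, "app" for a helper
# the sandboxed app itself spawns (posix_spawn, NSTask, an XPC service target).
check_helper_entitlements() {
    _sandbox=$(ent_bool "$1" com.apple.security.app-sandbox)
    _inherit=$(ent_bool "$1" com.apple.security.inherit)
    _n=0
    if [ "$_inherit" = "true" ] && [ "$_sandbox" != "true" ]; then
        echo "com.apple.security.inherit set without com.apple.security.app-sandbox=true"
        _n=$((_n + 1))
    fi
    if [ "$_inherit" = "true" ] && [ "$2" = "launchd" ]; then
        echo "helper is started by launchd but has com.apple.security.inherit: no sandbox to inherit, expect 'Process is not in an inherited sandbox.'"
        _n=$((_n + 1))
    fi
    if [ "$_inherit" != "true" ] && [ "$_sandbox" != "true" ]; then
        echo "helper is not sandboxed at all (fine only if that is intended)"
        _n=$((_n + 1))
    fi
    [ "$_n" -eq 0 ]
}

# check_helper_binary PATH STARTER -> the same check on a signed helper's embedded entitlements
check_helper_binary() {
    check_helper_entitlements "$(codesign -d --entitlements :- "$1" 2>/dev/null)" "$2"
}
```

A launchd-started helper therefore needs app-sandbox=true without inherit, plus whatever its own sandbox must allow (for example the app group it shares with the app); whether a particular Mach service name is reachable from the sandboxed client is a separate question that this check does not answer.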
macOS newbie building internal updater
Have been using a Mac for about a month, but am a 48-year engineer. Too many operating systems to list. Have my cross-platform self-contained Java application looking great on macOS with all the cool Mac conventions and a DMG "installer". Am attempting to get the existing self-updater working for macOS. It has conditional logic based on the operating system. But I'm stuck ... this is on a MacBook Pro 13" Retina Late 2013 2.8GHz running macOS Big Sur 11.7.10 (fully updated). Deliberately supporting older hardware due to the nature of the application.

The Process in Short
1. Main program downloads updater program into a system temp directory
2. Mounts updater DMG image with -mountroot in that directory
3. Executes updater .app
4. Exits
5. Updater program downloads new Main program
6. Mounts new program DMG image in the system temp directory
   - The DMG image is the same one used for initial installations
7. Makes back-ups of the Java and Plugins directories of existing program
8. Copies the new Java and Plugins directories to existing Main program locations
9. Unmounts new program DMG image
10. Either deletes back-up directories or restores them based on success or failure
11. Restarts Main program .app
12. Exits
13. Main program receives special argument indicating success or failure of update
14. Unmounts updater DMG image
15. Displays appropriate dialog

Issues
The problems encountered are the mounting and unmounting of the DMG images executing hdiutil with Java Runtime.getRuntime().exec().
- All mounts and unmounts have 1.5 sec. time-delayed retries for 3 attempts
- The initial download, mount, and execution of the updater works
- The mounting of the downloaded update DMG fails
  - Running the command by hand works
- When the Main program is restarted the unmount of the updater DMG fails
  - Running the command by hand works
- Also - these are unsigned images at this point. Have been unsure whether I would support macOS. But this is the last stumbling block.

Questions
- Odd point - the initial download, mount and execution of the updater works
- Is this all because the DMG images are not signed (yet), so hdiutil is failing?
- Or is there something basic that I'm missing?

Thank You
For taking your time to read this. Any pointers would be appreciated.

The Project
https://github.com/Corionis/ELS/tree/Version-4.0.0 (not released)
Component projects: https://github.com/Corionis
11 replies · 0 boosts · 898 views · Dec ’23
Failed to codesign since macOS Sonoma
Hi, after many hours looking for a solution I hope to find one here :) I am creating an iOS application using Flutter. Since updating my MacBook to macOS Sonoma it is impossible for me to launch an archive of the application in Xcode (the error below is displayed). By searching I thought I understood that it could come from iCloud, but even if I put my app in the Application folder, I get this error. I can launch my application on the Simulator but not on a physical phone either.

    error: Target release_unpack_ios failed: Exception: Failed to codesign /Users/etiennemary/Library/Developer/Xcode/DerivedData/Runner-hcgaysxersoeaugykishvsewlgps/Build/Intermediates.noindex/ArchiveIntermediates/Runner/BuildProductsPath/Release-iphoneos/Flutter.framework/Flutter with identity ......
    /Users/etiennemary/Library/Developer/Xcode/DerivedData/Runner-hcgaysxersoeaugykishvsewlgps/Build/Intermediates.noindex/ArchiveIntermediates/Runner/BuildProductsPath/Release-iphoneos/Flutter.framework/Flutter: replacing existing signature
    Warning: unable to build chain to self-signed root for signer "Apple Development: Etienne Mary (. )"
    /Users/etiennemary/Library/Developer/Xcode/DerivedData/Runner-hcgaysxersoeaugykishvsewlgps/Build/Intermediates.noindex/ArchiveIntermediates/Runner/BuildProductsPath/Release-iphoneos/Flutter.framework/Flutter: errSecInternalComponent
    Failed to package /Applications/aa/evento.
1 reply · 1 boost · 1.6k views · Dec ’23
Unable to load embedded and signed dylib on iPhone
I'm trying to run an app that has a .dylib listed in the configuration of the application as "Embed & Sign". I can confirm it is correctly signed by inspecting the package using codesign -dv --verbose=4 lib_paths.dylib and it gives me the following:

    Executable=/Users/blablabla/Debug-iphoneos/TestApp.app/Frameworks/lib_paths.dylib
    Identifier=lib_paths
    Format=Mach-O thin (arm64)
    CodeDirectory v=20400 size=784 flags=0x0(none) hashes=16+5 location=embedded
    VersionPlatform=2
    VersionMin=917504
    VersionSDK=1049600
    Hash type=sha256 size=32
    CandidateCDHash sha256=7eaecbb8e00114767c9de0ac9054213620052212
    CandidateCDHashFull sha256=7eaecbb8e00114767c9de0ac90542136200522121105dd217b38bd27e1fda4de
    Hash choices=sha256
    CMSDigest=7eaecbb8e00114767c9de0ac90542136200522121105dd217b38bd27e1fda4de
    CMSDigestType=2
    Executable Segment base=0
    Executable Segment limit=32768
    Executable Segment flags=0x0
    Page size=4096
    Launch Constraints:
        None
    CDHash=7eaecbb8e00114767c9de0ac9054213620052212
    Signature size=4795
    Authority=Apple Development: myemail@address.com (XXXXXXXXX)
    Authority=Apple Worldwide Developer Relations Certification Authority
    Authority=Apple Root CA
    Signed Time=13 Dec 2023 at 21:39:28
    Info.plist=not bound
    TeamIdentifier=XXXXXXXXXXX
    Sealed Resources=none
    Internal requirements count=1 size=180

But when trying to run the application, I am getting the following error:

    Referenced from: '/private/var/containers/Bundle/Application/3142F1F2-547B-41B5-8EF4-239F4EAD2A4F/TestApp.app/FSVTestApp'
    Reason: tried: '/usr/lib/system/introspection/lib_paths.dylib' (no such file), '/usr/lib/swift/lib_paths.dylib' (no such file), '/private/var/containers/Bundle/Application/3142F1F2-547B-41B5-8EF4-239F4EAD2A4F/TestApp.app/Frameworks/lib_paths.dylib' (code signature invalid (errno=1) sliceOffset=0x00000000, codeBlobOffset=0x0000C5E0, codeBlobSize=0x00004B50 for '/private/var/containers/Bundle/Application/3142F1F2-547B-41B5-8EF4-239F4EAD2A4F/TestApp.app/Frameworks/lib_paths.dylib'),

Note that I enabled the "Automatically manage signing" option, and am using a Personal Team. This seems to work fine for the application itself (otherwise it wouldn't even try to load the dylib). What is going on?
2 replies · 0 boosts · 439 views · Dec ’23