I'm experimenting with full-disk access and can't make it work. Here is the list of steps I did:

  1. Sandbox is turned ON. In fact the entitlements file looks like:

         <key>com.apple.security.app-sandbox</key>
         <true/>
         <key>com.apple.security.files.bookmarks.app-scope</key>
         <true/>
         <key>com.apple.security.files.user-selected.read-write</key>
         <true/>

  2. I created an archive of the app and tried to distribute it using both the Developer ID and Development methods
  3. I placed the binary of my app in the /Applications folder
  4. I went to System Preferences -> Security & Privacy -> Privacy -> Full Disk Access and added access to my app in the /Applications folder
  5. Of course I'm NOT attached to the app with Xcode

I'm testing it in Xcode 11 and on Catalina. It's a dummy app that opens NSOpenPanel to let the user select archives to decompress and tries to decompress them in the same directory.

In fact it's not about NSOpenPanel, the question is:

What is necessary to make a sandboxed app use full-disk access?

Any hints? Am I doing anything wrong?

Martin Pilch
  • Does your app use a launch script, or is it only a binary exec? – Richard Barber Oct 25 '19 at 12:51
  • I'm quite new to macOS development, thus my goal is to learn something new and implement a simple compressing/decompressing app using libarchive as the library to do the job. The app can open and decompress associated files, drag-n-dropped files, files selected using NSOpenPanel or opened from FinderSync. Nothing special, just a regular application, not using a launch script or XPC services – Martin Pilch Oct 25 '19 at 14:12
  • Ok, apps that use a launch script need to have the particular shebang interpreter granted file system access by the user in *Catalina*. But that is not the case here. Please also post any error messages you are receiving. – Richard Barber Oct 25 '19 at 15:52
  • libarchive keeps saying it can't read files. It's working as expected when sandbox is turned OFF – Martin Pilch Oct 25 '19 at 18:21
  • That means you need to use sandbox-extending entitlements. – Richard Barber Oct 25 '19 at 18:25
  • Not sure if I follow. I found this documentation regarding entitlements file: https://developer.apple.com/documentation/bundleresources/entitlements/app_sandbox – Martin Pilch Oct 25 '19 at 19:26
  • What is the actual question? What is "not working"? The steps you've listed look fine. – pkamb Mar 08 '20 at 02:54

1 Answer

Here is a solution found for iTerm2 (it is worth reading how the solution was found). It just adds this to the application plist:

<key>NSSystemAdministrationUsageDescription</key>
<string>I want to read all your files</string>

Documentation is a bit fuzzy.

Sadly this solution doesn't work for launchctld daemons (this is what I need). I think daemons are an exception since they do not see UI at all.

But for regular applications it should work like a charm (didn't test it yet).

pkamb
Marek R
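
The following check is an added example, not code from the question, the answer or iTerm2. It parses an entitlements file and an Info.plist and reports whether the sandbox is declared, which `com.apple.security.files.*` entitlements are granted, and whether the `NSSystemAdministrationUsageDescription` key from the answer is present. The function names and the embedded samples (built from the fragments shown on this page) are assumptions made for the example.

```python
import plistlib

# Key names come from the question's entitlements and the answer's plist snippet.
SANDBOX_KEY = "com.apple.security.app-sandbox"
FILES_PREFIX = "com.apple.security.files."
USAGE_KEY = "NSSystemAdministrationUsageDescription"

# Constructed samples: the bare key/value fragments shown on this page.
QUESTION_ENTITLEMENTS = b"""
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.files.bookmarks.app-scope</key><true/>
<key>com.apple.security.files.user-selected.read-write</key><true/>
"""
ANSWER_INFO_PLIST = b"""
<key>NSSystemAdministrationUsageDescription</key>
<string>I want to read all your files</string>
"""

def load_plist(data):
    """Parse a complete XML or binary plist, or a bare fragment of dict entries."""
    head = data.lstrip()
    if head.startswith((b"<?xml", b"<plist", b"bplist")):
        return plistlib.loads(head)
    # Fragments pasted without the outer wrapper get one so plistlib accepts them.
    return plistlib.loads(b'<plist version="1.0"><dict>' + head + b"</dict></plist>")

def audit(entitlements, info_plist):
    """Summarise sandbox state, file entitlements and the usage-description key."""
    ent = load_plist(entitlements)
    info = load_plist(info_plist)
    desc = info.get(USAGE_KEY)
    return {
        # Only an explicit <true/> counts; a missing or false key means no sandbox.
        "sandboxed": ent.get(SANDBOX_KEY) is True,
        "file_entitlements": sorted(
            key[len(FILES_PREFIX):] for key, value in ent.items()
            if key.startswith(FILES_PREFIX) and value is True
        ),
        # An empty or non-string value is treated the same as a missing key.
        "usage_description": desc if isinstance(desc, str) and desc.strip() else None,
    }

if __name__ == "__main__":
    for name, value in audit(QUESTION_ENTITLEMENTS, ANSWER_INFO_PLIST).items():
        print(f"{name}: {value}")
```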