MacOS Ventura: Unable to replace application bundle in /Applications

Question

I am trying to replace an application bundle at /Applications/example.app with an updated version of the same bundle on OSX Ventura and I get Operation not permitted. Both bundles are signed and notarized with the same identity. Inside both applications bundles I have a tool called swap which takes two paths, and does a renamex_np(pathA, pathB, RENAME_SWAP) which results in Operation not permitted. I can run codesign -dvvv <appbundle> for both app bundles, and can see the Authority, TeamIdentifier, Identity all set, and are the same for both. I also do this same command on the swap app, and see Authority, and TeamIdentifier match the bundle, with Identifier=swap.

The notification pops up saying "Application X was prevented from updating or deleting apps on your Mac."

Some notes:

If I allow the app under App Management, it works.
The app bundle app can modify itself however it wishes.
For signed apps, macOS allows apps from the same developer — those sharing the same Team ID — to modify the app’s bundle. This does not seem to be working.
WWDC2022 video. Repeats the above point: apps signed with same Team ID can update each other. Jump to 5min. Signing issue?
Console log shows TCC (Transparency, Control and Consent) kTCCServiceSystemPolicyAppBundles is blocking the application. TCC was extended to /Applications folder in Ventura.

Help! Thanks

I would check if the entitlement com.apple.security.inherit is set to true. This entitlement allows a helper tool to inherit the same entitlements as its parent process. — djmonki, Apr 17 '23 at 03:13
Hi @djmonki, [that property](https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html) only matters if sandboxing is enabled. However I'm not using app sandboxing. — fionbio, Apr 20 '23 at 18:58
How was the application installed in the first place? By drag-and-drop, or .pkg? — TheNextman, Apr 20 '23 at 19:57
% ls -l /Applications | grep example.app =>> drwxr-xr-x@ 3 fionbio admin — fionbio, Apr 20 '23 at 20:08
I know it's not a solution, but did you try manually adding you .app to the list in Privacy > App Management. Does it work then? — TheNextman, Apr 20 '23 at 20:18
Holy shit I might have figured it out. With nothing blocked under app management, I started thinking there was a bug in the os hit by the breadth of varied attempts, so I did a reboot, clicked the update mechanism in the app, and it worked. I'll slim out the process, and triple check to be sure I'm not crazy. — fionbio, Apr 20 '23 at 20:39

score 1 · Accepted Answer · answered Apr 20 '23 at 21:28

After the massive set of evidence that suggested everything was in-place, I starting thinking the Gatekeeper mechanism was out of sync with reality, and did a reboot. After this I ran the application, hit update, and the package was replaced without issue.

Some notes:

The application is standalone (plist or entitlements are not required).
We are actually using replaceItemAt... over renamex_np. Be sure to do this operation for targets on the same volume!

MacOS Ventura: Unable to replace application bundle in /Applications

1 Answers1