Entitlements and debug vs non-debug builds

I have code-signing Build step scripts which code-sign my .debug app and my non-debug app.

Under 10.14.5, when the code-signed debug app runs, it does not behave like the signed and fully built app.

Specifically, both my app and debug app are signed with the following entitlements:

	<key>com.apple.security.assets.pictures.read-write</key>
	<true/>
	<key>com.apple.security.personal-information.photos-library</key>
	<true/>

And yet I consistently see that the debug app will fail to load photos, while the non-debug app works.

Looking inside System Preferences / Security & Privacy / Photos, under “Allow the apps below to access your photos” I see only the non-debug app. The debug app never shows up.

Theories:

  • there is just something about running the debug app which doesn’t work
  • the debug app and the non-debug app share the same bundleID, and this is confusing the OS
  • ???

Any ideas?

FYI, this is a non-sandbox Developer ID app, built using Xojo 2019R1.1. I am code-signing with the hardened runtime but am NOT notarizing (basically, I’m using the steps shown here https://forum.xojo.com/55310-how-to-add-entitlements-to-a-xojo-app-using-codesign )

I would love it if there was some way to have my Debug app and non-debug app behave the same for testing purposes.