kTCCServiceAppleEvents com.apple.security.automation.apple-events

See prior conversation for reference: https://forum.xojo.com/55310-how-to-add-entitlements-to-a-xojo-app-using-codesign

After signing & notarizing my app, I’m still seeing these warnings:

Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for ACC:{ID: com.mycompany.myapp, PID[1131], auid: 501, euid: 501, binary path: '/Users/me/Desktop/MyApp.app/Contents/MacOS/MyApp.app'}, REQ:{ID: com.apple.appleeventsd, PID[279], auid: 55, euid: 55, binary path: '/System/Library/CoreServices/appleeventsd'}

My app does not intentionally use Apple Events, but it does have a lot of old legacy code and includes a bunch of MBS plugins. In spite of the warning messages, it runs fine, but I’d like to know why I’m seeing those errors.

  • Could it be something in MBS which is triggering the message?
  • Should I just add the entitlement and not worry about it?
  • Do ALL Xojo apps require this entitlement?

Checking logs, I also see this which seems like it might be relevant:

<rdar://problem/11489077> A sandboxed application with pid 816, '"MyApp.app"', checked in with appleeventsd, but its code signature could not be read and validated by appleeventsd, and so it cannot receive AppleEvents targeted by name, bundle id, or signature. Install the application in /Applications/ or some other world readable location to resolve this issue. Error=ERROR: #100013  { "NSDescription"="SecCodeCopySigningInformation() returned 100013, -." }

This happens when I download my notarized app and launch it. If I validate the signature for the downloaded app, it does validate, so I’m not quite sure what the problem is. (This is in Catalina dev beta 5).

I wonder what “checked in with appleeventsd” means?

Did you do a Google? I tried and the only suggestion I found was that your signing wasn’t done correctly. Have you verified your signing identities with AppWrapper?

codesign -vvvv /path/to/my.app
spctl --verbose --assess --type execute -v /path/to/my.app

both say it’s properly signed & notarized.