Apple Events security, Build script and existing info.plist

Short version:

Is combining an existing info.plist with PlistBuddy commands in a build script a bad idea, buggy, or was I doing it wrong?

Long version:

I built an app that responds to a custom URI based on this post: https://blog.xojo.com/2016/05/09/let-your-os-x-desktop-app-react-to-custom-uris/

And with this in my build script, all was well:

var App As String = CurrentBuildLocation + "/" + CurrentBuildAppName
call DoShellCommand("/usr/libexec/PlistBuddy -c ""add :CFBundleURLTypes array"" " + App + "/Contents/Info.plist" )
call DoShellCommand("/usr/libexec/PlistBuddy -c ""add :CFBundleURLTypes:0 dict"" " + App + "/Contents/Info.plist" )
call DoShellCommand("/usr/libexec/PlistBuddy -c ""add :CFBundleURLTypes:0:CFBundleURLName string 'Sgz'"" " + App + "/Contents/Info.plist" )
call DoShellCommand("/usr/libexec/PlistBuddy -c ""add :CFBundleURLTypes:0:CFBundleURLSchemes array"" " + App + "/Contents/Info.plist" )
call DoShellCommand("/usr/libexec/PlistBuddy -c ""add :CFBundleURLTypes:0:CFBundleURLSchemes:0 string 'sgz'"" " + App + "/Contents/Info.plist" )

Then much later I decided to add something that used an AppleScript to talk to the Finder. Forgetting about the build step code, I dragged in an info.plist that I use when I need AppleScript:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.automation.apple-events</key>
  <true/>
  <key>NSAppleEventsUsageDescription</key>
  <string>Humoring Apple so I can do stuff with Applescript</string>
</dict>
</plist>

And running at this point I could never get the security prompt to appear to allow the app to use Apple Events. That’s when I remembered I was using both an existing info.plist and the build script for the final version of the info.plist. So I opened up the plist file that was created when the app was built. Besides everything that is normally added in the build process, both my Apple Event info from the original plist file and the entries added by the PlistBuddy script were all there.

To me at least, it seemed the plist wasn’t the issue. But after a day of learning way too much about and experimenting with tccutil, I still couldn’t get a security prompt. So I decided to take another look at the plist.

Going to the info.plist that was built with the app, I copied the entries that were added by PlistBuddy and added them to the info.plist I dragged into the app:

Edit: And I commented out the build script.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.automation.apple-events</key>
  <true/>
  <key>NSAppleEventsUsageDescription</key>
  <string>Humoring Apple so I can do stuff with Applescript</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key>
      <string>Sgz</string>
      <key>CFBundleURLSchemes</key>
      <array>
        <string>sgz</string>
      </array>
    </dict>
  </array>
</dict>
</plist>

And suddenly I get the security prompt and everything starts working. I don’t know if combining an existing info.plist with a build script is inherently bad, surprisingly bad (bug) or if I was just doing it wrong.
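
A post-build check for the situation described above, as an added example that is not part of the original post: it parses the built Info.plist and reports whether the Apple Events usage string and the `sgz` URL scheme both reached the final file. The function name `audit_info_plist` and the embedded sample are constructed for illustration; the note on `com.apple.security.*` keys assumes the usual arrangement in which entitlements are passed to codesign in a separate entitlements file.

```python
import plistlib

# Constructed sample: the hand-merged Info.plist entries from the post.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.automation.apple-events</key>
  <true/>
  <key>NSAppleEventsUsageDescription</key>
  <string>Humoring Apple so I can do stuff with Applescript</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key>
      <string>Sgz</string>
      <key>CFBundleURLSchemes</key>
      <array>
        <string>sgz</string>
      </array>
    </dict>
  </array>
</dict>
</plist>"""

def audit_info_plist(data, scheme):
    """Return (errors, notes) for the bytes of a built Info.plist."""
    info = plistlib.loads(data)
    errors, notes = [], []
    usage = info.get("NSAppleEventsUsageDescription")
    if not isinstance(usage, str) or not usage.strip():
        errors.append("NSAppleEventsUsageDescription missing or empty")
    schemes = set()
    for entry in info.get("CFBundleURLTypes") or []:
        if isinstance(entry, dict):
            for s in entry.get("CFBundleURLSchemes") or []:
                schemes.add(str(s).lower())  # URL schemes are case-insensitive
    if scheme.lower() not in schemes:
        errors.append(f"URL scheme '{scheme}' not registered in CFBundleURLTypes")
    # Assumption: entitlement keys are normally supplied at signing time in
    # an entitlements file, so one found in Info.plist is only reported.
    for key in info:
        if key.startswith("com.apple.security."):
            notes.append(f"{key}: entitlement key present in Info.plist")
    return errors, notes

if __name__ == "__main__":
    print(audit_info_plist(SAMPLE, "sgz"))
```

To check a real build, pass the bytes of the app's `Contents/Info.plist` instead of `SAMPLE`.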