My app is fully hardened, code-signed, and notarized for Catalina.
- When the user drags & drops a file to the app window, the app can open it normally.
- However, my app includes a Helper app inside its bundle. When the Helper app tries to operate on this file, it is unable to open it.
- My app also has a procedure to download a sample project. When this happens, it triggers Catalina’s “MyApp would like to access to files in the Downloads folder”
- If the user allows this, then the Helper app can now access files within the Downloads folder as well.
Here’s what seems to be happening:
- The Helper app is automatically inheriting permissions for accessing Folder trees (Documents, Downloads, etc.) when the Catalina prompt comes up.
- The Helper app is not inheriting permissions for accessing individual files, even if the file was opened via user action (drag & drop or the Open… file menu) within the main app.
- The main app communicates to the Helper app by simply passing a URL ( file://…) The helper app does not inherit permissions in this case. Should I be doing something different?
- Suppose a user drops a file in the main app. Would it make sense for the main app to then try to open the parent folder, which would then trigger the OS ‘would like to access files’ prompt, which would then allow the Helper app to access the file too?
I feel like #1 is probably the right way to do this but #2 seems reasonable as well.
[Edit to add: this is a non-sandoxed non-Mac-App-Store app]
Further testing makes me wonder if this is a Catalina bug or undocumented ‘feature’
- I use ‘tccutil reset All’ to reset permissions before testing.
- I launch my app, then drag & drop one or more files into the main app. The main app can always read the file.
The test is to see if the Helper app can also read the file:
- Test 1: when the App has no permissions at all, the helper app can read files within Public, Pictures, Movies, and Music but not Downloads, Documents, or Desktop.
- Test 2: when the app has permissions for Documents, the helper app can read files within Public, Pictures, Movies, Music and Documents, but not Desktop or Downloads.
Results are repeatable. Catalina never prompts to ask for permission; when the Helper app can read the file, it just happens magically. This is certainly not intuitive. It feels like Catalina is applying some sort of heuristic.
Anyone else run into this?
I finally figured this out - basically it’s an issue with Catalina permissions and CFBookmarks, which is described here (for Mojave). https://forum.xojo.com/50424-mojave-privacy-with-drag-drop-and-helper-apps/0/
In Catalina things generally work OK:
- if your main app and helper app are properly code-signed
- and they communicate using CFBookmark data
- then Catalina is smart enough to put up the permissions prompt when the Helper app opens the file.
However, that’s only true if the Helper app is actually opening the file.
In my case, the Helper app was sometimes not loading the file, but instead passing the URL to a WKWebView which would open the URL. Since WKWebView runs in a separate process, I think this confused Catalina, and it failed to put up the permissions dialog.
The solution / workaround is fairly simple: the Helper app must not only call CFBookmark.ResolveBookmarkData() to get a folderItem, but it must also try to open the file. It’s opening the file that triggers Catalina to ask for permissions.
Once that’s done, you can safely pass the URL on to a WKWebview and it all works as epxected.