The answer is simple but complicated. I’m changing the title of this thread to be more generic.
- First, there are some security-related key/value pairs which do belong in the application’s Info.plist - for example NSAppTransportSecurity https://developer.apple.com/documentation/bundleresources/information_property_list/nsapptransportsecurity – I think this is what led me to the incorrect belief that all security-related values belonged there. But that’s wrong.
- examples of other security-related tags which belong in the Info.plist are the human-readable descriptions, such as
<key>NSPhotoLibraryUsageDescription</key>
<string>MyApp can use images, movies, and metadata such as title and description when you drag & drop items from the Photos app.</string>
- However, the actual key/value pairs for Entitlements instead have to be added during the code-signing process, they do not belong in Info.plist at all
- To do this, first create an entitlements plist file (the name doesn't matter, but I use myapp_entitlements.plist) which looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
[... followed by a list of entitlements that you need for your app ... ]
<key>com.apple.security.assets.pictures.read-write</key>
<true/>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.personal-information.photos-library</key>
<true/>
[... etc ...]
</dict>
</plist>
- the full list of entitlements can be found here: https://developer.apple.com/documentation/bundleresources/entitlements
- when code-signing, you pass this entitlements plist file in as part of the command line, e.g.
codesign --force --options runtime --deep --entitlements /path/to/myapp_entitlements.plist --sign 'Developer ID Application: my company' /path/to/myapp.app
- to see what entitlements an app has, use this command:
codesign -d --entitlements :- /path/to/myapp.app
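The procedure above has three moving parts: write the entitlements plist, sign with it, then dump what actually got signed. The Python below is an added example, not code from the original post or from Apple. It uses the standard-library plistlib to generate the same kind of file shown above, and it parses the XML that `codesign -d --entitlements :-` prints so you can diff the requested entitlements against the ones actually embedded in the signature. The codesign call itself only runs on macOS; the sample codesign output embedded in the script is constructed (it deliberately drops one requested key and carries a leftover `com.apple.security.get-task-allow`, which Xcode debug builds add) so the comparison logic can be exercised anywhere. The function names are mine.

```python
"""Build an entitlements plist and verify what a signed bundle actually carries.
Added example: not from the original post or from Apple's tooling."""
import plistlib
import shutil
import subprocess

# The entitlement keys listed in the post; extend this dict with what your app needs.
REQUESTED = {
    "com.apple.security.assets.pictures.read-write": True,
    "com.apple.security.automation.apple-events": True,
    "com.apple.security.personal-information.photos-library": True,
}


def write_entitlements(path, entitlements):
    """Write an XML plist like the one shown in the post (plistlib emits the DOCTYPE header)."""
    with open(path, "wb") as f:
        plistlib.dump(entitlements, f, fmt=plistlib.FMT_XML)
    return path


def parse_codesign_entitlements(raw):
    """Parse the bytes printed by `codesign -d --entitlements :- /path/to/app` into a dict.

    The ':' prefix tells codesign to strip its binary blob header, but we still slice
    from the first '<?xml' defensively; anything without an XML plist yields {}."""
    start = raw.find(b"<?xml")
    if start < 0:
        return {}
    return plistlib.loads(raw[start:])


def check_entitlements(actual, requested):
    """Return (missing, unexpected).

    missing:    keys you requested that are absent or not set to the requested value
    unexpected: keys in the signature you never asked for (e.g. get-task-allow
                left over from a debug build), which deserve a second look."""
    missing = sorted(k for k, v in requested.items() if actual.get(k) != v)
    unexpected = sorted(k for k in actual if k not in requested)
    return missing, unexpected


def dump_entitlements(app_path):
    """Run codesign (macOS only) and return the entitlements embedded in the signature."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not found; this step only works on macOS")
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", app_path],
        check=True, capture_output=True,
    )
    return parse_codesign_entitlements(result.stdout)


# Constructed sample of codesign output: one requested key is missing and a
# debug-only entitlement is present. Not captured from a real app.
SAMPLE_CODESIGN_OUTPUT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.assets.pictures.read-write</key>
    <true/>
    <key>com.apple.security.automation.apple-events</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    write_entitlements("myapp_entitlements.plist", REQUESTED)
    actual = parse_codesign_entitlements(SAMPLE_CODESIGN_OUTPUT)
    missing, unexpected = check_entitlements(actual, REQUESTED)
    print("missing entitlements:   ", missing)
    print("unexpected entitlements:", unexpected)
```

On a Mac, replace the constructed sample with `dump_entitlements("/path/to/myapp.app")` after signing; an empty `missing` list and an empty `unexpected` list is what you want to see before notarizing.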