Post · Replies · Boosts · Views · Activity

Sandboxed app has access to icloud drive without entitlements
I want to troubleshoot entitlements to iCloud Drive. An app downloaded from the macOS App Store has no entitlements related to iCloud. Its entitlements look like this (removing the irrelevant ones):

    [Key] com.apple.developer.maps [Value] [Bool] true
    [Key] com.apple.security.app-sandbox [Value] [Bool] true
    [Key] com.apple.security.files.user-selected.read-write [Value] [Bool] true
    [Key] com.apple.security.network.client [Value] [Bool] true
    [Key] com.apple.security.network.server [Value] [Bool] true
    [Key] com.apple.security.personal-information.addressbook [Value] [Bool] true
    [Key] com.apple.security.personal-information.calendars [Value] [Bool] true
    [Key] com.apple.security.personal-information.location [Value] [Bool] true

I have not manually given it access to iCloud Drive. This app does not appear in the list of apps appearing in Settings / iCloud Drive / Options. And yet, this app is able to create its directory inside iCloud Drive. My understanding is that it should not have access to iCloud Drive without a specific entitlement. Is my understanding off, or is this a security bug?
5 · 0 · 1.7k · Jun ’23
Give sandboxed app access to /var directory
I have an app that runs on macOS Monterey. For various reasons, I have to externally add a sandbox entitlement (externally, as in using codesign, rather than rebuilding it). After adding the sandbox entitlement, and resigning appropriately, the app crashes on launch with the following error:

    ERROR:process_singleton_posix.cc(1186)] Failed to bind() /var/folders/s2/j0z79krx321qg318das1r95_zc0000gn/T/com.funkyapp/S/SingletonSocket

So I assumed I needed to give access to this file. So I added the following entitlements to the app, via codesign:

    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <array>
        <string>/var</string>
        <string>/var/folders/s2/j0z79krx321qg318das1r95_zc0000gn/T/com.funkyapp/S/SingletonSocket</string>
    </array>

and also

    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>

Unfortunately, it still crashes on load, with the same error. Does anyone know why that is? From my perspective, I gave the appropriate entitlements to bind a socket at that path; what am I missing? Thanks!
6 · 0 · 2.9k · Sep ’24
Entitlement issues with network extension
When loading a network extension, I see the following error, raised by the trustd process, in the console:

    Entitlement com.apple.application-identifier=RUXT127L01.com.team.AppName.NetworkExtension is ignored because of invalid application signature or incorrect provisioning profile
    Entitlement com.apple.security.application-groups=( "RUXT127L01.com.team.AppName" ) is ignored because of invalid application signature or incorrect provisioning profile

However, I believe my appGroups and bundle identifiers are correctly set in the Entitlements:

    com.apple.application-identifier        RUXT127L01.com.team.AppName.NetworkExtension
    com.apple.developer.team-identifier     RUXT127L01
    com.apple.security.application-groups   RUXT127L01.com.team.AppName
    com.apple.security.get-task-allow

Also, when I run "codesign -d -vvvv" or "codesign -d --entitlements" on the system extension, everything looks fine. Does anyone have any idea what could be off? Or any suggestion of where to look? Note that the system extension seems to work fine anyway, and allows XPC communications.
14 · 0 · 8.6k · Aug ’22