Why is security set-key-partition-list needed to use codesign?
Hello,

I am trying to set up manual codesigning in an automated build script that runs in GitHub Actions. The process was hanging because the codesign command prompts for a password. I tried to get around this in several ways:

- passing the password to codesign in the script (doesn't seem to work)
- using the -T /usr/bin/codesign option when doing security import <certificate>
- using the -A option when doing security import <certificate>
- unlocking the keychain, and extending the timeout time

The UI prompt would still always appear. I finally found this question: https://stackoverflow.com/questions/39868578/security-codesign-in-sierra-keychain-ignores-access-control-settings-and-ui-p which seems to be the same issue. The solution suggested there,

security set-key-partition-list -S apple-tool:,apple: -s -k <keychain password> <keychain name>

solves the problem. I couldn't find any answers on these forums explaining this command. I have two questions:

1) Why did the first things I tried not work?
2) Could I get some confirmation that this is the correct and secure way to do this?

Thanks!
Replies: 1 | Boosts: 1 | Views: 6.2k | Activity: Jun ’21

Unsandboxed app can't access files: System Policy deny(1) file-read-data
I am working on a macOS app which is distributed outside of the App Store and isn't sandboxed or signed. My understanding is that non-sandboxed apps should have access to everything that the user can access. Yet I'm getting a console error Sandbox: my-app(1868) System Policy: deny(1) file-read-data that is causing some problems:

- The app uses several filepath inputs that the user types into a form. We do some validation of the filepaths, and the user can't submit the form until validation passes. Validation involves (1) checking that the path exists, (2) checking for rwx permissions, and (3) trying to open the file. When the form autofills with inputs from the previous run, all filepath inputs fail validation on step (3). Clearing one input and re-entering it, which triggers validation to run again, causes all inputs to pass as expected. Looking at the console logs, there is an error Sandbox: my-app(1868) System Policy: deny(1) file-read-data <filepath> for each filepath input.
- Each time the app is run, it writes to a workspace directory (by default ~/Documents/model_workspace/). It creates this directory if it doesn't exist and overwrites it if it already exists. If the workspace directory exists and was created by a previous run of the app, it works as expected. But if it exists and was created by mkdir or by the CLI version of the app, it doesn't work. A similar error Sandbox: my-app(1868) System Policy: deny(1) file-read-data ~/Documents/model_workspace shows up in the console logs.

Things I have tried:

- Changed the file permissions to drwxrwxrwx (no effect)
- Gave the app Full Disk Access in System Preferences > Privacy (no effect)
- Looked further into the logs. The error correlates with an error from tccd: FAIL: PID[2624]: SecTaskCopySigningIdentifier(): [22: Invalid argument]

I had thought that TCC would prompt the user for permission if the app tries to access ~/Documents. Maybe something is going wrong with that step?

I tried to find more TCC logging with log show --info --debug --signpost --predicate 'eventMessage contains[c] "tcc"'. I have attached an excerpt from around the time of the form autofilling and validation failing. I notice several lines containing Composed entitlement check for ({ID: <ID of InvalidCode>. Is the invalid code a problem?

We are very stuck on this issue and any help would be appreciated!

TCC_logs - https://developer.apple.com/forums/content/attachment/6c7d668e-2170-4d72-9790-fcfae0980af8
Replies: 5 | Boosts: 0 | Views: 15k | Activity: Oct ’20