Can a notarized safari web extension (that is distributed outside the store) be permanently allowed to run in the Safari browser when a user selects 'Allow Unsigned extensions'? Or do they have to keep doing it every single time they open the browser?

I am performing some tests that involves the app extension and an external app connected through XPC I get the following when I try to connect to an external app from the safari app extension with sandbox enabled connection to service named "com.test.sample"was invalidated: failed at lookup with error 159 - Sandbox restriction." UserInfo={NSDebugDescription=The connection to service named com.test.sample was invalidated: failed at lookup with error 159 - Sandbox restriction. I have tried: Disabling the sandbox for the app extension target Adding the entitlements file path in the test target Both of which still give me the same result. How can I proceed with this? Does the entitlement for the sandbox only work when Safari is running the appex?

It appears that safari web extensions can only go through the app store. In order to distribute it outside, is it sufficient to use a valid Developer ID cert or does it need to be notarized? I understand that users would have to click Allow Unsigned Extensions. Do they have to do this every single time even if a valid cert is used to sign the app?

A new instance of SafariWebExtensionHandler (which is set as the NSExtensionPrincipal class) inside the app extension is created for every incoming message from the browser extension. Is this something that can be changed? What is the lifecycle of this object? If I have to instantiate other class objects, would they have to be singleton instances?