Ok, I found a workaround to clear this flag after it's been cached... /usr/libexec/PlistBuddy -c "Delete :\"Architectures for arm64\":io.qz.qz-tray" ~/Library/Preferences/com.apple.LaunchServices/com.apple.LaunchServices.plist && sudo reboot ... where io.qz.qz-tray is the bundle identifier of your application. The reboot is critical for the setting to take effect.

It's quite unfortunate that this still does not have a workaround or solution. This notion that the main executable must be a binary introduces complexities for apps that rely on just-in-time compilation frameworks. The LSArchitecturePriority flag fixes this for new Desktop users, but without a way to "clear" this flag, it will be stuck until a user creates a new profile or reloads their mac. With regards to Java, OpenJDK has finally offered a jpackage utility starting with JDK17, however projects relying on LTS versions such as JDK11 are faced with a dilemma of whether or not to introduce native compilation into a project or struggle with bugs that are a side-effect of the script being the main executable. doing this will create other issues as well Agreed. We're facing another issue where setOpenURIHandler is ignored as well. The docs say this is handled by Info.plist, however it appears to be handled more like an entitlement on the main binary, blocking a Java application from receiving any URI strings at runtime. OpenJDK does not believe this to be a bug. More and more issues will occur as a result of this, however the lack of workaround makes supporting these apps in the interim frustrating to "framework" ISVs supporting the Apple Ecosystem.

I had an identical issue using SDK 10.9 targeting x86_64 from macOS Sonoma on an M1 Mac. What I found was that the SDK I was using didn't contain a MacOSX10.9.sdk/usr/include/c++/v1 folder, but instead contained a MacOSX10.9.sdk/usr/include/c++/4.2.1 folder. The fix was to either explicitly include the 4.2.1 folder during build time or create a symbolic link v1 --> 4.2.1. In my case, I was using cmake, so I added the include directory to my build.

Yes, however I did not find anything related to Installer.app. I considered adding Installer.app to the listing, but no longer have access to the offending machine and I'm since unable to reproduce on the latest Ventura version. I'll see if I can find out which OS version was originally used.

Feel free to file a bug against the docs. Done via FB11983426 (<-- hmm... this auto-linking is broken, shall I file another?). As a slight aside, I reported an unrelated bug with Notes (FB11709965) on Ventura beta that still seems to be present, so my confidence in this system has yet to be won over. :)

Most organisations that use a custom CA install its root certificate via MDM. Indeed, that’s the only option on iOS and its child platforms [1]. If you want to use a custom CA, that’s the path you should be on. iOS does offer installing custom device profiles for this exact purpose (which MDMs can automate). It's an unfortunate side-effect of the mobile landscape. I do admit that these profiles (whether provided via MDM or manually) do place iOS better than Android in this area, but this conversation is about the MacOS desktop. Mobile platforms are not the target for this app due specifically to their strict sandboxing. In regards to MDM solutions, these just don't scale well for non-enterprise deployments. The simple act of proposing an MDM solution for an SSL problem is quite presumptuous. In my case, SSL is needed for websocket communication from browser to a natively running application. This application is distributed to millions of PCs worldwide and macOS is the only platform that places a blocking UI prompt in this fashion. To that point, macOS is also the only one to warn of other important security, privacy and non-sandboxed actions, which is fantastic, but these are all non-blocking. For example, the same application must make changes in other areas of the OS (background tasks, browser helpers) and the OS -- quite politely -- asks if this is OK, something no other OSs keep track of, which is a step in the right direction. To that point, SSL is so important and prolific in the industry it should come as no surprise that there are perfectly valid use-cases for limited scope certificates, perhaps this is the biggest oversight of prescriptive solutions, that once you mandate SSL everywhere, private-network communication is left in the dust unless exceptions to the assumption of "HTTPS = public websites" are made. Using a CA-issued certificate is just the first step. I'll have to strongly disagree. Using CA-issued certificates inside distributed applications is a substantial security risk. Furthemore, CA-issued certificates can't easily be issued for localhost or LAN communication anyway. If you're aware of a non-enterprise way to do this, I'm all ears. :) In an attempt to stay on topic, I'll file a bug against the documentation. Disclaimer, the OP -- Vzor -- and I have been discussing this problem offline. He'll be sharing a GitHub actions CI issue that suffers a similar problem.

Why are you changing trust settings? Adding an SSL certificate to the machine for secure communication. Running a process as "root" requires authentication by the OS, making it redundant. But to the OP's point, this prompt seems to mismatch the documentation, which clearly indicates that no further action is required, quoting it again: "[...] When making changes to system-wide trust settings, the user is prompted with an alert panel asking for an administrator’s name and password unless the calling process is running as root, in which case no further authentication is needed. [...] The documentation warns that this can and will block, quoting: "[...] Note that this function might block while waiting for user input. [...] ... so I find the OP's question to be valid. It sounds like you’re under the misapprehension that “running … as root” is the same as “Administrator privileges”. I'm having a hard time understanding where this assumption was drawn from, the OP clearly says "root". XCode calls this root: Product > Scheme > Edit Scheme > Debug process as root Changing trust settings requires user interaction regardless of the BSD level privileges of your process. I'm having a hard time understanding if this is suggesting that the documentation is outdated, or if the Scheme is not doing as described? In general this is not a happy path to be going down. Reading between the lines, I think there's some assumption that modifying the SSL trust settings is bad practice. This is both presumptuous as well as untrusting. In my use-case, myself and my company have been vetted by Apple through Dun & Bradstreet. Each application distributed undergoes notarization and stapling by Apple, however there are use-cases where this User Interaction blocks similarly as documented (but even when running as root). I think the OP's question as well as the quoted documentation have merit and as a result promote happiness. :) More strictly speaking, self-signed certificates are arguably more secure than CA-issued certificates because the chain of trust does not imply monolith issuers. Furthemore, when done properly, private key leakage will only impact a single machine. I understand there are some cases where self-signed certificates are lazily installed (e.g. SuperFish / Lenovo) and those concerns have merit as well, but then this turns more into a conversation about the dangers in self-signed certificate (e.g. wildcard and/or non-owned FQDN and/or non-localhost) scope, rather than about security in general. Furthemore, in the event of the SuperFish / Lenovo disaster, it was the worldwide private-key sharing across all devices that made the scope so terrifying. Perhaps this behavior should be fingerprinted and added as a blocker to the notarization process, since I've seen other apps (e.g. Cricut) continue this practice years after that fiasco. :( Oddly, Apple does have a plist flag for suppressing this prompt, but this technique seems like using a sledgehammer to crack a nut, and due to how contradictory this appears from a security perspective, can be presumed will be removed in a future OS update.

Sorry to be a necromancer here, but @eskimo, has this behavior changed since Monterey? Reference: https://github.com/java-native-access/jna/issues/1423#issuecomment-1382220523

I have a somewhat similar issue. Since Big Sur, one of my machines cannot read files from the Desktop (AdoptOpenJDK 11). Granting java full disk permissions didn't fix it. My app is distributed as an .app. The launcher uses /usr/libexec/java_home to find a suitable Java vendor, which -- in this case -- returns /Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home. What's most troubling is the "Application Foo is trying to Access the Desktop" popup doesn't show on the offending machine.

I've found a project which uses JNA to accomplish this in Java: https://github.com/dyorgio/macos-tray-icon-fixer. Note, future Java versions will have a new property. More about that here: JDK-8252015

have you seen the https://github.com/apple/openjdk/ repo? Apple has open sourced JNF as part of that just recently. They just built it with the openjdk project. That's OK, I guess, but it would be nice to have it bundled with XCode for ARM64 so developers can use it, or at least provide it as a standalone project to fetch at build time, since it's a one-liner: https://github.com/apple/openjdk/blob/xcodejdk14-release/build.sh#L32

Since Apple is unable to provide a technique to detect this, we've begun the process to update the JDK to internally (properly) use the NSImage:isTemplate flag. More details about this available here: https://github.com/AdoptOpenJDK/openjdk-support/issues/146#issuecomment-697723671 I'm marking this as the accepted answer. The patch will not be available in the JDK for some time yet as it takes a while to get the code approved through the proper channels.