search

appveyor / ci

AppVeyor community support repository
https://www.appveyor.com
344 stars 65 forks source link

Build scripts not authorized to control Finder (macOS) #3216

Open cfillion opened 4 years ago

cfillion commented 4 years ago

Using an AppleScript to configure the .DS_Store within DMG files produced in a build fails because of a security feature in Mojave and later.

CPack Error: Error executing custom script on disk image.
/Users/appveyor/projects/sws/setup/macos/DS_Store.scpt:199:248: execution error: Finder got an error: AppleEvent timed out. (-1712)

https://ci.appveyor.com/project/cfillion/sws/builds/29059454/job/ul5siarj67w3mrip#L438

The timeout error is likely caused by macOS showing a blocking message box requesting user interaction:

macOS's modal authorization popup

As far as I could find there is no way to programatically authorize access to Finder without interacting with the GUI once (https://i.imgur.com/ZH5XT9Z.png).

Googling indicates that the authorization is persisted in ~/Library/Application Support/com.apple.TCC or /Library/Application Support/com.apple.TCC, which are not normally accessible even by root (SIP).

Could this be pre-allowed on the macOS images?

The issue can be reproduced and the authorization request can be triggered using this command:

osascript -e 'tell application "Finder" to set current view of container window to icon view'
FeodorFitsner commented 4 years ago

More information:

Looks like the problem is not solved yet - there is no way to allow app automation with the script and disable this behavior all together.

cfillion commented 3 years ago

I tried solving this again after noticing GitHub Action's current macOS image does not have this issue.

Adding the following command to the build script solves it (tested with both the macos and macos-mojave images):

sqlite3 "$HOME/Library/Application Support/com.apple.TCC/TCC.db" "INSERT INTO access VALUES('kTCCServiceAppleEvents','$(dirname "$0")/appveyor-build-agent',1,1,1,X'fade0c000000002800000001000000080000001469862bbf79a6795b784518beed2ae09bf63e58ef',NULL,0,'com.apple.finder',X'fade0c000000002c00000001000000060000000200000010636f6d2e6170706c652e66696e64657200000003',NULL,1605970638);"

(I got the values above by reading TCC.db after manually authorizing appveyor-build-agent to control Finder using VNC into a running build.)

FeodorFitsner commented 3 years ago

Thanks for sharing. Wondering why it's not working on Big Sur locally.

cfillion commented 3 years ago

It turns out the 6th column (csreq) in TCC.db's access table contains a hash tied to the contents of the appveyor-build-agent binary. Here's an updated snippet which computes the csreq value as per this SO answer, in order to support any version of the build agent.

# compute the code directory hash value for the build agent
AGENT="$(dirname "$0")/appveyor-build-agent"
codesign -D /tmp/agent.sig -s- "$AGENT"
codesign -d -r- -D /tmp/agent.sig "$AGENT" 2>&1 | awk -F ' => ' '/designated/{print $2}' | csreq -r- -b /tmp/csreq.bin
CSREQ="$(xxd -p -c256 /tmp/csreq.bin)"

# authorize control of Finder.app for DMG generation, see appveyor/ci#3216
sqlite3 "$HOME/Library/Application Support/com.apple.TCC/TCC.db" "INSERT INTO access VALUES('kTCCServiceAppleEvents','$AGENT',1,1,1,X'$CSREQ',NULL,0,'com.apple.finder',X'fade0c000000002c00000001000000060000000200000010636f6d2e6170706c652e66696e64657200000003',NULL,strftime('%s', 'now'));"