4

I made an application that requires users to give permission to accessibility features. It's working as it should when the application is first started and asks for accessibility:

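```c
#include <ApplicationServices/ApplicationServices.h>

// force is expected to be a CFBooleanRef (kCFBooleanTrue shows the system
// prompt); access is declared elsewhere in the application.
const void * keys[] = { kAXTrustedCheckOptionPrompt };
const void * values[] = { force };
CFDictionaryRef options = CFDictionaryCreate(kCFAllocatorDefault,
                                             keys,
                                             values,
                                             sizeof(keys) / sizeof(*keys),
                                             &kCFCopyStringDictionaryKeyCallBacks,
                                             &kCFTypeDictionaryValueCallBacks);

// Returns whether this process is currently trusted for accessibility.
access = AXIsProcessTrustedWithOptions(options);
CFRelease(options);
```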

The problem is, when I release a new version (using Sparkle), accessibility permissions are gone, so users should give permission again. Is that because my code is not signed with an Apple Developer ID? I'm distributing my app outside the App Store.

Julian F. Weinert
sftsz
  • 1
    I noticed you use Sparkle for the updates. I'm not too familiar with it, but suspect it's changing the executable in such a way that some kind of checksum might be changed... Give Sparkle 2 a try. It's still in beta, but that allows sandboxing for example, so it might handle these kinds of cases – Julian F. Weinert Jul 11 '20 at 01:17

1 Answer

7

I don't have a way to test this, but I expect that when the user approves accessibility for the app, it creates an ad-hoc code signature for the app, and uses that signature to recognize the app thereafter. A new version, or even another copy of the same version, won't have the same signature and therefore won't be recognized as the "same" app for accessibility purposes.

Solution: sign the app, and sign subsequent versions with the same code-signing certificate. An Apple-supplied developer ID cert would be good for this (and would also keep Gatekeeper happy), but I think any random code-signing cert would work to allow accessibility to recognize it (provided you always use the same cert).

Gordon Davisson
  • 1
    This is correct and it's documented in [Code Signing Tasks](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html): "[...] a new version of your product, sign it just as you signed the previous version, with the same identifier and the same[...] requirement. The user’s system considers the new version of your product to be the same program as the previous version. For example, Keychain Services does not distinguish older and newer versions of your program as long as both are signed and the unique Identifier remains constant." – TheNextman Jul 10 '20 at 03:11
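
A release check for the point made in the answer and the quoted documentation, added here as an example and not code from the question, the answer or Sparkle: it compares the designated requirement that `codesign -d -r-` reports for the old and the new build and fails when the update would not carry the same signing identity. The script name, the sample requirement strings, the bundle identifier, the team ID and the hashes are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): does an update keep the code
# identity of the previous build? Compares designated requirements (DRs).

# Constructed samples of `codesign -d -r-` output; identifier, team ID and
# hashes are placeholders, not values from any real app.
SAMPLE_SIGNED='designated => identifier "com.example.app" and anchor apple generic and certificate leaf[subject.OU] = "TEAMID0000"'
SAMPLE_ADHOC_V1='# designated => cdhash H"1111111111111111111111111111111111111111"'
SAMPLE_ADHOC_V2='# designated => cdhash H"2222222222222222222222222222222222222222"'

# Keep only the requirement expression: strip the "designated => " label and
# an optional leading "# " in front of it.
normalize_dr() {
    sed -n 's/^#\{0,1\} *designated => //p'
}

# DR of a bundle on disk (macOS only; needs the codesign tool).
designated_requirement() {
    codesign -d -r- "$1" 2>/dev/null | normalize_dr
}

# A DR pinned to a cdhash (ad-hoc signature) is different for every build.
is_cdhash_pinned() {
    case "$1" in
        cdhash\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds only if both builds carry the same certificate-based DR.
update_keeps_identity() {
    old_dr=$1 new_dr=$2
    [ -n "$old_dr" ] && [ -n "$new_dr" ] || return 1
    is_cdhash_pinned "$old_dr" && return 1
    is_cdhash_pinned "$new_dr" && return 1
    [ "$old_dr" = "$new_dr" ]
}

# Usage: ./check_identity.sh Old.app New.app
if [ "$#" -eq 2 ]; then
    old=$(designated_requirement "$1")
    new=$(designated_requirement "$2")
    if update_keeps_identity "$old" "$new"; then
        echo "same identity: $new"
    else
        echo "identity changed: '$old' -> '$new'"
        exit 1
    fi
fi
```

Run before publishing an update, a non-zero exit means the new build would be seen as a different program and users would be asked for accessibility permission again.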