Audio Entitlements stopped working seemingly since macOS 14.5

Question

Created Jul ’24

Replies 3

Boosts 0

Participants 2

I have an app that gets successfully notarised with microphone entitlements and everything was working fine (i.e. the app could receive audio input) up to macOS 14.4.1.

Since upgrading to 14.5 it seems that none of the versions that were previously working up to 14.4.1 are working anymore with 14.5 with respect to receiving audio input.

Ive tried using the microphone entitlement as well as the audio-input entitlement.

I should note that im using cmake to build my app through an external git actions CI/CD pipeline and this is the version that no longer seems to be getting the entitlements correctly.

When I build using the latest version of Xcode I can see that the app does seem to be getting the correct entitlements but I cant work out what the difference is.

Is there anything thats changed with respect to entitlements in macOS 14.5?

Should I be using microphone or audio-input entitlements? ( believe one is more for Sandboxed app and the other is for hardened runtime. Is that correct? Note: Im not distributing through the Mac App Store)

Any guidance would be greatly appreciated! 🙏

Answered by DTS Engineer in 798370022

In future, I’d help you if you a code block for listings like this. That makes them much easier to read. See Quinn’s Top Ten DevForums Tips for info on how to set that up.

Anyway, here’s your results reformatted:

% codesign -d --entitlements - -vvv /Applications/AudioMap.app
Executable=/Applications/AudioMap.app/Contents/MacOS/AudioMap
Identifier=com.AudioMap.AudioMap
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=383713 flags=0x10000(runtime) hashes=11980+7 location=embedded Hash type=sha256 size=32
CandidateCDHash sha256=56d4f956b957404261625ddf1a11633475eb70e4
CandidateCDHashFull sha256=56d4f956b957404261625ddf1a11633475eb70e4ee3454082640f96438da77c9
Hash choices=sha256
CMSDigest=56d4f956b957404261625ddf1a11633475eb70e4ee3454082640f96438da77c9
CMSDigestType=2
CDHash=56d4f956b957404261625ddf1a11633475eb70e4
Signature size=9048
Authority=Developer ID Application: Steven Gadeley (83MK4AAT9M)
Authority=Developer ID Certification Authority Authority=Apple Root CA
Timestamp=31 Jul 2024 at 5:41:00 PM
Info.plist entries=12
TeamIdentifier=83MK4AAT9M
Runtime Version=14.5.0
Sealed Resources version=2 rules=13 files=3
Internal requirements count=1 size=184
[Dict]
    [Key] com.apple.security.app-sandbox
    [Value]
        [Bool] true
    [Key] com.apple.security.device.microphone
    [Value]
        [Bool] true
    [Key] com.apple.security.files.user-selected.read-write
    [Value]
        [Bool] true
    [Key] com.apple.security.network.client
    [Value]
        [Bool] true
    [Key] com.apple.security.network.server
        [Value] [Bool] true

Note the presence of the runtime flag, meaning that you’ve enabled the hardened runtime.

Note the presence of the App Sandbox entitlement (com.apple.security.app-sandbox), meaning that you’ve also enabled the App Sandbox.

Given that, you’ll need to enable microphone access in both subsystem, which means applying both com.apple.security.device.audio-input and com.apple.security.device.microphone. You’ve only applied the second one, and that’s the cause (well, a cause :-) of this issue.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

Aug ’24

one is more for Sandboxed app and the other is for hardened runtime. Is that correct?

We have two documentation pages that list the entitlements for each of these technologies:

All of these entitlements an unrestricted, so they don’t need to be authorised by a profile. You just have to sign your app to claim them.

My advice is that you first check what the app is claiming, then work backwards to see where things are going wrong. To do that, run:

% codesign -d --entitlements - -vvv /path/to/your/built.app

What do you see?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

scradeley OP

Aug ’24

sgadeley@Falcon AudioMap % codesign -d --entitlements - -vvv /Applications/AudioMap.app Executable=/Applications/AudioMap.app/Contents/MacOS/AudioMap Identifier=com.AudioMap.AudioMap Format=app bundle with Mach-O thin (arm64) CodeDirectory v=20500 size=383713 flags=0x10000(runtime) hashes=11980+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=56d4f956b957404261625ddf1a11633475eb70e4 CandidateCDHashFull sha256=56d4f956b957404261625ddf1a11633475eb70e4ee3454082640f96438da77c9 Hash choices=sha256 CMSDigest=56d4f956b957404261625ddf1a11633475eb70e4ee3454082640f96438da77c9 CMSDigestType=2 CDHash=56d4f956b957404261625ddf1a11633475eb70e4 Signature size=9048 Authority=Developer ID Application: Steven Gadeley (83MK4AAT9M) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=31 Jul 2024 at 5:41:00 PM Info.plist entries=12 TeamIdentifier=83MK4AAT9M Runtime Version=14.5.0 Sealed Resources version=2 rules=13 files=3 Internal requirements count=1 size=184 [Dict] [Key] com.apple.security.app-sandbox [Value] [Bool] true [Key] com.apple.security.device.microphone [Value] [Bool] true [Key] com.apple.security.files.user-selected.read-write [Value] [Bool] true [Key] com.apple.security.network.client [Value] [Bool] true [Key] com.apple.security.network.server [Value] [Bool] true

0

Answer 3

DTS Engineer OP

Apple

Aug ’24

Recommended

In future, I’d help you if you a code block for listings like this. That makes them much easier to read. See Quinn’s Top Ten DevForums Tips for info on how to set that up.

Anyway, here’s your results reformatted:

% codesign -d --entitlements - -vvv /Applications/AudioMap.app
Executable=/Applications/AudioMap.app/Contents/MacOS/AudioMap
Identifier=com.AudioMap.AudioMap
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=383713 flags=0x10000(runtime) hashes=11980+7 location=embedded Hash type=sha256 size=32
CandidateCDHash sha256=56d4f956b957404261625ddf1a11633475eb70e4
CandidateCDHashFull sha256=56d4f956b957404261625ddf1a11633475eb70e4ee3454082640f96438da77c9
Hash choices=sha256
CMSDigest=56d4f956b957404261625ddf1a11633475eb70e4ee3454082640f96438da77c9
CMSDigestType=2
CDHash=56d4f956b957404261625ddf1a11633475eb70e4
Signature size=9048
Authority=Developer ID Application: Steven Gadeley (83MK4AAT9M)
Authority=Developer ID Certification Authority Authority=Apple Root CA
Timestamp=31 Jul 2024 at 5:41:00 PM
Info.plist entries=12
TeamIdentifier=83MK4AAT9M
Runtime Version=14.5.0
Sealed Resources version=2 rules=13 files=3
Internal requirements count=1 size=184
[Dict]
    [Key] com.apple.security.app-sandbox
    [Value]
        [Bool] true
    [Key] com.apple.security.device.microphone
    [Value]
        [Bool] true
    [Key] com.apple.security.files.user-selected.read-write
    [Value]
        [Bool] true
    [Key] com.apple.security.network.client
    [Value]
        [Bool] true
    [Key] com.apple.security.network.server
        [Value] [Bool] true

Note the presence of the runtime flag, meaning that you’ve enabled the hardened runtime.

Note the presence of the App Sandbox entitlement (com.apple.security.app-sandbox), meaning that you’ve also enabled the App Sandbox.

Given that, you’ll need to enable microphone access in both subsystem, which means applying both com.apple.security.device.audio-input and com.apple.security.device.microphone. You’ve only applied the second one, and that’s the cause (well, a cause :-) of this issue.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0