Code signing crash when registering login item

I'm getting a code signing crash when I try to register a helper app as a login item, and I think this is new with macOS 13.4. That is, the crash log contains this:

Exception Type:  EXC_CRASH (SIGKILL (Code Signature Invalid))
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: CODESIGNING 4 Launch Constraint Violation

I'm seeing one suspicious message in the system log:

tccd	Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=com.jwwalker.AutoPairs.uiapp, 
pid=91471, auid=501, euid=501, binary_path=/Applications/AutoPairs 4.0.1a1/AutoPairs4.0.1a1.app/Contents/MacOS/AutoPairs}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=531, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd},

I can't figure out why the OS would think that I need an Apple Events entitlement.

I've looked a the thread Resolving Code Signing Crashes on Launch, but it hasn't enlightened me. One problem I ran into is at the step

certtool d "authorised0.cer"

I get the output

CSSM_CL_CertGetAllFields: CSSMERR_CL_UNKNOWN_FORMAT

Accepted Reply

It looks like your main app (AutoPairs4.0.1a1.app/Contents/MacOS/AutoPairs) is trying to do something with Apple events which has caused the system (appleeventsd) to prompt the user for authorisation (TCC) which is failing because you have the hardened runtime set and no com.apple.security.automation.apple-events entitlement. That normally wouldn’t trigger a crash but rather the Apple event API would return an error.

I can't figure out why the OS would think that I need an Apple Events entitlement.

Indeed. AFAIK none of the login item APIs use Apple events.

What API are you using to register your login item?

Which process is crashing with the launch constraint violation?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Replies

It looks like your main app (AutoPairs4.0.1a1.app/Contents/MacOS/AutoPairs) is trying to do something with Apple events which has caused the system (appleeventsd) to prompt the user for authorisation (TCC) which is failing because you have the hardened runtime set and no com.apple.security.automation.apple-events entitlement. That normally wouldn’t trigger a crash but rather the Apple event API would return an error.

I can't figure out why the OS would think that I need an Apple Events entitlement.

Indeed. AFAIK none of the login item APIs use Apple events.

What API are you using to register your login item?

Which process is crashing with the launch constraint violation?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I failed to mention that I'm getting that message about Apple Event entitlement for both the main app and the helper.

What API are you using to register your login item?

-[SMAppService registerAndReturnError:]

Which process is crashing with the launch constraint violation?

Now that you asked, I took a closer look at the crash report, and saw that what was crashing was the login item from a different build of my product. D'oh! I suppose it's something about the code signing being different. I had an App Store build installed, but for testing an update I was using a notarized build.

Once I removed the old version, the crash stopped happening. However I still see the warning about Apple Events entitlements for both the main app and the login item.

Once I removed the old version, the crash stopped happening.

Cool.

However I still see the warning about Apple Events

I can’t readily explain that. Given that everything is working otherwise, I’m inclined to write it off as log noise.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"