darktable/inkscape/gimp: unable to access user files, when run via app bundle on big sur or monterey

[mascguy (Christopher Nielsen)]

When running these ports via their respective app bundles, user files are inaccessible on Big Sur or Monterey.

Granting "Full Disk Access" to these apps - via the macOS Security and Privacy settings - makes no discernible difference.

[mascguy (Christopher Nielsen)]

Observers: Currently testing on Big Sur and Monterey, to see what the behavior is.

Assuming there isn't an easy fix, I'll add keywords 'bigsur' and 'monterey' to ticket, for tracking purposes.

[mascguy (Christopher Nielsen)]

Per the following upstream discussion - albeit for 10.15 Catalina - it sounds like changes were made to address this. But perhaps there was a regression, or perhaps it's something related to our app bundle:

​https://github.com/darktable-org/darktable/issues/3107

[mascguy (Christopher Nielsen)]

Interestingly enough - or unsurprisingly, depending on your perspective - this is also an issue for Inkscape.

[JDLH (Jim DeLaHunt)]

I just encountered this error with inkscape @1.2_4+quartz, and inkscape-app @1.2_0 which calls the inkscape port, on macOS 12.4 Monterey. The symptom for me was that when I tried to save a file to ~/Documents or any folder within, Inkscape refused, and display an error message,

Could not read the contents of Documents. Error opening directory '/Users/myuserid/Documents': Operation not permitted. [OK]

I tried using System Preferences… Security & Privacy… Privacy… Full Disk Access to various executables: /Applications/MacPorts/Inkscape.app, /Applications/MacPorts/Inkscape.app/Contents/MacOS/Inkscape, and /opt/local/bin/inkscape. None of these were effective.

What was effective was the workaround suggested by ​​https://github.com/darktable-org/darktable/issues/3107 : 1. Ensure that, in Files and Folders, the Terminal.app has access to locations like "Documents Folder", "Network Volumes", "Desktop". 2. From the Terminal shell, run inkscape. This launches the quartz UI. I am now able to save from Inkscape to within my Documents directory.

[JDLH (Jim DeLaHunt)]

I just tried this same test with the Inkscape.app installed from the .dmg downloaded from upstream, ​https://inkscape.org/release/1.2/mac-os-x/ . The app version I got was 1.2.0 (dc2aeda), for arm64 architecture. When I tried to save a file to ~/Documents, Inkscape had the system ask me to grant it access to the Documents folder, just as is supposed to happen. So I guess this issue is related to how MacPorts packages and delivers Inkscape. We don't yet have evidence that it is a bug in the upstream code.

[mascguy (Christopher Nielsen)]

I ran some experiments in Big Sur and Monterey yesterday, specifically related to adding GateKeeper exceptions for these apps.

The original state -- before making any changes -- is as follows:

$ spctl --assess --verbose /Applications/MacPorts/darktable.app
/Applications/MacPorts/darktable.app: rejected
source=no usable signature

$ spctl --assess --verbose /Applications/MacPorts/Inkscape.app
/Applications/MacPorts/Inkscape.app: rejected
source=no usable signature

That's an expected result, as we're not signing the apps.

Then I added app-specific exceptions for these, and re-checked the assessment results:

$ sudo spctl --add --label "org.macports" /Applications/MacPorts/darktable.app
$ sudo spctl --add --label "org.macports" /Applications/MacPorts/Inkscape.app

$ spctl --assess --verbose /Applications/MacPorts/darktable.app
/Applications/MacPorts/darktable.app: accepted
source=org.macports

$ spctl --assess --verbose /Applications/MacPorts/Inkscape.app
/Applications/MacPorts/Inkscape.app: accepted
source=org.macports

However, even after adding these exceptions - and ensuring the apps are listed in the "Full Disk Access" section of the macOS Security prefpane - file/directory access is still disallowed. (Also tried rebooting afterward - which shouldn't be needed, but figured why not? - but no dice.)