How to get tcc database csreq blob programmatically?

tomf
New Contributor

In macOS, at least in the latest versions, the security permissions of apps are set in the gui of system preferences in the security - privacy section.

To modify them programmatically by script there are two databases:

DATABASE_SYSTEM="/Library/Application Support/com.apple.TCC/TCC.db"

for accessibility settings

DATABASE_USER="/Users/"$USER"/Library/Application Support/com.apple.TCC/TCC.db"

for other app settings and automation (mojave).

Both need to be altered by sqlite3 commands, the system database additionally needs sudo.
If you add an app via gui when it asks for permission (e.g. accessibility) the app gets added including a long string that starts with X'fade0c...'. This string is specified as csreq blob in the database table.

For all systems prior to mojave it was not necessary to know this string of each app when modifying the tcc databases. On mojave I couldn`t get the automation security permissions to work without the csreq blob. This example allows the terminal to make changes to the system preferences.

# working without csreq, but does not show settings in gui of system preferences
sqlite3 "$DATABASE_USER" "REPLACE INTO access VALUES('kTCCServiceAppleEvents','com.apple.Terminal',0,1,1,?,NULL,0,'com.apple.systempreferences',?,NULL,?);"

# NOT working, but shows correct entry in gui of system preferences
sqlite3 "$DATABASE_USER" "REPLACE INTO access VALUES('kTCCServiceAppleEvents','com.apple.Terminal',0,1,1,'UNUSED',NULL,0,'com.apple.systempreferences','UNUSED',NULL,?);"

# working and showing in gui of system preferences with csreq
sqlite3 "$DATABASE_USER" "REPLACE INTO access VALUES('kTCCServiceAppleEvents','com.apple.Terminal',0,1,1,X'fade0c000000003000000001000000060000000200000012636f6d2e6170706c652e5465726d696e616c000000000003',NULL,0,'com.apple.systempreferences',X'fade0c00000000380000000100000006000000020000001b636f6d2e6170706c652e73797374656d707265666572656e6365730000000003',NULL,?);"

For a longer time I`m working on a project for making as much of the system preferences in macos scriptable as possible.

https://github.com/tiiiecherle/osx_install_config

What I came up with regarding this issue is a script including all csreq blobs taken from the tcc database manually.

https://github.com/tiiiecherle/osx_install_config/blob/master/11_system_and_app_preferences/11a_syst...

This works but I couldn`t find out how to get the csreq blob with a command in a script and would appreciate any help.

Thanks in advance

0 REPLIES 0