source/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-02-09 05:19:32 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
fix/state-dir-hardcoded-paths
openclaw/docs/platforms/mac/permissions.md

2.2 KiB
Raw Permalink Blame History

summary, read_when, title
summary read_when title
macOS permission persistence (TCC) and signing requirements
Debugging missing or stuck macOS permission prompts
Packaging or signing the macOS app
Changing bundle IDs or app install paths
macOS Permissions

macOS permissions (TCC)

macOS permission grants are fragile. TCC associates a permission grant with the app's code signature, bundle identifier, and on-disk path. If any of those change, macOS treats the app as new and may drop or hide prompts.

Requirements for stable permissions

  • Same path: run the app from a fixed location (for OpenClaw, dist/OpenClaw.app).
  • Same bundle identifier: changing the bundle ID creates a new permission identity.
  • Signed app: unsigned or ad-hoc signed builds do not persist permissions.
  • Consistent signature: use a real Apple Development or Developer ID certificate so the signature stays stable across rebuilds.

Ad-hoc signatures generate a new identity every build. macOS will forget previous grants, and prompts can disappear entirely until the stale entries are cleared.

Recovery checklist when prompts disappear

  1. Quit the app.
  2. Remove the app entry in System Settings -> Privacy & Security.
  3. Relaunch the app from the same path and re-grant permissions.
  4. If the prompt still does not appear, reset TCC entries with tccutil and try again.
  5. Some permissions only reappear after a full macOS restart.

Example resets (replace bundle ID as needed):

sudo tccutil reset Accessibility bot.molt.mac
sudo tccutil reset ScreenCapture bot.molt.mac
sudo tccutil reset AppleEvents

Files and folders permissions (Desktop/Documents/Downloads)

macOS may also gate Desktop, Documents, and Downloads for terminal/background processes. If file reads or directory listings hang, grant access to the same process context that performs file operations (for example Terminal/iTerm, LaunchAgent-launched app, or SSH process).

Workaround: move files into the OpenClaw workspace (~/.openclaw/workspace) if you want to avoid per-folder grants.

If you are testing permissions, always sign with a real certificate. Ad-hoc builds are only acceptable for quick local runs where permissions do not matter.

Reference in New Issue View Git Blame Copy Permalink