I’ve been wondering, does SD Notary code sign all scripts in a bundle ?

The log for signing my applet says "Signing main file ‘~/Desktop/MyApp - Working/MyApp.app’ …

Is the “main file” the main.scpt file ? If so, does it mean that the other scripts are not signed ?

All the scripts are mentioned in the “_CodeSignature/CodeResources” file but, I’m not sure what that means.

I also have a question on Entitlements. I always leave the various entitlements unticked (e.g. access to Calendar, Audio input, Camera, Photos, Address Book, Location are off). But, the info.plist file in my signed applet includes these permissions:

<key>NSCalendarsUsageDescription</key>
<string>This script needs access to your calendars to run.</string>
<key>NSCameraUsageDescription</key>
<string>This script needs access to your camera to run.</string>
<key>NSPhotoLibraryUsageDescription</key>
<string>This script needs access to your photos to run.</string>
<key>NSMicrophoneUsageDescription</key>
<string>This script needs access to your microphone to run.</string>

There are a whole lot more permissions in the plist e.g. music, HomeKit, reminders, Siri. None of these seem to be controllable.

Thanks.

Scripts don’t need to be signed separately – they’re not executable code. They’re covered as part of /Contents/Resources/.

They’re essentially overruled by notarization.

Actually, they’re all controllable. Choose File -> Bundle & Export Settings…, then click on the Privacy & Security tab. Turn off any you want to stop.

Shane, many thanks.

I can’t use SD8 because I can’t add it to Automation permissions [because SIP is disabled to enable my late 2009 iMac to run Catalina]. So, I’ll just leave things as they are for the time being.

Cheers.