Ventura - not authorised to send apple events to Music

Apologies, you are correct. I didn’t fact in the OCLP did not yet need to factor in M1 chips.
Thanks for testing, appreciate it.

@MrCee I came across this thread after experiencing the same kind of problem with SD8 on Mojave 10.14.6. No way to send AppleEvents to any new application that I haven’t already authorised. Instant error message and no popup to accept or not the control by Script Debugger of any application.
I hadn’t thought that OCLP might be the problem. My MacBookPro 11,1 is booted from an external SSD running Mojave (natively supported), but it’s true that I’ve installed Ventura (successive updates up to 13.3) with OCLP (successive updates up to 0.6.2) on the internal SSD.

I don’t have any machine that natively supports Ventura. For the first versions of Ventura, even with OCLP, there was no problem. With another MacBookPro 11,1 less up to date (Ventura 13.0.1 and OCLP 0.5.1), I could see the authorization popup working normally. Combined with @TimothyMurphy 's post reporting the problem on Monterey, this shows that the problem is with recent versions of OCLP and not macOS. I don’t pretend to understand all the subtleties or implications of OCLP, especially on a system that doesn’t rely on it to work.

However, I have an acceptable workaround. The problem seems to lie solely in the fact that the authorisation popup is no longer triggered for SD. No problem for previously accepted authorisations, which appear correctly in Privacy & Security >>> Automation, and where it is then possible to (de)activate them.

After some research, I learned that the database managing these permissions is this one: ~/Library/Application Support/com.Apple.TCC/TCC.db This is a Sqlite database (which I use a lot in my projects thanks to Shane’s excellent SQLite Lib2). You can create authorisations “by hand” (which is still acceptable as you only have to do it once) by editing the database directly. I use SQLiteStudio but any other editor or even the command line seem perfectly possible. The idea is to trigger the initial control authorisation request by an application other than SD, where popup request shows correctly.

I had a recent need to automate Excel, and chose to go directly through the terminal with a simple command osascript -e 'tell application "Microsoft Excel" to make new document'. After accepting control of Excel via Terminal, I went to the 'access' table in database to investigate the information that would be useful.

Search for rows with value 'kTCCServiceAppleEvents' in the 'service' column. 'client' is the controlling application and 'indirect_object_identifier' is the controlled application. 'csreq' and 'indirect_object_code_identity' are a kind of BLOB fingerprint corresponding to each of the two applications respectively.

I simply duplicated an existing authorisation line for 'com.latenightsw.ScriptDebugger8', replacing the values for 'indirect_object_identifier' and 'indirect_object_code_identity' with those corresponding to Excel in the line 'com.apple.Terminal'. And ensure that the value 'allowed' is 1

Much more detail and technical information (which I didn’t go into because a quick copy and paste was all I needed) here: bash - How to get csreq of macOS application on command line? - Stack Overflow

I hope this helps.

2 Likes

I’m having a similar problem on a new M2 Max 16" with Ventura 13.4. I have Script Debugger listed for Full Disk Access and Accessibility in System Settings, but every time I open Script Debugger, it throws up the alert that I need to grant it Full Disk Access.

I’ve tried removing it and re-adding it to the list, but it hasn’t solved anything. Having trouble compiling anything that uses PrefsStorageLib and I’m unclear if that’s related.

1 Like

A solution that worked for me is here (but add a forward slash between Library and Safari in the first string):

How about adding Script Debugger in “System Preferences → Security & Privacy → Input Monitoring”?

@hongxunming - although this didn’t work for me as is, It was not something I had tried previously. I appreciate the suggestion.
@arnaud This is exactly what I was hoping for, I’m testing it now and will get back to this post.

The problem I encountered was that I granted Accessibility permissions to Script Editor, but it became invalid after a while, and I had to re-authorize it. I tried the following method, and now the system is back to normal.

Open the terminal software on your MacBook, and enter the command to reset Accessibility permissions: “sudo tccutil reset Accessibility”

You can give it a try. Please note:
#1. It is best to take a picture to save the content in Accessibility because all settings will be cleared.
#2. Your computer will crash after executing this command, you need to hold down the power button to shut down and then restart.
#3. After the computer starts, you need to re-authorize the permissions in Accessibility.

SELECT service,
       client,
       client_type,
       auth_value,
       auth_reason,
       auth_version,
       csreq,
       policy_id,
       indirect_object_identifier_type,
       indirect_object_identifier,
       indirect_object_code_identity,
       flags,
       last_modified
FROM access
WHERE service = 'kTCCServiceAppleEvents'
ORDER BY client ASC;

I have been working with this in a few different ways and using some methods that you have outlined have enabled apps and scripts for the first time in the Ventura System Settings >>> Privacy & Security >>> Automation. I would like to clarify here for anyone else stuck in my situation; I was only able to achieve this by modifying the ~/Library/Application Support/com.Apple.TCC/TCC.db using CLI sqlite3 / SQLiteStudio (the latter much easier if you are testing)

I did take a quick shortcut by using a similar command: osascript -e 'tell application "Script Debugger" to make new document' without using Excel as the go-to app for obtaining said blobs from the database I have been working with tonight.
It’s added nicely. At this stage, after a few hours of trying, I still cannot find a way to enable Script Debugger to work with Apple Events, which are then sent to Music.app.

I believe I have added everything I can to Privacy & Security >>> Automation (Music.app, Script Debugger, actual Apple.scpt file also), but I’m sure I’m missing something.

What I can tell you is that MacOS native Script Editor shows as this in the database if we were to convert to .app:

service kTCCServiceAppleEvents
client com.apple.ScriptEditor.id.MYSCRIPTNAME
client_type 0
auth_value 2
auth_reason 3
auth_version 1
csreq ��
policy_id
indirect_object_identifier_type 0
indirect_object_identifier com.apple.Music
indirect_object_code_identity ��
flags
last_modified 1688852179

Now towards the end of my script (converted to an app) towards the end I invoke System events. So we also have a new entry:

service kTCCServiceAppleEvents
client com.apple.ScriptEditor.id.MYSCRIPTNAME
client_type 0
auth_value 2
auth_reason 3
auth_version 1
csreq ��
policy_id
indirect_object_identifier_type 0
indirect_object_identifier com.apple.systemevents
indirect_object_code_identity ��
flags
last_modified 1688852580

In this one example which may help all of us understand more (I’m hoping)… Does anyone have a further suggestion? I’ll be able to test more tomorrow.

@arnaud Thanks very much for your suggestion.

Everything now works perfectly by running this simple workaround code once:

#!/bin/zsh

osascript -e 'tell application "Script Debugger" to make new document'

# Replace client: com.apple.Terminal with com.latenightsw.ScriptDebugger8
# Replace indirect_object_identifier: com.latenightsw.ScriptDebugger8 with com.apple.Music
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db "UPDATE access SET client = 'com.latenightsw.ScriptDebugger8', indirect_object_identifier = 'com.apple.Music' WHERE service = 'kTCCServiceAppleEvents' AND client = 'com.apple.Terminal' AND indirect_object_identifier = 'com.latenightsw.ScriptDebugger8'"

I’d be interested if this also works for anyone else?

Okay, happy to say this is done in zsh and ~/Library/Application Support/com.Apple.TCC/TCC.db using sqlite3 is updated exactly as it would normally be by MacOS should a pop-up occur.

#!/bin/zsh

# CHANGE APP PATHS HERE:    (Specify the app paths for generating blobs)
client_app_path="/Applications/Script Debugger.app"
indirect_app_path="/System/Applications/Music.app"
#______________ thats all that needs to be edited_________________________________

# Handle tilde in paths 
client_app_path=${client_app_path/#\~/$HOME}
indirect_app_path=${indirect_app_path/#\~/$HOME}

# Generate csreq blobs for the client
REQ_STR=$(codesign -d -r- "$client_app_path" 2>&1 | awk -F ' => ' '/designated/{print $2}')
echo "$REQ_STR" | csreq -r- -b /tmp/csreq.bin
csreq_hex=$(xxd -p /tmp/csreq.bin | tr -d '\n')

# Generate csreq blobs for the indirect object
REQ_STR=$(codesign -d -r- "$indirect_app_path" 2>&1 | awk -F ' => ' '/designated/{print $2}')
echo "$REQ_STR" | csreq -r- -b /tmp/indirect.bin
indirect_hex=$(xxd -p /tmp/indirect.bin | tr -d '\n')

# Variables
service="kTCCServiceAppleEvents"
client=$(mdls -name kMDItemCFBundleIdentifier -r "$client_app_path")
client_type="0"
auth_value="2"
auth_reason="3"
auth_version="1"
policy_id=""
indirect_object_identifier_type="0"
indirect_object_identifier=$(mdls -name kMDItemCFBundleIdentifier -r "$indirect_app_path")

# Update TCC.db
sqlite3 ~/Library/Application\ Support/com.apple.TCC/TCC.db <<EOF
INSERT OR REPLACE INTO access (service, client, client_type, auth_value, auth_reason, auth_version, csreq, policy_id, indirect_object_identifier_type, indirect_object_identifier, indirect_object_code_identity, flags)
VALUES ("$service", "$client", "$client_type", "$auth_value", "$auth_reason", "$auth_version", x'$csreq_hex', "$policy_id", "$indirect_object_identifier_type", "$indirect_object_identifier", x'$indirect_hex', "");
EOF

# Restart the application using AppleScript
osascript -e "tell application id \"$indirect_object_identifier\" to quit"
sleep 1
osascript -e "tell application id \"$indirect_object_identifier\" to activate"
1 Like

I substituted com.apple.Music with com.apple.Numbers
I got the error message on Terminal:
–Error: in prepare, near “kTCCServiceAppleEvents”: syntax error (1)

I also keep on getting the request from SD to enable universal disk access, despite the fact that it has already been enabled. I guess this is what is creating the problems sending apple events whether to Numbers, Keynote, Mail, Music etc.

The annoying thing is that it all works just fine in Script Editor - the problem with me is not that I can’t use my scripts, but that I can’t do it with SD and therefore can’t use the additional enhancements and frameworks that SD provides and that I paid for.

Fixed the issue.
Here is the fix and its easy if you are running anything below Ventura.

Open OCLP application, select Settings then Security. Uncheck “Disable AMFI” then build and install Open Core application again. Reboot.

If you were running Late Night Software’s Script Debugger (me, v 8.0) and were having problems sending Apple Events to Numbers, Keynote, Music etc. this is now also fixed. You need to run a simple script for each application (eg Tell application “Numbers/Keynote/Pages/Finder/System events etc; set aList to name of every document; end tell”
You will get a prompt each time you run one of these simple scripts asking if you want to grant access to Numbers, Keynote Pages etc. accept and the scripts will run. You only need to do this once.

If you were running Logi Options+ for your mouse or keyboard and were suffering from the Bluetooth permissioning idiocy which prevented the application from launching (and therefore customising your mouse and keyboard) this problem will now disappear if you launch Logi Options+ - While similar to the SD message issue with granting Full Disk Access, it is maybe a different issue. I fixed this based on suggestions in that thread, but the SD error sending Apple Events remained as did the Logi Options + Bluetooth permissioning block.

You can then upgrade OCLP if you want and reboot. Both LogiOptions and SD will work fine.

AMFI is Apple Mobile File Integrity and is a part of MacOS that handlers entitlements, code signing etc. by default it is disabled when OCLP is installed. If your OS is running fine, apart from problems like the above, then disabling this should not create any problems - this is fine for Monterey but not Ventura.

And if you are on Ventura, Here is the fix for AMFI.kext

AMFI

Hope this helps

1 Like

Thanks Lucky…all the best!

For those not familiar with OCLP - Open Core Legacy Patcher- this is an open source (very well developed and stable) system patch that allows say a 2012 MacBook Pro “unsupported MacBook” in AppleSpeak, that would be capped at Mac OS Catalina, to run the latest OS version and all applications.
The only issue I found were the two above which seemed obscure, but which are easily understood and fixed. There is very good support via their Discord server.