I have some scripts running on a 10.14 Mojave machine. I don’t have this problem on other Macs, so I don’t know if this is a Mojave-specific issue, or if it’s something else gone wrong on this machine.
But the issue is that every single time I run a script, it makes me explicitly “allow” the script to talk to Finder, then again to System Events.
Run the script 5 seconds later, same thing. Run another script, same thing.
Now if I go into Privacy settings on my Mac, into Automation, I see my scripts with checkboxes next to “Finder” and “System Events”. And they are checked. So shouldn’t I NOT be getting prompted each time? Is there a way to fix this?
If you are talking about a script application, make sure it is code-signed or the script otherwise made read-only. The script editors should code-sign for local use, but you might double-check.
Do your scripts have property commands? Even if you don’t modify them during the script’s run, I believe they get saved after each run, modifying the app. I believe that breaks its identity for the authorization.
Use alternatives instead of property declarations. I think globals are okay, although I rarely use them. If you need to save modified values, use defaults or property list commands to store them outside of the app/script itself.
I’ve never used codesign for my scripts to be able to retain permissions like this, but using a property definitely has caused repeated re-auth dialogs.
A regular AppleScript saves all properties and global variables, including those in the run handler (implied or explicitly declared), in the script itself - the file is actually changed. This is how persistent properties have been implemented historically, but with current OS security models this can run into accessibility permission issues. Modifying an application will essentially discard the permissions associated with it (and/or break any code signing), so the system then sees it as a different application, one that hasn’t been given any permissions.
The script editors in current systems will code sign for local use, but I don’t recall if they do that in Mojave. A quick way to test if this is an issue is to make the application’s script read-only (not run-only). This can be done by using Finder’s Get Info window and changing the privilege to “Read only”.
While you are in the application package, you can check if it has a code signature - in the Contents folder, there will be a _CodeSignature folder if it is code signed. You can also use the codesign utility in the Terminal to show the signature info by using the codesign -dv command followed by a space and an escaped or quoted POSIX path (you can also drag the application file into the Terminal window, which will paste an escaped path after the command).
To code sign, you need a signing certificate. If you have an Apple Developer Certificate you can use that, otherwise you can create an ad-hoc signature using Xcode or the Keychain Access app, although Gatekeeper doesn’t recognize those since there isn’t a way to check the validity (where the certificate came from). Applications signed with self-issued certificates can still be run by having an admin override the Gatekeeper authentication. With a certificate, you can then use something like the codesign utility from the Terminal, for example the command codesign -fs __yourDeveloperIdentity__ followed by a space and an escaped or quoted POSIX path (or dragging the application file into the Terminal window). Like making the script read-only, code signing also keeps the script from being modified.
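The replies above recommend storing persistent values outside the script instead of in a property, so that the script file (and with it its signature and Automation permissions) is never rewritten. As an added example, not code from the thread, here is an AppleScript that keeps a run counter through the defaults command; the preferences domain "com.example.scriptcounter" and key "runCount" are assumed names.

```applescript
-- Added example (not from the thread): a counter that survives between runs without an
-- AppleScript `property`. The value lives in a preferences plist written by the
-- `defaults` tool, so the script file itself is never modified.
-- "com.example.scriptcounter" and "runCount" are assumed names; choose your own.

on readCounter(domainName, keyName)
	try
		set rawValue to do shell script "defaults read " & quoted form of domainName & space & quoted form of keyName
		return rawValue as integer
	on error
		-- defaults read fails when the domain or key does not exist yet
		return 0
	end try
end readCounter

on writeCounter(domainName, keyName, newValue)
	-- -int stores the value as an integer in the plist rather than as text
	do shell script "defaults write " & quoted form of domainName & space & quoted form of keyName & " -int " & newValue
end writeCounter

-- An explicit run handler keeps these variables local to the handler, so nothing
-- here is saved back into the script file after the run.
on run
	set theDomain to "com.example.scriptcounter"
	set theKey to "runCount"
	set runCount to readCounter(theDomain, theKey) + 1
	writeCounter(theDomain, theKey, runCount)
	display dialog "Run number " & runCount & " (stored in ~/Library/Preferences/" & theDomain & ".plist)"
end run
```

After saving this as an application, a Finder Get Info check should show the file unchanged between runs, and the Automation permission you grant should persist.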