A dialog appears on each installation to allow App Sandbox Data Container access since macOS 14 Sonoma #54

Closed
mtgto opened this issue Oct 14, 2023 · 1 comment

Comments

@mtgto
Owner

mtgto commented Oct 14, 2023

Description

Since macOS 14 Sonoma, Installer shows a dialog when you choose to install "SKK-JISYO.L" to the App Sandbox Data Container.

It seems to be related to the App Sandbox changes in macOS Sonoma.
https://developer.apple.com/documentation/security/app_sandbox/accessing_files_from_the_macos_app_sandbox

Investigation

The pkg is signed with the same Team ID, W3A6B7FDC7.

```
pkgutil --check-signature /Volumes/macSKK/macSKK-0.9.1.pkg
Package "macSKK-0.9.1.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Signed with a trusted timestamp on: 2023-10-08 01:11:41 +0000
   Certificate Chain:
    1. Developer ID Installer: Satoshi Gotou (W3A6B7FDC7)
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           4B 04 F9 16 DA 30 68 EC 00 BC 5B B5 F6 E2 C4 88 FC 22 A3 F7 F3 1B
           A1 A5 06 B7 54 27 01 0B 37 12
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
           F2 9C 88 CF B0 B1 BA 63 58 7F
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
           68 C5 BE 91 B5 A1 10 01 F0 24
```

```
codesign -dvv ~/Library/Input\ Methods/macSKK.app
Executable=/Users/user/Library/Input Methods/macSKK.app/Contents/MacOS/macSKK
Identifier=net.mtgto.inputmethod.macSKK
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=5128 flags=0x10000(runtime) hashes=149+7 location=embedded
Signature size=9046
Authority=Developer ID Application: Satoshi Gotou (W3A6B7FDC7)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Oct 8, 2023 at 10:11:39
Info.plist entries=34
TeamIdentifier=W3A6B7FDC7
Runtime Version=14.0.0
Sealed Resources version=2 rules=13 files=7
Internal requirements count=1 size=220
```

Perhaps the reason is that /System/Library/CoreServices/Installer.app does not have write permission to the sandbox of macSKK…?

@mtgto
Owner Author

mtgto commented Nov 3, 2023

It seems to happen only in the developer environment.
rel. https://developer.apple.com/forums/thread/739602

How to reproduce

  1. Build an ad-hoc signed app (choose "Sign to Run Locally" in Xcode) and launch it
  2. The app shows the dialog "“macSKK” is from an unidentified developer and differs from previously opened versions. Are you sure you want to open it?" after accessing the App Container (?)
  3. Choose "Open Anyway"; it changes the owner of the App Container (?)
  4. Open the pkg via Installer.app; it shows the dialog "“Installer” would like to access data from other apps."

To avoid the dialog, use a common Team ID certificate for the development and release apps.
This does not get along with OSS, because collaborators do not have my Team ID certificate in the common case...

@mtgto mtgto closed this as completed Nov 3, 2023
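
The Team ID comparison from the investigation above, as an added example that is not part of the original issue or the macSKK project: it parses text in the format printed by `codesign -dvv` and `pkgutil --check-signature` and reports whether the installed app is an ad-hoc build or carries the same Team ID as the pkg. The function names and the ad-hoc sample are constructed here; `Signature=adhoc` with `TeamIdentifier=not set` is what `codesign` reports for ad-hoc signed code.

```shell
#!/bin/sh
# Added example (not from the macSKK project). Function names are hypothetical.
# On macOS, feed real output:  codesign -dvv "$APP" 2>&1 | app_team_id
#                              pkgutil --check-signature "$PKG" | pkg_team_id

# Team ID from `codesign -dvv` text on stdin; "adhoc" for an ad-hoc signature.
app_team_id() {
    awk -F= '
        $1 == "Signature" && $2 == "adhoc" { adhoc = 1 }
        $1 == "TeamIdentifier"             { team = $2 }
        END { if (adhoc || team == "not set") print "adhoc"; else print team }'
}

# Team ID from the first (leaf) certificate in `pkgutil --check-signature` text.
pkg_team_id() {
    sed -n 's/^ *1\. .*(\([A-Z0-9]\{10\}\)) *$/\1/p' | head -n 1
}

# $1 = app Team ID, $2 = pkg Team ID. Prints a one-word verdict.
verdict() {
    if [ -n "$1" ] && [ "$1" != "adhoc" ] && [ "$1" = "$2" ]; then
        echo "match"
    elif [ "$1" = "adhoc" ]; then
        echo "adhoc-build-installed"   # the case reproduced in this issue
    else
        echo "mismatch"
    fi
}

# Lines copied from the output quoted in this issue.
PKG_SIG='   Certificate Chain:
    1. Developer ID Installer: Satoshi Gotou (W3A6B7FDC7)
    2. Developer ID Certification Authority'
RELEASE_APP='Identifier=net.mtgto.inputmethod.macSKK
Authority=Developer ID Application: Satoshi Gotou (W3A6B7FDC7)
TeamIdentifier=W3A6B7FDC7'
# Constructed sample: what an ad-hoc ("Sign to Run Locally") build reports.
ADHOC_APP='Identifier=net.mtgto.inputmethod.macSKK
Signature=adhoc
TeamIdentifier=not set'

pkg_id=$(printf '%s\n' "$PKG_SIG" | pkg_team_id)
for sample in "$RELEASE_APP" "$ADHOC_APP"; do
    app_id=$(printf '%s\n' "$sample" | app_team_id)
    echo "app=$app_id pkg=$pkg_id -> $(verdict "$app_id" "$pkg_id")"
done
```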