 

macOS Granting full-disk access to sandboxed app not working

I'm experimenting with full-disk access and can't make it work. Here is the list of steps I did:

  1. Sandbox is turned ON. In fact the entitlements file looks like:

         <key>com.apple.security.app-sandbox</key>
         <true/>
         <key>com.apple.security.files.bookmarks.app-scope</key>
         <true/>
         <key>com.apple.security.files.user-selected.read-write</key>
         <true/>

  2. I created an archive of the app and tried to distribute it using both the Developer ID and Development methods
  3. I placed the binary of my app in the /Applications folder
  4. I went to System Preferences -> Security & Privacy -> Privacy -> Full Disk Access and added access to my app in the /Applications folder
  5. Of course I'm NOT attached to the app with Xcode

I'm testing it in Xcode 11 and on Catalina. It's a dummy app that opens an NSOpenPanel to let the user select archives to decompress and tries to decompress them in the same directory.

In fact it's not about NSOpenPanel, the question is:

What is necessary to make a sandboxed app use full-disk access?

Any hints? Am I doing anything wrong?

Asked by Martin Pilch, Oct 23 '19 21:10




1 Answer

Here is a solution found for iTerm2 (it is worth reading how the solution was found). It just adds this to the application plist:

<key>NSSystemAdministrationUsageDescription</key>
<string>I want to read all your files</string>

Documentation is a bit fuzzy.

Sadly this solution doesn't work for launchctld daemons (this is what I need). I think daemons are an exception since they do not see UI at all.

But for regular applications it should work like a charm (didn't test it yet).

Answered by Marek R, Oct 03 '22 15:10
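
An added example, not part of the original question or answer: a small Python check that parses the entitlements as posted in the question and the Info.plist key quoted in the answer, and reports what the bundle declares (sandbox flag, file-access entitlements, usage description). The function names and the embedded samples are constructed for illustration; the script only reads plist data and does not query TCC or decide whether Full Disk Access is granted.

```python
import plistlib

# Keys quoted in the thread above.
SANDBOX = "com.apple.security.app-sandbox"
FILE_PREFIX = "com.apple.security.files."
USAGE_KEY = "NSSystemAdministrationUsageDescription"

PLIST_HEAD = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
PLIST_TAIL = b"</dict></plist>"

# Constructed samples: the fragments exactly as pasted in the question and the answer.
QUESTION_ENTITLEMENTS = b"""
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.files.bookmarks.app-scope</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
"""
ANSWER_INFO_FRAGMENT = b"""
<key>NSSystemAdministrationUsageDescription</key>
<string>I want to read all your files</string>
"""


def load_plist(data: bytes) -> dict:
    """Parse a full plist, or a bare run of <key>/value pairs as pasted in a post."""
    text = data.strip()
    if b"<plist" not in text and not text.startswith(b"bplist"):
        text = PLIST_HEAD + text + PLIST_TAIL  # wrap the fragment so it parses
    parsed = plistlib.loads(text)
    if not isinstance(parsed, dict):
        raise ValueError("top-level plist object is not a dictionary")
    return parsed


def summarize(entitlements: bytes, info_plist: bytes) -> dict:
    """Report the sandbox flag, enabled file entitlements and usage-description key."""
    ent, info = load_plist(entitlements), load_plist(info_plist)
    usage = info.get(USAGE_KEY)
    return {
        "sandboxed": ent.get(SANDBOX) is True,
        "file_entitlements": sorted(
            k for k, v in ent.items() if k.startswith(FILE_PREFIX) and v is True),
        "has_usage_description": isinstance(usage, str) and bool(usage.strip()),
    }


if __name__ == "__main__":
    print(summarize(QUESTION_ENTITLEMENTS, ANSWER_INFO_FRAGMENT))
```

On a real build, feed it the entitlements embedded in the signed binary and the bundle's `Contents/Info.plist` rather than the project files, since the signed copy is what the system evaluates.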