gio-x: notify on macos requests UNAuthorizationOptionCriticalAlert and fails because it requires an Apple-issued entitlement

Attempting to use gioui.org/x/notify on macOS fails both with my own app and in the example gioui/gio-example/notify/example.app app

Looking into this it appears that the notify code requests the ability to raise critical alerts (UNAuthorizationOptionCriticalAlert):


However, this is documented by Apple as requiring a special entitlement to have been issued and signed by Apple for the bundle (https://developer.apple.com/documentation/usernotifications/unauthorizationoptions/unauthorizationoptioncriticalalert)

I don't know if this is a new requirement on macOS Ventura, but it fails with the following output:

% Contents/MacOS/example
2023-07-10 18:08:34.886 example[79016:26540158] Getting application bundle
2023-07-10 18:08:34.886 example[79016:26540158] Bundle ID: org.gioui
2023-07-10 18:08:34.886 example[79016:26540158] Getting notification center
2023-07-10 18:08:40.315 example[79016:26540162] Creating notification
2023-07-10 18:08:40.316 example[79016:26540162] Creating request
2023-07-10 18:08:40.316 example[79016:26540162] Requesting authorization
2023-07-10 18:08:40.316 example[79016:26540165] Granted = false
2023-07-10 18:08:40.316 example[79016:26540165] Error = Error Domain=UNErrorDomain Code=1 "Notifications are not allowed for this application" UserInfo={NSLocalizedFailureReason=UNAuthorizationOptionCriticalAlert requires an entitlement to use, NSLocalizedDescription=Notifications are not allowed for this application}
Assigned to
9 months ago
8 months ago
No labels applied.

~gedw99 8 months ago


The link you have is broken. I this is the right one i guess: https://developer.apple.com/documentation/usernotifications/unauthorizationoptions/unauthorizationoptioncriticalalert

Did you sign the App as part of your build ? https://github.com/gioui/gio-cmd/blob/main/gogio/macosbuild.go#L207C22-L207C33

I did find this:https://lessons.livecode.com/m/4071/l/1293515-entitlements-for-signed-and-notarized-apps#include-the-entitlements-file-when-you-sign-your-app, so maybe we need to modify the GIOUI build cmd to sign the entitlements. Have you checked ?

Also, Plist entitlements for things like Notifications, can be generated thanks the same work being done for DeepLink: https://github.com/gioui/gio-cmd/pull/9

For example on MAC: https://github.com/gioui/gio-cmd/pull/9/files#diff-3cdb5e0038190e34780420eb1c686e074f46f2662163ca7a0b97d046e4d856c4

So we can generate the Plist entitlements for Notifications to match: https://github.com/gioui/gio-example/blob/main/notify/example.app/Contents/Info.plist, rather than hand code per project. This will make things more automated and less error prone.

Once Deeplink PR goes in, the same build automation for Notifications can be done.

BTW there is a golang Notifications sending system here: https://github.com/binwiederhier/ntfy, that is kind os useful It can send notifications, using various means, and the docs are a good resource too: https://docs.ntfy.sh/publish/

~gedw99 8 months ago

nfty golang server docs also document the Notification Profile flow: https://github.com/binwiederhier/ntfy/blob/main/docs/develop.md#apple-setup

"Download the newly created key (should have a file name similar to AuthKey_ZZZZZZ.p8, where ZZZZZZ is the Key ID)"

~dnwe 8 months ago*

Thanks for taking a look. There's a lot of different links there, but I think you may have gone a bit off-piste :)

Yes the app is signed and yes the .plist is correct.

The key bit is that gio-x cannot ask for the UNAuthorizationOptionCriticalAlert entitlement via requestAuthorizationWithOptions unless the user's application has the explicit entitlement:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">

This isn't included in the entitlements generated by gio-cmd: https://github.com/gioui/gio-cmd/blob/4128f253e857270fdc59a4e9a9d4b10f454c2935/gogio/macosbuild.go#L158-L167

However, I personally think gio-x should just omit UNAuthorizationOptionCriticalAlert from its request so no special entitlements are needed. It shouldn't need/want to ignore the user's Do Not Disturb preference

~gedw99 8 months ago

sounds like your way ahead of me - I was learning myself, as i am working on Notifications with that nfty project.

will defer this one to the maintainers as i dont know enough about the best decision for gio.

~whereswaldon 8 months ago

I agree with ~dnwe's assessment. Notify does not need the critical priority for the simple use cases that it targets. I'll remove it.

~whereswaldon REPORTED FIXED 8 months ago

Chris Waldon referenced this ticket in commit 4b62720.

Register here or Log in to comment, or comment via email.