Cannot access file XYZ via secure bookmark

First of all, I'd like to say that I'm evaluating this software and I really like it so far. I will certainly buy it if I can get this issue resolved.

I found two other topics related to this issue, but following the steps suggested in those topics didn't resolve the problem for me.

I'm using a MacBook Pro 2021 with macOS 12.1.

When opening an mp3 file from the ~/Downloads folder everything works just fine. But when I move that file to the other folder, which is also located on the internal drive (APFS), I'm getting the following error:

Cannot access file "/System/Volumes/Data/Data/Audio/myfile.mp3" via secure bookmark

To my understanding the "Data" here represents a separate volume mounted on "/System/Volumes/Data", whereas the Downloads folder would be located on the root volume (under /Users). I have to admit that I'm not confident about that volume structure and I'm not an expert in APFS, but this is what I deduce from the "df" mount points overview, which was in turn created by the migration assistant while migrating from an older system.

When running the following command from the target ("Audio") folder I get an empty list:

$ defaults read app.mp3tag.Mp3tag SecurityScopedBookmarks
{
}

I tried opening the file and the whole folder via Cmd+O, but that didn't create any new SecurityScopedBookmarks records. I also tried deleting the SecurityScopedBookmarks property, but that didn't change anything either (I'm not getting any new SecurityScopedBookmarks records created after reopening the program).

Here is what I get in the console log:

error	14:00:31.915978-0500	Mp3tag	Found NO secure bookmark for file:///System/Volumes/Data/Data/Audio/myfile.mp3
error	14:00:31.916147-0500	Mp3tag	cannot open file at line 45340 of [d24547a13b]
error	14:00:31.916162-0500	Mp3tag	os_unix.c:45340: (2) open(/var/db/DetachedSignatures) - No such file or directory
default	14:00:31.933624-0500	Mp3tag	Created secure bookmark for file:///System/Volumes/Data/Data/Audio/myfile.mp3
error	14:00:31.935468-0500	Mp3tag	Error resolving secure bookmark: Error Domain=NSCocoaErrorDomain Code=256 "Couldn't issue sandbox extension for the resolved URL" UserInfo={NSDebugDescription=Couldn't issue sandbox extension for the resolved URL}
error	14:00:31.936883-0500	Mp3tag	Error resolving secure bookmark: Error Domain=NSCocoaErrorDomain Code=256 "Couldn't issue sandbox extension for the resolved URL" UserInfo={NSDebugDescription=Couldn't issue sandbox extension for the resolved URL}
default	14:00:31.942651-0500	Mp3tag	Adding presenter 740445AD-2A81-4789-B029-AFF9BA827359 for URL: <private>
error	14:00:37.755390-0500	Mp3tag	Found NO secure bookmark for file:///System/Volumes/Data/Data/Audio/myfile.mp3
default	14:00:37.759129-0500	Mp3tag	Created secure bookmark for file:///System/Volumes/Data/Data/Audio/myfile.mp3
error	14:00:37.762571-0500	Mp3tag	Error resolving secure bookmark: Error Domain=NSCocoaErrorDomain Code=256 "Couldn't issue sandbox extension for the resolved URL" UserInfo={NSDebugDescription=Couldn't issue sandbox extension for the resolved URL}
error	14:00:37.766413-0500	Mp3tag	Error resolving secure bookmark: Error Domain=NSCocoaErrorDomain Code=256 "Couldn't issue sandbox extension for the resolved URL" UserInfo={NSDebugDescription=Couldn't issue sandbox extension for the resolved URL}
default	14:00:37.766490-0500	Mp3tag	Cannot access write file file:///System/Volumes/Data/Data/Audio/myfile.mp3 via secure bookmark
error	14:00:37.772293-0500	Mp3tag	Cannot access file "/System/Volumes/Data/Data/Audio/myfile.mp3" via secure bookmark (accessDenied(file:///System/Volumes/Data/Data/Audio/myfile.mp3))

Thanks for your help.

Did you have a look at this thread and carry out the solution there?

Yes, I tried all those steps, I believe I mentioned that already.

Thanks for the detailed documentation of the steps you've already taken and for providing the corresponding log entries.

It seems like Mp3tag cannot obtain any secure bookmarks for the file location and also cannot write to the settings. Are other preferences stored persistently, e.g., when changing something at Preferences → General and restarting the app?

This certainly looks like a broader issue. However, if everything else is working fine on your Mac, I assume that it's local to Mp3tag.

Are you using the latest Mp3tag for Mac from Download – Mp3tag: the universal Tag Editor for Mac, or did you obtain it from a different source?

Thank you for getting back to me.

I tried changing the "File List" Preferences, like it was suggested in another ticket, and it worked: after restarting the application the change was saved as expected.

Just like you mentioned, Mp3tag is the only application affected by this issue.

I'm using Mp3tag version 1.3.2 (54) in trial mode, downloaded (yesterday) from the "mp3tag.app" web site (as opposed to the App Store).

Thanks for confirming the correct version and source of the app download.

Can you check if you see any errors from sandboxd around the Mp3tag errors in console log?

I don't see any messages from sandboxd, however there are some messages with the Sandbox keyword, for example:

Sandbox: com.apple.WebKit(40935) deny(1) mach-lookup com.apple.diagnosticd

There are also two identical messages from ScopedBookmarkAgent right next to the Mp3tag messages, which seem relevant:

sandbox_extension_issue_file error: [1: Operation not permitted]

I've done some more experiments and tried to create the environment which produces the error. It seems that I cannot create any additional Data folder at /System/Volumes/Data/ due to what is called SIP or System Integrity Protection on macOS (starting from Catalina).

However, doing so as root user via

cd /System/Volumes/Data/
sudo mkdir -p Data/Audio

did work and I've copied some example files (also as root user). Trying to write to those files from within Mp3tag produced a permission denied error. I've changed the owner to my local username and group via

sudo chown -R florian:staff Data/Audio

and was able to reproduce the error you're getting. It really seems to be the macOS sandbox preventing access to files stored at this location — I can create secure bookmarks, but I'm not able to resolve them back to a file URL, resulting in the errors you've posted initially.

This is only meant as an update. I'll continue investigating this and keep you posted.

Thank you for the update. I would like to emphasize that /System/Volumes/Data/ is not just a regular folder, it's a mount point:

df | grep disk3s5
/dev/disk3s5 1942700360 1228210360 678836128 65% 4322676 3394180640 0% /System/Volumes/Data

And here are the permissions:

$ pwd
/System/Volumes

$ ls -l | grep Data
drwxr-xr-x@ 21 root wheel 672 Dec 15 00:46 Data

Yes, it's also a mounted APFS volume on my system and contains, e.g., the Users folder where access to files works without problem. What doesn't seem to work as intended is access to files in folders at /System/Volumes/Data/ other than Users, e.g., Data/Audio as per your example.

I've now posted a corresponding question on the Apple Developer Forums with the hope to get some input to the nature and cause of this issue: Error `sandbox_extension_issue_fil… | Apple Developer Forums

Thank you very much. As part of the troubleshooting, may I suggest adding the necessary records to the defaults manually? Just to confirm that fixing/working around the path resolution issue would actually fix the problem.

The data to store there cannot be constructed manually, it's binary data that is provided by the macOS ScopedBookmarkAgent and can only be obtained via opening files or folders via an Open/Save panel or drag and drop.

I've also posted this on Twitter and one response suggested to just move the folder to your User's folder. It doesn't resolve the original problem, but would certainly work around the issue.

Is it correct to assume that ScopedBookmarkAgent should display a pop-up window asking for the user's confirmation providing the application access to that specific folder? I have never got such requests from any applications except for the access to folders inside the home folder, like "Desktop", "Downloads", etc.

I'm just confused because I never had this kind of problem with any other applications. For example, I previously used MusicBrainz Picard for mp3 tagging and I was always able to access this specific folder. I started looking for alternative software because I want something that works with Apple silicon natively.

No, it's usually done transparently by Mp3tag itself by creating the bookmarks for folders that are either opened via an Open Panel or by drag and drop. In both ways, macOS provides secure access to the app because it ensures that the user intended to access the files through this app.

One exception is when the user only opens or drags files (not folders) and later wants to rename the files, because renaming files requires secure access to the parent folder. In this instance, Mp3tag asks for secure access by showing an open panel with a short explanation.

MusicBrainz Picard doesn't use the macOS sandbox system. This is only required for apps distributed via the Mac App Store (which Mp3tag is). Other apps might employ specific workarounds for the issue you're having and I've spent the past week finding one of those.

I've now created a beta version which potentially allows for editing the files in this special folder and I'll send a link to this version shortly via PM. Please let me know how it goes.
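Added example, not part of the thread and not Mp3tag's own code: the two steps discussed above, creating a security-scoped bookmark and later resolving it, written against Foundation's bookmark APIs in Swift. The defaults key `ExampleSecurityScopedBookmarks` and the names `storeBookmark`, `withScopedAccess` and `BookmarkAccessError` are hypothetical; the resolve step is where an error such as the `Code=256` one in the log above would surface.

```swift
import Foundation

// Hypothetical defaults key for this example (not the key Mp3tag uses).
let bookmarksKey = "ExampleSecurityScopedBookmarks"

enum BookmarkAccessError: Error {
    case noBookmark(URL)
    case resolveFailed(URL, underlying: Error)   // e.g. NSCocoaErrorDomain Code=256
    case accessDenied(URL)
}

/// Call with a URL the user picked in an Open panel or dropped on the app.
/// In a sandboxed app, that user action is what grants access to the URL.
func storeBookmark(for url: URL, defaults: UserDefaults = .standard) throws {
    let data = try url.bookmarkData(options: .withSecurityScope,
                                    includingResourceValuesForKeys: nil,
                                    relativeTo: nil)
    var stored = defaults.dictionary(forKey: bookmarksKey) ?? [:]
    stored[url.path] = data          // opaque binary blob, cannot be hand-written
    defaults.set(stored, forKey: bookmarksKey)
}

/// Resolves the stored bookmark and runs `body` while scoped access is held.
func withScopedAccess<T>(to url: URL, defaults: UserDefaults = .standard,
                         _ body: (URL) throws -> T) throws -> T {
    guard let data = defaults.dictionary(forKey: bookmarksKey)?[url.path] as? Data else {
        throw BookmarkAccessError.noBookmark(url)
    }
    var isStale = false
    let resolved: URL
    do {
        resolved = try URL(resolvingBookmarkData: data, options: .withSecurityScope,
                           relativeTo: nil, bookmarkDataIsStale: &isStale)
    } catch {
        // Creation succeeded earlier, but resolving back to a usable URL failed.
        throw BookmarkAccessError.resolveFailed(url, underlying: error)
    }
    guard resolved.startAccessingSecurityScopedResource() else {
        throw BookmarkAccessError.accessDenied(resolved)
    }
    // Always balance start/stop so the sandbox extension is released.
    defer { resolved.stopAccessingSecurityScopedResource() }
    // Refresh a stale bookmark while access is still held.
    if isStale { try? storeBookmark(for: resolved, defaults: defaults) }
    return try body(resolved)
}
```

Keeping creation and resolution as separate failure cases makes it possible to tell a missing bookmark apart from one that exists but cannot be turned back into an accessible URL.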

Thank you for explaining the nature of this problem, I really appreciate it. And I should confirm that I prefer to purchase software directly from the manufacturer rather than via App Store (where possible), so it is absolutely possible that non-AppStore versions that I install do not use the sandbox system (I remember I've seen this information somewhere already that AppStore versions are slightly different).

And the good news is, I tested the beta version and it worked as expected! Thank you so much! I'm planning to make my purchase a bit later today. Do you think this update will be released any time soon?

Excellent! Happy it's working now.

I hope to release an official version including the workaround by the end of the month (at the latest) and you can use the beta till then. This way, you can be sure it's working for you and you don't need to hurry.

Thanks for your patience!

Thank you for your support, much appreciated. I purchased my license and will be looking forward to the official release. Please close this ticket.

Many thanks for your patience and for supporting my work!