Difference between Script Editor and osascript when using Keychain to send Apple Events to computer on the network

I have two computers, A and B. When I execute this code

on run
	tell application "Safari"
		--do stuff
		tell application "Finder" of machine "eppc://db@air.local"
			display notification "Sample notification." with title "Message Title" subtitle "Message Subtitle" sound name "Frog"
		end tell
	end tell
end run

I get different results depending on how I execute it:

  1. Using Script Editor on B, A displays a notification as expected. The first time I ran the code I think I had to approve that Script Editor used a Keychain item.

  2. Using osascript on B this dialog appears

Even if I enter the password and check Add to keychain this dialog again appears on the next run.

  3. From A I ssh into B and use osascript

Note that as opposed to in (2), the username field is not selected - because it is not editable, nor is the password field. Pretty useless! I can check Add to keychain.

I found the Keychain item I think Script Editor uses and added /usr/bin/osascript to Always allow access to these applications under Access control, but it didn’t change anything. Do I need to add Terminal, zsh, sshd or so too?

One weird thing that happened the first time I ran osascript using ssh was this:

Why does the whole password/Keychain thing behave differently when I use osascript (especially over ssh)? How do I work around this?

This is probably because the “osascript” command is an execution (runtime) environment that is inferior to the Script Editor, in terms of security.

The execution environment of AppleScript is classified into about 3 classes.

1st Tier: Script Editor, Script Debugger
Environment used for development. The least restrictive environment in terms of security.

2nd Tier: script menu, etc.
Apple genuine AppleScript execution program. Many have GUIs.

3rd Tier: Script runner programs
Switch Control, Folder Action, and many 3rd party Script execution environments are in this class. There are many restrictions.

“osascript” is a third-Tier execution environment. There are many features that are not available, such as GUI Scripting. The 2nd class script menu also uses osascript internally, but meets the conditions for various security permissions from macOS.


Interesting. Can I somehow manually specify that a certain script should be allowed to run with higher permissions or so?

Creating a self signed application didn’t change anything.

I ran into the same problem when I was using remote Apple events. To fix it, all I did was add the password to the URL.

on run
	tell application "Safari"
		--do stuff
		tell application "Finder" of machine "eppc://db:password@air.local"
			display notification "Sample notification." with title "Message Title" subtitle "Message Subtitle" sound name "Frog"
		end tell
	end tell
end run

Hmm…I checked each runtime's ability manually and found each little difference.
Most scripters do not care about such an investigation.


Saving passwords in source code is less than ideal. One of the main advantages with Keychain is to avoid that.

Please read the question again. The result is different when running osascript from a local shell or a remote shell.

Interesting and extensive, but nothing that applies to Keychain and remote Apple Events?