Hello,

I am trying to submit my app for review but iTunes Connect shows me some sandboxing problems: I have an app which contains several CLI binaries in its resource folder. These binaries were built with different IDEs; for example, one is built with Xamarin, others are built as a different Xcode project by different maintainers.

My question: I thought these binaries would inherit the entitlements from the main app when launched from the main app. Would it be sufficient to create an entitlement "com.apple.security.app-sandbox true" for each of these binaries, or do they have to have the complete set of entitlements like network access and so on?

iTunes Connect tells me:

Dear Developer,

We identified one or more issues with a recent delivery for your app, "ezeep Connector for macOS" 12.2.8 (12.2.8). Please correct the following issues, then upload again.

ITMS-90296: App sandbox not enabled - The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/publish/ez.login.eas.mac", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/.thnumod", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnuchk", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnuclnt", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnuclntd", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnuconf", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnucups", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnurdp" )] Refer to App Sandbox page at https://developer.apple.com/devcenter/mac/app-sandbox/ for more information on sandboxing your app.

Best regards,
The App Store Team

regards,
Robert
Hello @eskimo (or whoever can help): our company builds a product which is delivered outside the app store as pkg. It contains a launch daemon which is a .NET build on an external build server and signed. Then the whole pkg is notarized.
The build server is macOS 10.15.7 (Catalina)
On macOS 13.x I can launch the daemon in Terminal without problem, but on Sonoma public beta I get "killed by Signal:9" and in Console I get:
"standard 07:44:53.694349-0700 kernel ASP: Security policy would not allow process: 1377, /Library/PrivilegedHelperTools/com.ThinPrint.TPACCloud/TPACCloud.Service"
This happens on both Intel and Apple CPU VMs.
Besides, when I disable SIP the error does not show up anymore and the binary runs like a charm.
What has changed between macOS 13 and macOS 14?
The binary entitlements:
com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.disable-executable-page-protection
com.apple.security.cs.allow-dyld-environment-variables
com.apple.security.cs.disable-library-validation
The command to code sign:
/usr/bin/codesign --force --options=runtime --timestamp --entitlements "#{absolutePathToEntitlement}" --sign "#{applicationCertname}" "#{tPACCLOUD_ARTEFACTS_X64}/#{item}"
where #{item} are the binaries and .dylibs
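Both posts come down to the same question: which entitlements does each individual executable shipped inside the bundle actually carry? The script below is an added example, not code from either post or from the ezeep/ThinPrint projects. It walks a bundle, finds every Mach-O file by magic number (dotfiles included, since the rejection lists ".thnumod"), asks codesign for the entitlements of each, and reports whether "com.apple.security.app-sandbox" is true and which other Boolean entitlements are enabled, so the ITMS-90296 list and the hardened-runtime keys from the second post can be checked before upload. It assumes macOS with /usr/bin/codesign and the "--entitlements - --xml" output form (macOS 12 and later; on older systems "--entitlements :-" is the equivalent). The sample bundle and sample plist are constructed so the file scan and parsing run anywhere.

```python
"""Audit the entitlements of every Mach-O executable inside a macOS bundle (added example)."""
import os
import plistlib
import subprocess
import sys
import tempfile

SANDBOX_KEY = "com.apple.security.app-sandbox"

# Mach-O magic numbers: thin 32/64-bit in both byte orders, plus the fat header.
# (The fat magic also matches Java .class files; harmless for a packaging audit.)
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC
}

# Constructed sample of the XML codesign prints for a correctly sandboxed helper.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <false/>
</dict>
</plist>
"""


def is_macho(path):
    """True if the file starts with a Mach-O or fat magic number."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_executables(root):
    """Sorted paths of all Mach-O files under root; symlinks are skipped, dotfiles are not."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if not os.path.islink(p) and is_macho(p):
                found.append(p)
    return sorted(found)


def parse_entitlements(plist_bytes):
    """Parse entitlements plist XML into a dict; empty output means no entitlements."""
    if not plist_bytes.strip():
        return {}
    return plistlib.loads(plist_bytes)


def sandboxed(entitlements):
    """The App Store check: the key must be present AND a Boolean true."""
    return entitlements.get(SANDBOX_KEY) is True


def enabled_keys(entitlements):
    """All entitlements set to Boolean true (e.g. the cs.* hardened-runtime keys)."""
    return sorted(k for k, v in entitlements.items() if v is True)


def read_entitlements(path):
    """Fetch entitlements via codesign (macOS only; assumption: --xml form, macOS 12+).
    Returns {} when codesign is absent or the file is unsigned."""
    try:
        out = subprocess.run(["/usr/bin/codesign", "-d", "--entitlements", "-", "--xml", path],
                             capture_output=True, check=False)
    except OSError:
        return {}
    try:
        return parse_entitlements(out.stdout)
    except plistlib.InvalidFileException:
        return {}


def audit(root):
    """Map each executable to its sandbox status and enabled entitlement keys."""
    report = {}
    for exe in find_executables(root):
        ents = read_entitlements(exe)
        report[exe] = {"sandboxed": sandboxed(ents), "enabled": enabled_keys(ents)}
    return report


def build_sample_bundle():
    """Constructed throwaway Resources tree: two fake Mach-O headers (one a dotfile,
    like '.thnumod' in the rejection) and a shell script that must not be reported."""
    root = tempfile.mkdtemp(prefix="sample-bundle-")
    res = os.path.join(root, "Contents", "Resources", "x86_64-darwin")
    os.makedirs(res)
    for name in ("thnuclnt", ".thnumod"):
        with open(os.path.join(res, name), "wb") as f:
            f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)   # MH_CIGAM_64 + zeroed header
    with open(os.path.join(res, "helper.sh"), "wb") as f:
        f.write(b"#!/bin/sh\necho hi\n")
    return root


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_bundle()
    for exe, info in audit(root).items():
        status = "OK     " if info["sandboxed"] else "MISSING"
        print(f"{status} {exe}  {' '.join(info['enabled'])}")
```

Run it as `python3 audit_entitlements.py "/path/to/ezeep Connector.app"` on the built product before packaging; every line marked MISSING corresponds to an executable the ITMS-90296 check will reject. Note that the check is per file: an embedded CLI tool is a separate signed executable with its own entitlements blob, so the script reads each one individually rather than the main app's.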