Post

Replies

Boosts

Views

Activity

Mac App Store embedded application fails basic networking (loading a public website)
As a followup to this question...

I have a parent app and an embedded child app. This child does nothing but open a WKWebView to a public URL as a test case.

In development I have the debug entitlements for Child.app to include:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.network.client</key>
        <true/>
</dict>
</plist>
```

Building and running Child.app does as expected (opens a view and displays a public website).

Embedding this Child.app I have the entitlements set in Release as:

```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.inherit</key>
        <true/>
</dict>
</plist>
```

The parent app that embeds Child.app has these entitlements:

```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
                <string>packet-tunnel-provider</string>
        </array>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.application-groups</key>
        <array>
                <string>group.com.foo</string>
        </array>
        <key>com.apple.security.automation.apple-events</key>
        <true/>
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
        <key>com.apple.security.cs.disable-library-validation</key>
        <true/>
        <key>com.apple.security.device.audio-input</key>
        <true/>
        <key>com.apple.security.device.bluetooth</key>
        <true/>
        <key>com.apple.security.device.camera</key>
        <true/>
        <key>com.apple.security.network.client</key>
        <true/>
        <key>com.apple.security.network.server</key>
        <true/>
</dict>
</plist>
```

My understanding is that Child.app would inherit all of these entitlements and thus be able to open a website.

When I dump the entitlements of what gets installed via TestFlight I can confirm the entitlements are as I expect:

```
Executable=/Applications/Foo One.app/Contents/MacOS/Child.app/Contents/MacOS/Child
Warning: Specifying ':' in the path is deprecated and will not work in a future release
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>beta-reports-active</key><true/><key>com.apple.application-identifier</key><string>367***NY2.com.foo.Child</string><key>com.apple.developer.team-identifier</key><string>367***NY2</string><key>com.apple.security.app-sandbox</key><true/><key>com.apple.security.inherit</key><true/></dict>
```

I watch Console to see if anything jumps out at me but I don't see any errors yet Child.app displays a blank WKWebView and never even seems to try to connect to the URL.
Replies: 1 | Boosts: 0 | Views: 1.1k | Activity: Jul ’22
ITMS-90286: Invalid Code Signing Entitlements but the application-identifier is exactly what it should be
I have an app that I'm building and signing and deploying for the Mac App Store. I received an email that there were problems with the deployment that make no sense to me.

```
ITMS-90286: Invalid Code Signing Entitlements - Your application bundle's signature contains code signing entitlements that are not supported on macOS. Specifically, value '367****Y2.com.foo.foo-one.electron' for key 'com.apple.application-identifier' in 'Foo One.app/Contents/MacOS/Foo.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libEGL.dylib' is not supported. This value should be a string starting with your TEAMID, followed by a dot '.', followed by the bundle identifier .
```

Say what now?

"This value should be a string starting with your TEAMID, followed by a dot '.', followed by the bundle identifier ."

But that is exactly what it is set to: `367****Y2.com.foo.foo-one.electron` (asterisks just here to obscure our actual TeamID)

I have no idea how to proceed. Any advice?

Similar to this question thread 698452
Replies: 3 | Boosts: 0 | Views: 1.7k | Activity: Jul ’22
Mac App Store application fails to open child app (crashing in sandbox init) - how can I package a secondary app within my master app for MAS?
I have an app that is packaged for the Mac App Store. It runs great but now I need to package a second app along with it as a supplementary .app.

I have constructed a test case with the smallest possible child app. All it does is open a window that says "success".

When I archive and distribute through TestFlight the child app crashes on startup. I'm attaching the crash report below, but first, this is how I'm starting the child app from swift:

```swift
// `process` is a Process instance created elsewhere (not shown in the post).
// Build the path to the child app's executable inside the parent bundle.
let url = Bundle.main.bundleURL.path + "/Contents/Plugins/Child.app/Contents/MacOS/Child"
process.executableURL = URL(fileURLWithPath: url)
// Log when the child process exits.
process.terminationHandler = { (process) in
    print("\ndidFinish: \(!process.isRunning)")
}
do {
    try process.run()
} catch let error as NSError {
    NSLog("Failed to execute %@", error.description)
}
```

The Child.app is being copied to the Plugins folder as part of the Xcode solution.

Attached is the crash report, here's a brief summary:

```
Exception Type:        EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes:       0x0000000000000001, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace SIGNAL, Code 4 Illegal instruction: 4
Terminating Process:   exc handler [52231]

Application Specific Signatures:
SYSCALL_SET_PROFILE

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   libsystem_secinit.dylib    0x7ff810c4b337 _libsecinit_appsandbox.cold.5 + 79
1   libsystem_secinit.dylib    0x7ff810c4a82f _libsecinit_appsandbox + 2221
2   libsystem_trace.dylib      0x7ff805be1848 _os_activity_initiate_impl + 51
3   libsystem_secinit.dylib    0x7ff810c49f41 _libsecinit_initializer + 67
4   libSystem.B.dylib          0x7ff810c5d8c5 libSystem_initializer + 286
5   dyld                       0x1180b6d2b invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 182
6   dyld                       0x1180dd237 invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 242
7   dyld                       0x1180d483a invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 557
8   dyld                       0x1180a3db3 dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 129
9   dyld                       0x1180d45cb dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 179
10  dyld                       0x1180dcd8e dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 466
11  dyld                       0x1180b6c5e dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 144
12  dyld                       0x1180bd1aa dyld4::PrebuiltLoader::runInitializers(dyld4::RuntimeState&) const + 30
13  dyld                       0x1180ca3de dyld4::APIs::runAllInitializersForMain() + 38
14  dyld                       0x1180a837d dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 3443
15  dyld                       0x1180a74d4 start + 388
```

crash-report.txt
Replies: 1 | Boosts: 0 | Views: 1.4k | Activity: Jul ’22
How to enable AppleScript between Parent and Child applications within sandbox for Mac App Store?
I have a parent app that contains a child app in the bundle. The child app uses applescript to trigger some events in the parent app.

Now that I'm preparing for App Store I have sandboxed the apps and I am missing something with the entitlements that I don't understand.

In the parent app I have defined the .sdef and I can dump it with `sdef /Applications/Parent.app` once installed from TestFlight and I see:

```xml
<!DOCTYPE dictionary SYSTEM "file://localhost/System/Library/DTDs/sdef.dtd">
<dictionary title="Parent">
    <suite name="Parent Suite" code="prnt" description="Parent Scripts">
        <command name="is_first_run" code="prntisfr" description="Is this the first time running the app?">
            <cocoa class="MyScriptInterface"/>
        </command>
        <command name="activation_complete" code="prntWRac" description="Activation is complete">
            <cocoa class="MyScriptInterface"/>
        </command>
        <command name="sign_out" code="prntWRso" description="Sign out and delete local credentials">
            <cocoa class="MyScriptInterface"/>
        </command>
        <command name="get_version" code="prntgetv">
            <cocoa class="MyScriptInterface"/>
            <direct-parameter type="text" description="None"/>
            <result type="text"/>
        </command>
    </suite>
</dictionary>
```

In the parent app I have the following included in the .plist:

```xml
<key>NSAppleEventsUsageDescription</key>
<string>AppleEvents needed to communicate between components</string>
<key>NSAppleScriptEnabled</key>
<true/>
<key>OSAScriptingDefinition</key>
<string>Parent.sdef</string>
```

In the Parent entitlements I include the following key parts:

```xml
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.scripting-targets</key>
<dict>
        <key>com.foo.parent</key>
        <array>
                <string>com.foo.parent.is_first_run</string>
                <string>com.foo.parent.activation_complete</string>
                <string>com.foo.parent.sign_out</string>
                <string>com.foo.parent.get_version</string>
        </array>
        <key>com.foo.parent.child</key>
        <array>
                <string>com.foo.parent.is_first_run</string>
                <string>com.foo.parent.activation_complete</string>
                <string>com.foo.parent.sign_out</string>
                <string>com.foo.parent.get_version</string>
        </array>
</dict>
```

In the Child app I have only this key:

```xml
<key>NSAppleScriptEnabled</key>
<true/>
```

And in the Child entitlements I have only this:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.inherit</key>
        <true/>
</dict>
</plist>
```

I am not getting something. When I install the app and watch Console output I see a combination of errors:

For the Parent app:

```
AppleEvents/sandbox: Returning errAEPrivilegeError/-10004 and denying dispatch of event prnt/isfr from process '<private>'/0x0-0x7dccdc5, pid=95806, because it is not entitled to send an AppleEvent to this process.
```

For the Child app from sandboxd:

```
Violation:       deny(1) appleevent-send com.apple.systemevents
MetaData: {"platform-binary":false,"build":"macOS 12.3.1 (21E258)","sandbox_checker":"appleeventsd","process-path":"\/Applications\/Parent.app\/Contents\/MacOS\/Child.app\/Contents\/MacOS\/Child","profile-in-collection":false,"platform_binary":"no","primary-filter-value":"com.apple.systemevents","primary-filter":"appleevent-destination","checker":"appleeventsd","platform-policy":false,"policy-description":"Sandbox","summary":"deny(1) appleevent-send com.apple.systemevents","binary-in-trust-cache":false,"responsible-process-team-id":"367******2","target":"com.apple.systemevents","hardware":"Mac","pid":95806,"appleevent-destination":"com.apple.systemevents","flags":5,"responsible-process-signing-id":"com.foo.parent","apple-internal":false,"normalized_target":["com.apple.systemevents"],"checker-pid":359,"profile-flags":0,"operation":"appleevent-send","errno":1,"action":"deny","uid":501,"responsible-process-path":"\/Applications\/Parent.app\/Contents\/MacOS\/Parent","signing-id":"com.foo.parent.child","team-id":"367******2","container":"\/Users\/spartygw\/Library\/Containers\/com.foo.parent\/Data","process":"Child","release-type":"User"}
```
Replies: 7 | Boosts: 0 | Views: 2.1k | Activity: May ’22
Is it possible to distribute a macOS Network Extension app outside the Mac AppStore without having to use a System Extension?
In reference to this related question: forum question 678260

I have an application that is codesigned and notarized to install a VPN extension using the NetworkExtension plugin. It works great in Xcode in debug. In release builds that are notarized the network extension is rejected when I try to load it.

The only way we were able to get the extension to load is by going through the system extension API.

**Quinn, is it possible to distribute Developer ID-signed apps that install NetworkExtension components outside the App Store without having to use System Extension?**

The 4 UIs that the user has to jump through to allow System Extensions are going to be a huge problem for a non-technical user base.

CONSOLE output when installed from a notarized pkg:

```
NEVPNTunnelPlugin(com.foo.bar[inactive]): Validation of the extension failed
```

and

```
Provider com.foo.bar validation failed: Error Domain=NEFilterErrorDomain Code=1 "(null)"
```
Replies: 1 | Boosts: 0 | Views: 901 | Activity: May ’22
Is there an ObjC or Swift method to query installed System Extensions similar to `systemextensionctl list`?
I have an app which is installing a system extension. On startup I want to know if it's already been installed or not (because if it hasn't I want to show some information to the user). I have not been able to find an ObjC or Swift method that allows me to ask if a given extension has been installed. I know I can run systemextensionctl list and parse the output but I don't want to have to fork a shell command if I don't have to.
Replies: 1 | Boosts: 0 | Views: 806 | Activity: May ’22