code signature in [app] not valid for use in process using library validation: library load disallowed by system policy.
I have an Electron app that uses a SQLite database, and has as a dependency the Sqlite3 npm package. I am building it as a sandboxed app to be distributed in the Mac App Store. When I build the app and try to open it I immediately get an error that says appName cannot be opened because developer cannot be identified. Then a more detailed error appears that includes: code signature in [app] not valid for use in process using library validation: library load disallowed by system policy.

If I build it for distribution outside the app store (with hardened runtime and notarization) it works as long as I include the entitlement:

com.apple.security.cs.disable-library-validation

But it appears there is no similar entitlement for sandbox apps and that sandbox apps will just ignore this entitlement. The app itself is signed with a valid certificate. And it opens fine if I don't require the sqlite3 library/package. What steps do I need to take to fix this?
Replies: 11 | Boosts: 0 | Views: 9.3k | Activity: Jan ’20

Sandboxed MacOS app with user-selected read-write entitlement won't allow me to write to SQLite database files.
My app allows users to create, read, update, and delete one or more sqlite database files. It reads from the db file but it won't allow writing to it. The logs give this error when trying to write to myFile1.sqlite (I am using ".sqlite" as the file extension):

Sandbox: MyApp Helpe(16378) deny(1) file-write-create /Users/steve/Documents/myFile1.sqlite-journal
Violation: deny(1) file-write-create /Users/steve/Documents/myFile1.sqlite-journal

When writing to a SQLite database, behind the scenes it creates (then deletes) a temporary file with the same name as the database file but with "-journal" appended to the extension. So if the db file name is myFile.sqlite, a temporary myFile.sqlite-journal file will be created then deleted when I write to the database. It is this file that causes the issue because it is not added to the sandbox because the user did not select it. This is a known issue that has a resolution documented below.

I built the app with Electron.js not with Xcode. I can add properties to info.plist but I can't figure out exactly what to add if anything.

----------------------------------------

Relevant docs referencing sqlite journal file:
https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AppSandboxInDepth/AppSandboxInDepth.html

Scroll about halfway down to the section called "Related Items". I've copy/pasted the relevant text below.

RELATED ITEMS

The related items feature of App Sandbox lets your app access files that have the same name as a user-chosen file, but a different extension. This feature consists of two parts: a list of related extensions in the application’s Info.plist file and code to tell the sandbox what you’re doing.

There are two common scenarios where this makes sense:

Scenario 1: (unrelated to my issue)

Scenario 2:

Your app needs to be able to open or save multiple related files with the same name and different extensions (for example, to automatically open a subtitle file with the same name as a movie file, or to allow for a SQLite journal file).

To gain access to that secondary file, create a class that conforms to the NSFilePresenter protocol. This object should provide the main file’s URL as its primaryPresentedItemURL property, and should provide the secondary file’s URL as its presentedItemURL property.

After the user opens the main file, your file presenter object should call the addFilePresenter: class method on the NSFileCoordinator class to register itself.

Note: In the case of a SQLite journal file, beginning in 10.8.2, journal files, write-ahead logging files, and shared memory files are automatically added to the related items list if you open a SQLite database, so this step is unnecessary.

In both scenarios, you must make a small change to the application’s Info.plist file. Your app should already declare a Document Types (CFBundleDocumentTypes) array that declares the file types your app can open.

For each file type dictionary in that array, if that file type should be treated as a potentially related type for open and save purposes, add the key NSIsRelatedItemType with a boolean value of YES.
Replies: 3 | Boosts: 0 | Views: 1.2k | Activity: Jan ’20
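
For triaging denials like the one quoted in the post above, this added example (not part of the original post, and not Electron's or SQLite's own code) parses sandbox log lines in the format shown and flags those that hit a SQLite sidecar file (-journal, -wal, -shm) of a database the user selected. The function names and the notes.txt log line are assumptions made for illustration.

```javascript
// Suffixes SQLite appends to the database file name: rollback journal,
// write-ahead log, and shared-memory file.
const SIDECAR_SUFFIXES = ['-journal', '-wal', '-shm'];

// Matches the denial format quoted in the post:
//   Sandbox: <process>(<pid>) deny(<n>) <operation> <path>
// The process name may contain spaces and the path runs to end of line.
const DENY_RE = /^Sandbox: (.+?)\((\d+)\) deny\(\d+\) (\S+) (.+)$/;

function parseDenial(line) {
  const m = DENY_RE.exec(line.trim());
  if (!m) return null; // e.g. the "Violation:" echo of the same denial
  return { process: m[1], pid: Number(m[2]), operation: m[3], path: m[4] };
}

// Returns the database a denied path belongs to, or null when the path is
// not a sidecar of any database the user selected.
function sidecarOf(deniedPath, selectedDatabases) {
  for (const suffix of SIDECAR_SUFFIXES) {
    if (!deniedPath.endsWith(suffix)) continue;
    const database = deniedPath.slice(0, -suffix.length);
    if (selectedDatabases.includes(database)) return { database, suffix };
  }
  return null;
}

// Labels each denial so sidecar denials (related-items problem) are told
// apart from denials on files the user never granted at all.
function triage(logLines, selectedDatabases) {
  const findings = [];
  for (const line of logLines) {
    const denial = parseDenial(line);
    if (!denial) continue;
    const hit = sidecarOf(denial.path, selectedDatabases);
    findings.push({ ...denial, kind: hit ? 'sqlite-sidecar' : 'other', ...(hit || {}) });
  }
  return findings;
}

// Lines 1 and 3 are the ones quoted in the post; line 2 is constructed.
const SAMPLE_LOG = [
  'Sandbox: MyApp Helpe(16378) deny(1) file-write-create /Users/steve/Documents/myFile1.sqlite-journal',
  'Sandbox: MyApp Helpe(16378) deny(1) file-write-create /Users/steve/Documents/notes.txt',
  'Violation: deny(1) file-write-create /Users/steve/Documents/myFile1.sqlite-journal',
];
const SELECTED = ['/Users/steve/Documents/myFile1.sqlite'];

console.log(triage(SAMPLE_LOG, SELECTED));
```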