Apple provides a way for the app developer to migrate app data from previous locations to the Mac App Store app container folder, see Migrating your app’s files to its App Sandbox container.
My question is, it seems this feature only allows us to migrate or move the existing app files into the sandbox folder, however, I'd like to "copy" these files instead of "move" them.
Instead of using the "Move" key in the plist file, I have already tried "Copy" key and it didn't work.
App Sandbox
App Sandbox is a macOS access control technology designed to contain damage to the system and user data if an app becomes compromised.
Posts under App Sandbox tag
117 Posts
Sandbox app + parallel process + LAN Socket
Hello everyone, I need help with an issue that is unclear to me. I developed an application with Unity and now I'm using Xcode to distribute it both outside the App Store and on the App Store. As for the first option, no problem, I was able to build the app and upload it for validation. However, regarding the App Store, I have a problem with "App Sandbox," which seems to be mandatory in this case. My application is essentially a party game where one part functions as a desktop application and another part as a mobile application. The desktop application launches a parallel process (which I included in a group within Xcode and signed with my developer ID) that makes the two parts communicate through a socket on the local network. When I enable App Sandbox, it seems that the process is not launched by the main application. I have also enabled the two options, Incoming Connection (server/client), under App Sandbox, but it still did not work. I thank you in advance for the support.
Is it possible to run multiple instances of an app at the same time such that each instance is running in its own sandbox environment? E.g., each app should have its own ~/Library and other shared directories. Maybe something like chroot, but I am not sure it would be possible.
And by sandbox I really mean isolation, not necessarily macOS App Sandbox.
I am trying to understand the mechanics of how iOS/iPadOS apps work on macs with Apple Silicon.
In particular, I'd like to understand the runtime environment of these apps.
I installed one to test it on a mac. I ran codesign --entitlements on a mac, on an iOS app downloaded from the mac app store.
I was very surprised to see the sandbox entitlement was NOT present.
On iOS all apps are sandboxed, so I was very surprised to see that the macOS translation was not sandboxed. This seems like a significant weakening of the security.
Can anyone shed some light on that?
I am trying to get the list of printers using NSPrinter.printerNames, but it doesn't return any items.
static func getPrinterList() -> [(name: String, isAvailable: Bool)] {
    let printerNames = NSPrinter.printerNames
    return printerNames.map { name in
        let isAvailable = NSPrinter(name: name) != nil
        return (name: name, isAvailable: isAvailable)
    }
}
The printerNames is an empty string array.
I checked the settings for printers and screens, and there is a printer device listed.
Do I need to set something else?
I have an Electron app built for macOS, and it was distributed via 'Developer ID' for years, it worked well and I was able to access the photos in the system Photos library. Surely I already have the 'NSPhotoLibraryUsageDescription' key in Info.plist.
Recently we are trying to publish this app to Mac App Store, so I have to turn on the sandbox, after that the app starts giving XPC errors while accessing the Photos library. The errors look like:
PHAuthorizationStatus: Authorized
CoreData: XPC: sendMessage: failed #0
CoreData: XPC: Unable to sendMessage: to server
...
CoreData: XPC: sendMessage: failed #7
CoreData: XPC: Unable to connect to server with options {
NSPersistentHistoryTrackingKey = 1;
NSXPCStoreServerEndpointFactory = "<PLXPCPhotoLibraryStoreEndpointFactory: 0x7fc67e8af370>";
skipModelCheck = 1;
}
CoreData: XPC: Unable to load metadata: Error Domain=NSCocoaErrorDomain Code=134060 "A Core Data error occurred." UserInfo={Problem=Unable to send to server; failed after 8 attempts.}
CoreData: fault: Unable to create token NSXPCConnection. NSXPCStoreServerEndpointFactory 0x7fc67e8af370 -newEndpoint returned nil
CoreData: error: Failed to create NSXPCConnection
It seems the app could detect the current PHAuthorizationStatus which is Authorized, but it can't fetch the photos from the Photos library (using PhotoKit).
I learned from here that I could look for errors from the sandboxd daemon, so I did that, here is what I saw:
Sandbox: Picture Keeper(32625) deny(1) mach-lookup com.apple.photos.service
Violation: deny(1) mach-lookup com.apple.photos.service
Process: Picture Keeper [32625]
Path: /Applications/Picture Keeper.app/Contents/MacOS/Picture Keeper
Load Address: 0x103bd3000
Identifier: com.simplifieditproducts.picturekeepermas
Version: 4575 (4.5.75)
Code Type: x86_64 (Native)
Parent Process: Picture Keeper [1]
Responsible: /Applications/Picture Keeper.app/Contents/MacOS/Picture Keeper
User ID: 501
Date/Time: 2024-08-26 16:16:14.645 EDT
OS Version: macOS 14.5 (23F79)
Release Type: User
Report Version: 8
MetaData: {"process_path":["Users","Kevin","Projects","Electron","picturekeeper-electron","dist","picturekeeper","mas-dev","Picture Keeper.app","Contents","MacOS","Picture Keeper"],"apple-internal":false,"primary-filter":"global-name","policy-description":"Sandbox","flags":5,"platform-policy":false,"build":"macOS 14.5 (23F79)","process-path":"\/Applications\/Picture Keeper.app\/Contents\/MacOS\/Picture Keeper","responsible-process-path":"\/Applications\/Picture Keeper.app\/Contents\/MacOS\/Picture Keeper","primary-filter-value":"com.apple.photos.service","platform_binary":"no","responsible-process-signing-id":"com.simplifieditproducts.picturekeepermas","hardware":"Mac","target":"com.apple.photos.service","action":"deny","mach_namespace":1,"checker-pid":1,"container":"\/Users\/Kevin\/Library\/Containers\/com.simplifieditproducts.picturekeepermas\/Data","binary-in-trust-cache":false,"team-id":"LU744924UY","process":"Picture Keeper","global-name":"com.apple.photos.service","platform-binary":false,"pid":32625,"summary":"deny(1) mach-lookup com.apple.photos.service","checker":"launchd","responsible-process-team-id":"xxxxx","operation":"mach-lookup","normalized_target":["com.apple.photos.service"],"errno":1,"uid":501,"profile-flags":0,"profile-in-collection":false,"sandbox_checker":"launchd","signing-id":"com.simplifieditproducts.picturekeepermas","release-type":"User"}
I believe I already have the necessary entitlements for the Photos library, see:
codesign -d --entitlements - /Applications/Picture\ Keeper.app/Contents/MacOS/Picture\ Keeper
[Dict]
[Key] com.apple.application-identifier
[Value]
[String] xxxx.com.simplifieditproducts.picturekeepermas
[Key] com.apple.developer.team-identifier
[Value]
[String] xxxx
[Key] com.apple.security.app-sandbox
[Value]
[Bool] true
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] xxxx.com.simplifieditproducts.picturekeepermas
[Key] com.apple.security.assets.movies.read-only
[Value]
[Bool] true
[Key] com.apple.security.assets.music.read-only
[Value]
[Bool] true
[Key] com.apple.security.assets.pictures.read-write
[Value]
[Bool] true
[Key] com.apple.security.cs.allow-dyld-environment-variables
[Value]
[Bool] true
[Key] com.apple.security.cs.allow-jit
[Value]
[Bool] true
[Key] com.apple.security.cs.allow-unsigned-executable-memory
[Value]
[Bool] true
[Key] com.apple.security.cs.disable-executable-page-protection
[Value]
[Bool] true
[Key] com.apple.security.cs.disable-library-validation
[Value]
[Bool] true
[Key] com.apple.security.device.usb
[Value]
[Bool] true
[Key] com.apple.security.files.bookmarks.app-scope
[Value]
[Bool] true
[Key] com.apple.security.files.bookmarks.document-scope
[Value]
[Bool] true
[Key] com.apple.security.files.downloads.read-only
[Value]
[Bool] true
[Key] com.apple.security.files.user-selected.read-write
[Value]
[Bool] true
[Key] com.apple.security.network.client
[Value]
[Bool] true
[Key] com.apple.security.network.server
[Value]
[Bool] true
[Key] com.apple.security.personal-information.location
[Value]
[Bool] true
[Key] com.apple.security.personal-information.photos-library
[Value]
[Bool] true
By the way, the Photos library related code was built into a .node file (which is a dylib), and it will be loaded by the main executable during runtime.
Anything I missed? Thank you!
We have a cross platform App available on Mac, iOS & soon tvOS. We are adding a new App Group to be used by this app.
We also have an as yet unpublished future Mac Catalyst app that will need access to the App Group.
The Apple docs suggest prefixing app groups on Mac with the team ID but not on other platforms.
We would like to avoid prefixing with the team ID because:
my understanding is that Mac Catalyst apps don't use the team ID and we would like to support that use case to communicate between our current cross platform app and the future catalyst app.
Having a single code base but different group container IDs per platform means a bunch of extra conditional logic in the project we would rather avoid.
So with that context our aim is to have an app group that is named consistently across platforms and meets sandboxing requirements for App Store distribution.
However, when developing using the non-team prefixed app group name on macOS Sequoia I see the following alert every time I launch the app.
I have the App Group listed correctly in the entitlements file and if I change the app group name on macOS from group.com.example to (TEAMID).com.example then it works as expected so I think the rest of the setup is correct.
Looking at the Sequoia Beta release notes it states:
Specifically, the app must use FileManager to get the app group container path and meet one of the following requirements: the app is deployed through Mac App Store; the app group identifier is prefixed with the app’s Team ID; or the app group identifier is authorised by a provisioning profile embedded within the app.
I am using Xcode managed signing and looking at the provisioning profiles I can see that the iOS one includes the app group but the macOS one does not. I assume that if I could somehow get the app group correctly added to the macOS provisioning profile then all would be good.
But I am now stuck on how to get the app group added to the macOS provisioning profile. It seems whatever I try Xcode does not want to add it. Presumably this is because it expects you to instead use a team ID prefixed app group which would not need to be added.
Is there any magic I can do to make this work with automatic signing?
If not then how would I go about setting it up manually and is that the best solution?
We have an app that is published both on iOS and macOS (Catalyst).
Now, the iOS app is sharing group containers between app extension and main app target, but it's not sandboxed.
The macOS Catalyst app is sandboxed but the group containers were removed a week ago with the latest AppStore submission.
We are facing the same issue and still seeing the error message saying "You can only transfer sandboxed apps that are not sharing a group container." when transferring the app.
It's not clear why we are having that message as the group containers were removed from the macOS app.
Can anyone from Apple give a bit more detail on what we can do to fix that?
Hi,
I'm writing a sandboxed Daemon that I register from my sandboxed application via SMAppService.
The registration is successful, and the daemon is called based on logs.
However when I'm trying to save a keychain item into the keychain, I see entries like this in the logs:
(Security) SecItemAdd
[com.apple.securityd:atomicfile] create /Library/Keychains/System.keychain.sb-1c133873-RPL9wo: Operation not permitted
[com.apple.securityd:security_exception] UNIX error exception: 1
[com.apple.securityd:security_exception] CSSM Exception: 100001 UNIX[Operation not permitted]
[com.apple.securityd:security_exception] CSSM Exception: 100001 UNIX[Operation not permitted]
I'm attempting to create the item with the regular SecItemAdd function call:
var query: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrLabel as String: "[redacted string]",
    kSecAttrAccount as String: "[redacted string]",
    kSecAttrService as String: "[redacted string]",
    kSecValueData as String: secretData
]
SecItemAdd(query as CFDictionary, nil)
I'm guessing this is because the System keychain is outside of the sandbox for the daemon.
Is there a way to create items for the System Keychain from a sandboxed daemon?
multiprocessing.Queue() method of python getting "PermissionError: [Errno 1] Operation not permitted" error if it is sandboxed:
CODE:
import multiprocessing
tensorflow_coordinates_queue = multiprocessing.Queue()
ERROR:
./test_temp9
Traceback (most recent call last):
File "/Applications/test_temp9.app/Contents/MacOS/test_temp9.py", line 4, in <module>
File "/Applications/test_temp9.app/Contents/MacOS/multiprocessing/context.py", line 103, in Queue
File "/Applications/test_temp9.app/Contents/MacOS/multiprocessing/queues.py", line 43, in __init__
File "/Applications/test_temp9.app/Contents/MacOS/multiprocessing/context.py", line 68, in Lock
File "/Applications/test_temp9.app/Contents/MacOS/multiprocessing/synchronize.py", line 162, in __init__
File "/Applications/test_temp9.app/Contents/MacOS/multiprocessing/synchronize.py", line 57, in __init__
PermissionError: [Errno 1] Operation not permitted
BUNDLED WITH NUITKA:
echo *** | sudo -S python3.9 -m nuitka --run --standalone --macos-disable-console --macos-create-app-bundle --macos-app-mode=ui-element --enable-plugin=pyside6 --macos-app-icon=icons/app_icon.png --include-data-dir=icons=icons test_temp9.py
SIGNED WITH FOLLOWING SH:
sign.txt
sign2.txt
ENTITLEMENTS:
app.entitlements.txt
When using the following API, is it expected that the app would require both incoming and outgoing permissions with App Sandbox?
public func sendto(_: Int32, _: UnsafeRawPointer!, _: Int, _: Int32, _: UnsafePointer<sockaddr>!, _: socklen_t) -> Int
Since I'm only sending UDP broadcasts, I would have expected outgoing to be sufficient.
Thanks!
When making a custom System Settings panel, I want the project to automatically move the prefpane file to /Library/PreferencePanes/. With Run Script, the build fails because of denial to perform the operation. Sudo doesn't help, too.
PREFPANE_SRC="${BUILT_PRODUCTS_DIR}/App.prefPane"
PREFPANE_DST="$HOME/Library/PreferencePanes/"
echo "PrefPane source path: $PREFPANE_SRC"
echo "PrefPane destination path: $PREFPANE_DST"
if [ -d "$PREFPANE_SRC" ]; then
    echo "Installing preference pane to ${PREFPANE_DST}"
    cp -R "${PREFPANE_SRC}" "${PREFPANE_DST}"
else
    echo "Preference pane not found: ${PREFPANE_SRC}"
    exit 1
fi
I'm attempting to create an application that uses a System Extension / Network Extension to implement a PacketTunnelProvider.
After creating and configuring the packet device, I want to spawn a child process to do the actual reading and writing of network packets. I want to do this because the child is written in Go (it uses wireguard-go and my company's Go-SDK).
When I call posix_spawn from within the System Extension, I get "Operation not permitted" as the error, and sandboxd drops a log with
Violation: deny(1) process-exec* /private/var/root/Library/Containers/<my system extension>/Data/Documents/<my-child-binary>
Is it possible to execute other processes from within the System Extension sandbox? Do the binaries have to be stored in a particular place, and if so, where?
I attempted to build with the App Sandbox removed from the System Extension capabilities, and this seemed to fail before even executing my Network Extension code, so I'm guessing System Extensions are required to be sandboxed, but it would be nice to have that confirmed.
Hi everyone,
I'm currently testing my app's subscription feature in the sandbox environment, but I'm encountering an issue where my subscriptions are not appearing in the StoreView. I've implemented the StoreKit configurations and ensured that the product IDs are correctly set up. However, when I try to display the subscriptions in the StoreView, nothing appears.
Here are a few details about my setup:
I’m using StoreKit to manage auto-renewable subscriptions.
The product IDs are correctly registered and match those in App Store Connect.
Testing in the sandbox environment.
I’ve confirmed that my internet connection is stable, and there are no apparent issues with the request.
Despite this, the StoreView remains empty, and I'm unable to see any subscription options. Has anyone else encountered this problem? If so, how did you resolve it?
Any help or suggestions would be greatly appreciated!
Thanks in advance!
I'm developing an application that uses hardlinks to track certain files created by the app. Initially, before the hardlink is created, the files behave as expected. For example, if the app generates a .number file, I can open and edit it with Numbers without any issues. However, once the hardlink is created, the file appears locked, and Numbers can no longer write to it.
Checking the logs in the Console app, I see that Numbers throws an NSCocoaErrorDomain error with code 513. This problem only occurs with sandboxed apps—non-sandboxed apps like Visual Studio Code work fine. I’ve also tried creating the hardlink manually using the ln command in Terminal, but the behavior is the same.
I'm currently on a M1 Pro mac running Sonoma 14.2.1. I've also tried on an intel one running Sonoma 14.4 and the behaviour is the exact same.
This issue doesn’t occur with symlinks, but my application specifically requires hardlinks, and I haven't been able to find a workaround. Does anyone have any suggestions?
When I was making sandbox payments in the testing environment, I made a normal recharge, but I received multiple purchase callbacks at the same time. Has anyone encountered the same situation? Does this situation only occur in sandbox environments?
Hi,
we have quite a headache around wanting to transfer one of our applications to a new Apple Developer Organization.
The macOS Application is sandboxed and is bundled with a Safari Extension. The two must be in an App Group in order to share data (as per official Apple documentation).
Now this also means, according to this documentation from Apple that this App cannot be transferred, because it has made use of App Groups. If I read correctly online, even if we were to remove this entitlement from the Application, we wouldn't be able to transfer it.
Is this all there is to know? I find it rather hard to believe there isn't a workaround for this.
Is there maybe a way to transfer the Application and the Safari Extension to the new organization at once, together? I don't mind moving the App Group as well.
Can a technical support incident be requested for this type of issue? I'm happy to talk this through with someone from Apple if there is a one-by-one basis (maybe a manual transfer with help from Apple) way to solve this.
Why this is a problem, you might ask. First and largest problem is the continuous service for our existing subscribers to the premium version of our application. If we can't move the app, we need to recreate it in the new organization with a new bundle id, new subscription items, everything.
I haven't found a straightforward way to move these subscriptions over to another app. I thought about creating an Introductory/Promotional offer, only shown to users with subscriptions in old app. But the length of their subscriptions vary, and offers have a fixed with.
Is there anything else I haven't looked at?
Thanks in advance!
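I created a macOS app with the sandbox enabled. I have a shell script and an embedded executable command-line tool located under /Users/Library/Containers/com.***/Data/Library/Application Support/***/, which are used for copying work. I find that I cannot execute them successfully; it is always denied. Does anyone know the reason?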
macOS application Mulligan's Eagle (403115926)
macOS deployment - macOS 10.14 (Mojave) through Sonoma 14.5
macOS targets - Mac App Store, ad hoc direct drag-to-install image
Xcode version 15.4, various development Macs (Intel, M1, M2)
Eagle delivered since pre-Mac App Store days - derived from System 7 MacApp development. App most recently delivered with min system Mac OS 10.12 through current Sonoma 14.5, dual target for Mac App Store automatically signed with Apple Development credentials and for outside release automatically signed with Developer ID credentials.
Recent revisions to the software to bump min system to 10.14 (Mojave) with typical continuing development for tech, reqm'ts, etc. Updates (a couple since previous release) to Xcode - now using version 15.4, which recommended some config changes that made sense, except min system. Popular application with lots of older (uh... elder) users running Macs servicing golfers.
The application is ready to distribute with automatic signing, but wasn't able to do so with Developer ID credentials, but Xcode note (and reading of tips in this forum and my poor understanding) managed to submit for notarization - failed.
Tried to manually sign...
and reviewed signing info in Xcode...
So I reviewed Certificate(s) etc. that should have been used when previously signing Dev ID for notarization and release. I have (I think) six Developer ID Application certs and six Developer ID Installer certs and I can't find any combination of those certificates - some with duplicate dates or expirations - that allows me to use one to automatically sign code to notarization or delivery. What do I do? I've lived a peaceful solo developer life for 25 years delivering and signing code for the Mac and as long as iOS has existed. I'm terrified about this issue however...
My early Mac OS using customers (since Lion - pre sandbox) still have serial numbers for this software and have bought a Mac every 6 - 10 years so they could get my latest release. We've never required that they re-purchase from the App Store... they have a perpetual license. Sandboxing was a shock they never felt - we kept delivering updates to them and if they decided sandboxing mattered, they purchased from Apple and we included the container-migration entitlement in the App Store version to move their data to the new sandbox. Pretty slick. Until we built an install disk to test it on an unsandboxed version of Eagle in our office. It "lost" its data - vanished by remaining in the old Application Support directory while the new hardened runtime version looked for it in the sandbox - finding nothing. Just imagine encountering that if you're 80 years old running a golf league.
How can I "reset" the futzed-up certificate Developer ID mess? I have multiple machines, all with varying subsets of what seem to be good certificates. And Xcode builds new provisioning profiles just for the heck of it, it seems. I'm afraid to revoke or throw out any certificates because I can't tell which ones are good, bad or duplicates - they're all valid. And I can't create any more Developer ID certs because there's a max to control certificate-miscreants like me (yes, I've read Quinn's protection of your Dev ID note - I screwed it up with only 1 employee). I depend on automatic signing because I'm still, after 58 years of coding, just a novice.
Is it true that I should still specify in my build settings that I'm using Developer ID credentials for my ad hoc development and distribution schemes? And that the proper settings for those should NOT enable hardened runtime or app sandboxing?
Sorry for my intensity here.... It's been 2 weeks since App Review bonked an initial submission with just an "it's broken" reject message, and DTS decided this is not such an emergency that the Developer Forum shouldn't be able to handle it. I'm truly hoping it's so.
Hello macOS gurus, I am writing an AUv3 plug-in and wanted to add support for additional formats such as CLAP and VST3. These plug-ins must reside in an appropriate folder /Library/Audio/Plug-Ins/ or ~/Library/Audio/Plug-Ins/. The typical way these are delivered is with old school installers.
I have been experimenting with delivering these formats in a sandboxed app. I was using the com.apple.security.temporary-exception.files.absolute-path.read-write entitlement to place a symlink in the system folder that points to my CLAP and VST3 plug-ins in the bundle. Everything was working very nicely until I realized that on my Mac I had changed the permissions on these folders from
to
The problem is that when the folder has the original system permissions, my attempt to place the symlink fails, even with the temporary exception entitlement.
Here's the code I'm using with systemPath = "/Library/Audio/Plug-Ins/VST3/"
static func symlinkToBundle(fileName: String, fileExt: String, from systemPath: String) throws {
    // Resolve the plug-in inside the app bundle's Resources directory.
    guard let bundlePath = Bundle.main.resourcePath?.appending("/\(fileName).\(fileExt)") else {
        print("File not in bundle")
        return  // a guard body must exit the enclosing scope
    }
    let fileManager = FileManager.default
    do {
        // Create the symlink at systemPath, pointing at the bundled plug-in.
        try fileManager.createSymbolicLink(atPath: systemPath, withDestinationPath: bundlePath)
    } catch {
        print(error.localizedDescription)
    }
}
So the question is ... Is there a way to reliably place this symlink in /Library/... from a sandboxed app using the temporary exception entitlements? I understand there will probably be issues with App Review but for now I am just trying to explore my options.
Thanks.