App Sandbox

App Sandbox is a macOS access control technology designed to contain damage to the system and user data if an app becomes compromised.

Posts under App Sandbox tag

120 Posts
Columns for each entry below: Post, Replies, Boosts, Views, Activity

Moving file to a system folder
When making a custom System Settings panel, I want the project to automatically move the prefpane file to /Library/PreferencePanes/. With Run Script, the build fails because of denial to perform the operation. Sudo doesn't help either.

# Run Script build phase as posted
PREFPANE_SRC="${BUILT_PRODUCTS_DIR}/App.prefPane"
PREFPANE_DST="$HOME/Library/PreferencePanes/"
echo "PrefPane source path: $PREFPANE_SRC"
echo "PrefPane destination path: $PREFPANE_DST"
if [ -d "$PREFPANE_SRC" ]; then
    echo "Installing preference pane to ${PREFPANE_DST}"
    cp -R "${PREFPANE_SRC}" "${PREFPANE_DST}"
else
    echo "Preference pane not found: ${PREFPANE_SRC}"
    exit 1
fi
8
0
877
Aug ’24
calling posix_spawn from a network System Extension
I'm attempting to create an application that uses a System Extension / Network Extension to implement a PacketTunnelProvider. After creating and configuring the packet device, I want to spawn a child process to do the actual reading and writing of network packets. I want to do this because the child is written in Go (it uses wireguard-go and my company's Go SDK). When I call posix_spawn from within the System Extension, I get "Operation not permitted" as the error, and sandboxd drops a log with

Violation: deny(1) process-exec* /private/var/root/Library/Containers/<my system extension>/Data/Documents/<my-child-binary>

Is it possible to execute other processes from within the System Extension sandbox? Do the binaries have to be stored in a particular place, and if so, where? I attempted to build with the App Sandbox removed from the System Extension capabilities, and this seemed to fail before even executing my Network Extension code, so I'm guessing System Extensions are required to be sandboxed, but it would be nice to have that confirmed.
5
0
673
Aug ’24
Issues Displaying Subscriptions in StoreView Using Sandbox Environment
Hi everyone, I'm currently testing my app's subscription feature in the sandbox environment, but I'm encountering an issue where my subscriptions are not appearing in the StoreView. I've implemented the StoreKit configurations and ensured that the product IDs are correctly set up. However, when I try to display the subscriptions in the StoreView, nothing appears. Here are a few details about my setup: I’m using StoreKit to manage auto-renewable subscriptions. The product IDs are correctly registered and match those in App Store Connect. Testing in the sandbox environment. I’ve confirmed that my internet connection is stable, and there are no apparent issues with the request. Despite this, the StoreView remains empty, and I'm unable to see any subscription options. Has anyone else encountered this problem? If so, how did you resolve it? Any help or suggestions would be greatly appreciated! Thanks in advance!
0
0
542
Aug ’24
After creating a hardlink, sandboxed app cannot write to it anymore
I'm developing an application that uses hardlinks to track certain files created by the app. Initially, before the hardlink is created, the files behave as expected. For example, if the app generates a .number file, I can open and edit it with Numbers without any issues. However, once the hardlink is created, the file appears locked, and Numbers can no longer write to it. Checking the logs in the Console app, I see that Numbers throws an NSCocoaErrorDomain error with code 513. This problem only occurs with sandboxed apps—non-sandboxed apps like Visual Studio Code work fine. I’ve also tried creating the hardlink manually using the ln command in Terminal, but the behavior is the same. I'm currently on a M1 Pro mac running Sonoma 14.2.1. I've also tried on an intel one running Sonoma 14.4 and the behaviour is the exact same. This issue doesn’t occur with symlinks, but my application specifically requires hardlinks, and I haven't been able to find a workaround. Does anyone have any suggestions?
4
0
668
Aug ’24
Is it completely impossible to transfer macOS apps belonging to an App Group?
Hi, we have quite a headache around wanting to transfer one of our applications to a new Apple Developer Organization. The macOS application is sandboxed and is bundled with a Safari Extension. The two must be in an App Group in order to share data (as per official Apple documentation). Now this also means, according to this documentation from Apple, that this app cannot be transferred, because it has made use of App Groups. If I read correctly online, even if we were to remove this entitlement from the application, we wouldn't be able to transfer it. Is this all there is to know? I find it rather hard to believe there isn't a workaround for this. Is there maybe a way to transfer the application and the Safari Extension to the new organization at once, together? I don't mind moving the App Group as well. Can a technical support incident be requested for this type of issue? I'm happy to talk this through with someone from Apple if there is a one-by-one basis (maybe a manual transfer with help from Apple) way to solve this. Why this is a problem, you might ask. First and largest problem is the continuous service for our existing subscribers to the premium version of our application. If we can't move the app, we need to recreate it in the new organization with a new bundle ID, new subscription items, everything. I haven't found a straightforward way to move these subscriptions over to another app. I thought about creating an Introductory/Promotional offer, only shown to users with subscriptions in the old app. But the length of their subscriptions varies, and offers have a fixed length. Is there anything else I haven't looked at? Thanks in advance!
0
1
474
Aug ’24
Developer ID target can't be signed or notarized automatically
macOS application Mulligan's Eagle (403115926) macOS deployment - macOS 10.14 (Mojave) through Sonoma 14.5 macOS targets - Mac App Store, ad hoc direct drag-to-install image Xcode version 15.4, various development Macs (Intel, M1, M2) Eagle delivered since pre-Mac App Store days - derived from System 7 MacApp development. App most recently delivered with min system Mac OS 10.12 through current Sonoma 14.5, dual target for Mac App Store automatically signed with Apple Development credentials and for outside release automatically signed with Developer ID credentials. Recent revisions to the software to bump min system to 10.14 (Mojave) with typical continuing development for tech, reqm'ts, etc. Updates (a couple since previous release) to Xcode - now using version 15.4, which recommended some config changes that made sense, except min system. Popular application with lots of older (uh... elder) users running Macs servicing golfers. The application is ready to distribute with automatic signing, but wasn't able to do so with Developer ID credentials, but Xcode note (and reading of tips in this forum and my poor understanding) managed to submit for notarization - failed. Tried to manually sign... and reviewed signing info in Xcode... So I reviewed Certificate(s) etc. that should have been used when previously signing Dev ID for notarization and release. I have (I think) six Developer ID Application certs and six Developer ID Installer certs and I can't find any combination of those certificates - some with duplicate dates or expirations - that allows me to use one to automatically sign code to notarization or delivery. What do I do? I've lived a peaceful solo developer life for 25 years delivering and signing code for the Mac and as long as iOS has existed. I'm terrified about this issue however... 
My early Mac OS using customers (since Lion - pre sandbox) still have serial numbers for this software and have bought a Mac every 6 - 10 years so they could get my latest release. We've never required that they re-purchase from the App Store... they have a perpetual license. Sandboxing was a shock they never felt - we kept delivering updates to them and if they decided sandboxing mattered, they purchased from Apple and we included the container-migration entitlement in the App Store version to move their data to the new sandbox. Pretty slick. Until we built an install disk to test it on an unsandboxed version of Eagle in our office. It "lost" its data - vanished by remaining in the old Application Support directory while the new hardened runtime version looked for it in the sandbox - finding nothing. Just imagine encountering that if you're 80 years old running a golf league. How can I "reset" the futzed-up certificate Developer ID mess? I have multiple machines, all with varying subsets of what seem to be good certificates. And Xcode builds new provisioning profiles just for the heck of it, it seems. I'm afraid to revoke or throw out any certificates because I can't tell which ones are good, bad or duplicates - they're all valid. And I can't create any more Developer ID certs because there's a max to control certificate-miscreants like me (yes, I've read Quinn's protection of your Dev ID note - I screwed it up with only 1 employee). I depend on automatic signing because I'm still, after 58 years of coding, just a novice. Is it true that I should still specify in my build settings that I'm using Developer ID credentials for my ad hoc development and distribution schemes? And that the proper settings for those should NOT enable hardened runtime or app sandboxing? Sorry for my intensity here.... 
It's been 2 weeks since App Review bonked an initial submission with just an "it's broken" reject message, and DTS decided this is not such an emergency that the Developer Forum shouldn't be able to handle it. I'm truly hoping it's so.
4
0
865
Aug ’24
macOS Sandbox and writing to system folders (audio plug-Ins)
Hello macOS gurus, I am writing an AUv3 plug-in and wanted to add support for additional formats such as CLAP and VST3. These plug-ins must reside in an appropriate folder, /Library/Audio/Plug-Ins/ or ~/Library/Audio/Plug-Ins/. The typical way these are delivered is with old-school installers. I have been experimenting with delivering these formats in a sandboxed app. I was using the com.apple.security.temporary-exception.files.absolute-path.read-write entitlement to place a symlink in the system folder that points to my CLAP and VST3 plug-ins in the bundle. Everything was working very nicely until I realized that on my Mac I had changed the permissions on these folders from to The problem is that when the folder has the original system permissions, my attempt to place the symlink fails, even with the temporary exception entitlement. Here's the code I'm using, with systemPath = "/Library/Audio/Plug-Ins/VST3/":

static func symlinkToBundle(fileName: String, fileExt: String, from systemPath: String) throws {
    guard let bundlePath = Bundle.main.resourcePath?.appending("/\(fileName).\(fileExt)") else {
        print("File not in bundle")
        // A guard's else branch must leave the scope; the posted version only printed here.
        throw CocoaError(.fileNoSuchFile)
    }
    let fileManager = FileManager.default
    do {
        try fileManager.createSymbolicLink(atPath: systemPath, withDestinationPath: bundlePath)
    } catch {
        print(error.localizedDescription)
        throw error  // rethrow so the caller sees the sandbox denial, not just the console
    }
}

So the question is ... Is there a way to reliably place this symlink in /Library/... from a sandboxed app using the temporary exception entitlements? I understand there will probably be issues with App Review but for now I am just trying to explore my options. Thanks.
6
0
1.1k
Aug ’24
Honoring User's Changed Selection when Registering macOS MainApp with SMAppService
Hello, Currently my macOS application registers itself as a login item in the AppDelegate applicationDidFinishLaunching method (see code below). However, I'm running into a problem: if the user is auto-upgraded (internal 3rd-party implementation), the .pkg postinstall script runs, the last step of which is launching the GUI application. Because of this, if a user unselects our app as a login item, when it is relaunched it will add itself back. I have checked the SMAppService statuses (.enabled, .notRegistered, .notFound) and discovered that when a user disables the app as a login item, the status is returned as .notFound. I am trying to find a way to detect if the user previously removed our app from login items and not register the app as a login item again, but the first time the user opens the app, the app is registered as a login item. Would checking if the status is .notRegistered work in this case for a first-time install? What should I do differently?

func applicationDidFinishLaunching(_ aNotification: Notification) {
    ...
    guard !Runtime.isDebug else {
        self.logger.debug("Detected Xcode host; Skipping installation of helper components.")
        return
    }
    self.logger.info("Setting UI login item")
    if mainApp.status != .enabled { // old code, incorrect. What should go here?
        do {
            try mainApp.register()
        } catch {
            logger.error("Failed to initialize UI login item: \(error.localizedDescription)")
        }
    }
}
3
0
570
Jul ’24
Configure autostart of a sandboxed Java app
I have developed a backup application in Java. In it, users can configure whether they want it to autostart or not. If they do, a plist file is written to ~/Library/LaunchAgents so that my app starts at login. This works perfectly so far. I've not submitted it to the Mac App Store. But for that, it needed to be sandboxed. And with that, I had to add "com.apple.security.temporary-exception.files.home-relative-path.read-write=/Library/LaunchAgents/" to my entitlements so that the plist file could still be written to ~/Library/LaunchAgents. However, they do not approve this. Is there another solution to launch my application at login?
Must work in sandbox mode.
Must work from Java/Shell/... (I found "SMAppService", but this seems only available in Swift/Objective-C.)
1
0
612
Jul ’24
Mac App with Python Embedded: Sandbox Blocks Python Script from Running Only in Release Mode?
I have an XPC service that embeds Python. It executes a Python script on behalf of the main app. The app and XPC service are sandboxed. All seems to work just fine in the development environment, but the script fails in the released version. I disabled writing pycache by setting the PYTHONDONTWRITEBYTECODE environment variable because pycache tries to write inside my app bundle, which fails (I believe I can redirect the pycache directory with PYTHONPYCACHEPREFIX and may experiment with that later). Specifically this line fails in the release version only (not from Xcode):

PyObject *pModule = PyImport_Import(moduleNameHere);
if (pModule == NULL) {  /* the posted snippet compared a differently named variable, pModuleOwnedRef */
    // this is null in release mode only.
    // PyErr_Print() here would show the underlying ImportError.
}

Any ideas what can be going wrong? Thanks in advance.
3
0
994
Jul ’24
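An added example for the post above (it is not the poster's code and does not come from the forum): an import that succeeds under Xcode but fails in the shipped, sandboxed build usually comes down to the embedded interpreter's sys.path not being what the developer expects, or Python being unable to write bytecode next to the sources inside the bundle. The helper below resolves a module against an explicit search path and reports where it came from, and redirects the bytecode cache from inside the interpreter (the same effect as PYTHONPYCACHEPREFIX) so PYTHONDONTWRITEBYTECODE is no longer needed. The module name, directories and file contents are constructed for the demo.

```python
"""Diagnose a PyImport_Import failure from the embedding side.

Added example; not code from the post.  diagnose_import() resolves a module
against an explicit search path, redirect_bytecode_cache() points .pyc output
at a directory the sandbox container allows.  All names and paths here are
constructed for the demo.
"""
import importlib.util
import os
import py_compile
import sys
import tempfile


def diagnose_import(name, search_path):
    """Resolve `name` against `search_path` (a list of directories) only.

    Returns {'found': True, 'origin': <file>} or {'found': False, 'error': <why>}.
    Pass the path the embedded interpreter really has (the one built from
    Bundle.main.resourcePath), not the live sys.path of a dev shell.
    """
    saved = sys.path
    sys.path = list(search_path)
    try:
        spec = importlib.util.find_spec(name)
    except Exception as exc:  # a broken parent package raises instead of returning None
        return {"found": False, "error": f"{type(exc).__name__}: {exc}"}
    finally:
        sys.path = saved
    if spec is None:
        return {"found": False,
                "error": f"ModuleNotFoundError: {name!r} not under {list(search_path)}"}
    return {"found": True, "origin": spec.origin}


def redirect_bytecode_cache(cache_dir):
    """Write .pyc files under cache_dir instead of a __pycache__ beside the source.

    The sources live inside the signed, read-only app bundle and the sandbox
    denies writes there anyway, so the cache goes to a directory the container
    allows (the app's Caches directory, for instance).  sys.pycache_prefix is
    the in-process equivalent of PYTHONPYCACHEPREFIX.
    """
    os.makedirs(cache_dir, exist_ok=True)
    sys.pycache_prefix = cache_dir
    sys.dont_write_bytecode = False
    return cache_dir


def compile_into_cache(source_file):
    """Compile one source file; the returned .pyc path honours sys.pycache_prefix."""
    return py_compile.compile(source_file, doraise=True)


def demo():
    """Constructed scenario: one bundled script, a wrong and a right search path."""
    root = tempfile.mkdtemp(prefix="embedpy-")
    scripts = os.path.join(root, "scripts")
    os.makedirs(scripts)
    module_file = os.path.join(scripts, "bundled_script.py")
    with open(module_file, "w", encoding="utf-8") as fh:
        fh.write("def run():\n    return 'ok'\n")

    missing = diagnose_import("bundled_script", [])         # release build with an empty or wrong path
    present = diagnose_import("bundled_script", [scripts])  # the path the XPC service should set
    cache_dir = redirect_bytecode_cache(os.path.join(root, "pycache"))
    pyc = compile_into_cache(module_file)
    return {
        "missing": missing,
        "present": present,
        "cache_dir": cache_dir,
        "pyc": pyc,
        "pyc_in_cache": pyc.startswith(cache_dir) and os.path.isfile(pyc),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In an embedded interpreter the same two checks apply: log sys.path right after Py_Initialize in the release build, and set PYTHONPYCACHEPREFIX (or sys.pycache_prefix) to a writable container directory instead of disabling bytecode altogether.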
NEMachServiceName failure to access after network extension upgrade
We have a product which uses a Network Extension (a socket filter and a packet content filter). The application contains the network extension, as well as an un-sandboxed LaunchDaemon which connects to the service at the NEMachServiceName. Occasionally, usually after an upgrade where the system extension is swapped for the new version, our un-sandboxed process isn't able to contact the network extension. From the logging, we receive the following XPC error in the unsandboxed process:

(libxpc.dylib) [com.apple.xpc:connection] [0x7fd6d0307f40] failed to do a bootstrap look-up: xpc_error=[3: No such process]

Eventually, we receive an invalidated callback on the XPC connection with the error "Couldn’t communicate with a helper application." We have confirmed that an appropriate service is running via the launchctl command, and the network extension process appears to have initialised correctly. We don't see any indication of a received connection at the Network Extension process, however (probably not surprising given the error). Once a system enters this state, repeated attempts to connect are unsuccessful and continue to produce the same error. We've also confirmed that there are no XPC codec exceptions apparent that might cause the connection to fail. I'm at a bit of a loss to explain why this failure might be occurring, other than a problem in the bootstrap/launchd being able to find the appropriate service. Is there possibly some problem with unsandboxed processes accessing the sandboxed network extension via XPC? They are both provisioned in an app group together. Is there possibly some issue where attempting to connect at a critical point during network extension installation causes it to become inaccessible? We've observed this specifically on macOS 14.5 (23F79); however, this is something we've noticed on other versions of macOS and our code. The problem isn't systematic, and systems end up in this state only occasionally.
We do seem to find some customers have more instances of this problem than others, but we haven't been successful at teasing out any common thread that might explain why.
3
0
771
Jul ’24
NSXPCConnection setCodeSigningRequirement: in sandbox works only with Developer ID signing
Hello, I use setCodeSigningRequirement: in a sandboxed XPCService and it seems that, no matter what, I always get errSecCSNoSuchCode[1] when the app is signed with a development certificate. The same application signed with Developer ID is fine. I use the following CSR for development-signed builds:

identifier com.example.app and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and certificate leaf[field.1.2.840.113635.100.6.1.12] exists

But I also tried to simplify to identifier com.example.app or just true. If I validate the CSR with codesign -R, I get "explicit requirement satisfied". I spotted this log line:

Sandbox: com.example.app(67058) deny(1) file-read-data /Users/(...)/example-app/build/arm64-mac/src/mac/app/Debug/Example App.app/Contents/MacOS/ExampleApp

So I disabled the sandbox for the XPCService and now everything works. But then why does the Developer ID signed build work with the XPCService sandboxed? ...or does it really? :) Just for completeness, the CSR which I use in production builds is:

identifier com.example.app and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = EXAMPLE
5
0
1k
Jun ’24
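Both the System Extension post (posix_spawn denied with process-exec*) and the post above (file-read-data denied on the app's own executable during the code-signing check) hinge on reading sandboxd denial records. The parser below is an added example, not code from either post: it turns lines of the shape `Sandbox: <process>(<pid>) deny(<n>) <operation> <target>` (and the bare `Violation: deny(...)` form the first post quoted) into records and counts denials per process and operation, which is the quickest way to see which entitlement or file-access rule a sandboxed process is missing. The sample lines are reconstructed from the two posts with placeholder paths, bundle IDs and pids.

```python
"""Parse sandbox denial lines from the unified log into triageable records.

Added example, not code from the posts.  SAMPLE_LOG is constructed: the
process names, pid and paths are placeholders in the format sandboxd writes.
"""
import re
from collections import Counter

DENY_RE = re.compile(
    r"^(?:Sandbox:\s+)?"                       # unified-log prefix, optional
    r"(?:(?P<proc>.+?)\((?P<pid>\d+)\)\s+)?"   # "Example App(67058) "; absent in "Violation:" lines
    r"(?:Violation:\s+)?"
    r"deny\((?P<level>\d+)\)\s+"
    r"(?P<op>[a-z][\w-]*\*?)\s+"               # file-read-data, process-exec*, mach-lookup, ...
    r"(?P<target>\S.*?)\s*$"                   # a path, or a Mach service name for mach-lookup
)

SAMPLE_LOG = """\
Sandbox: com.example.app(67058) deny(1) file-read-data /Users/alice/example-app/build/Debug/Example App.app/Contents/MacOS/ExampleApp
Sandbox: com.example.app(67058) deny(1) file-read-data /Users/alice/example-app/build/Debug/Example App.app/Contents/MacOS/ExampleApp
Violation: deny(1) process-exec* /private/var/root/Library/Containers/com.example.netext/Data/Documents/child-binary
Sandbox: Example App(67058) deny(1) mach-lookup com.example.helper
this line is not a sandbox record
"""


def parse_denial(line):
    """Return a dict for one denial line, or None if the line is not a denial."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "process": d["proc"],                     # None when the line carries no process name
        "pid": int(d["pid"]) if d["pid"] else None,
        "operation": d["op"],
        "target": d["target"],
        # Paths under a sandbox container are the ones the process could only
        # have reached through its own container grant; worth flagging when a
        # System Extension tries to exec something it dropped in Data/.
        "in_container": "/Library/Containers/" in d["target"],
    }


def summarize(lines):
    """Count denials per (process, operation); '?' stands for an unnamed process."""
    counts = Counter()
    for line in lines:
        rec = parse_denial(line)
        if rec:
            counts[(rec["process"] or "?", rec["operation"])] += 1
    return counts


def main():
    for rec in filter(None, map(parse_denial, SAMPLE_LOG.splitlines())):
        flag = " [container]" if rec["in_container"] else ""
        print(f"{rec['process'] or '?'}[{rec['pid']}] {rec['operation']} {rec['target']}{flag}")
    for (proc, op), n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:3d}  {proc}  {op}")


if __name__ == "__main__":
    main()
```

To feed it real data, pipe the output of `log show` or `log stream` filtered for "deny(" into `parse_denial` line by line; the per-operation counts point straight at the missing grant (process-exec for spawning a child, file-read-data on the executable for setCodeSigningRequirement's validation read).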
Unix Domain Socket, Network Framework and App Sandboxing
Dear Apple Developers, I am working on a macOS project where the container app acts as a server and communicates with a command-line program developed by my colleagues via a Unix domain socket. The macOS part was written using the new Network framework. Here is a snippet of the code:

let params = NWParameters()
let socketFile = URL(fileURLWithPath: socketPath)
params.defaultProtocolStack.transportProtocol = NWProtocolTCP.Options()
params.requiredLocalEndpoint = NWEndpoint.unix(path: socketFile.path)
params.allowLocalEndpointReuse = true
self.listener = try! NWListener(using: params)
listener?.newConnectionHandler = ...
listener?.start()

When my colleague's program needs to send data, it connects to the socket created by the macOS app, and the data is received perfectly, unless the macOS app is sandboxed. I have added outgoing and incoming connections entitlements to the macOS app. I tested my colleague's program both embedded in the macOS app and separately, ensuring to add the com.apple.security.inherit entitlement as well. However, it still doesn't work when the macOS app is sandboxed. The socket file's permission is srwxr-xr-x@ and it is located in the containers folder when sandboxed, and srwxr-xr-x in HOME/Library/Application Support/MyApp when not sandboxed. What could be going wrong? Does the Network framework support this use case, or do I need to revert to using AF_UNIX? Thank you for your assistance. Best regards.

P.S. My colleagues' program was written in Go, using the standard function

conn, err := net.Dial("unix", "socket_path_in_container")

It outputs an "invalid argument" error when the macOS app is sandboxed.
2
0
1.2k
Jun ’24
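One check a practitioner would run first on the post above, as an added example that is not the poster's or their colleague's code: on macOS, sockaddr_un.sun_path holds 104 bytes, and Go's syscall package returns EINVAL ("invalid argument") from net.Dial("unix", path) when the path is 104 bytes or longer, before any connection attempt is made. A socket under ~/Library/Application Support/MyApp fits easily; the same file name under ~/Library/Containers/<bundle id>/Data/Library/Application Support/MyApp can cross the limit, which matches the symptom appearing only when the app is sandboxed. Whether that is the actual cause here is not confirmed by the post; the container path and bundle identifier below are constructed, and the limit is a parameter because Linux allows 108.

```python
"""Check a Unix-domain socket path against sun_path and prove a short one works.

Added example, not code from the post.  CONTAINER_SOCKET and SUPPORT_SOCKET
are constructed paths; the bundle identifier is a placeholder.
"""
import os
import socket
import sys
import tempfile
import threading

SUN_PATH_DARWIN = 104   # sizeof(sockaddr_un.sun_path) on macOS
SUN_PATH_LINUX = 108    # on Linux, so the round-trip demo also runs there

CONTAINER_SOCKET = ("/Users/alice/Library/Containers/com.example.networking.MyApp"
                    "/Data/Library/Application Support/MyApp/control.sock")
SUPPORT_SOCKET = "/Users/alice/Library/Application Support/MyApp/control.sock"


def sun_path_fits(path, limit=SUN_PATH_DARWIN):
    """True when `path` plus its terminating NUL fits in sun_path.

    Go's SockaddrUnix check is `len(name) >= len(raw.Path)` -> EINVAL, i.e. the
    path must be strictly shorter than the buffer; the same rule is applied here.
    """
    return len(os.fsencode(path)) < limit


def echo_roundtrip(sock_path, payload):
    """Start a one-shot AF_UNIX echo server at sock_path, connect, return the echo."""
    limit = SUN_PATH_LINUX if sys.platform.startswith("linux") else SUN_PATH_DARWIN
    if not sun_path_fits(sock_path, limit):
        raise ValueError(f"{sock_path!r} does not fit in sun_path ({limit} bytes)")
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(sock_path)
    server.listen(1)

    def serve():
        conn, _ = server.accept()
        with conn:
            conn.sendall(conn.recv(4096))

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.connect(sock_path)
        client.sendall(payload)
        reply = client.recv(4096)
    finally:
        client.close()
        worker.join(timeout=5)
        server.close()
        os.unlink(sock_path)
    return reply


def demo():
    """Compare the two constructed paths and do a real round-trip on a short one."""
    tmp = tempfile.mkdtemp(prefix="uds-")
    short = os.path.join(tmp, "control.sock")
    reply = echo_roundtrip(short, b"hello from client")
    os.rmdir(tmp)
    return {
        "container_len": len(CONTAINER_SOCKET),
        "container_fits": sun_path_fits(CONTAINER_SOCKET),
        "support_len": len(SUPPORT_SOCKET),
        "support_fits": sun_path_fits(SUPPORT_SOCKET),
        "roundtrip": reply,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

If the container path is the problem, the fix is on the server side: create the socket at a short path the sandbox still allows (an App Group container is shorter than the app container, and both sides already share one when the client is embedded), and pass that path to the Go client.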
Any way to make NSWorkspace's showSearchResultsForQueryString work?
It fails in a sandboxed app. I found a couple of suggestions. One was to add an NSAppleEventsUsageDescription pair to the Info.plist so the user would be asked to grant permission for Apple events. But that never happens for showSearchResultsForQueryString. The next was to add the com.apple.security.temporary-exception.apple-events entitlement and provide com.apple.finder as the app. This DOES work, but Apple is rejecting my app because of it, even though I've said it's the only way to make showSearchResultsForQueryString work. I'm still waiting for them to tell me how to do it in a more correct way. This is obviously a bug, because an app should be able to use any NSWorkspace method without jumping through security hoops. Has anyone else found a way to make it work and get their app on the App Store?
7
0
778
Jul ’24
Sandboxed apps won't open 3rd-party filesystem files
I'm having trouble opening files residing on a custom filesystem implemented as a kext via sandboxed apps. Preview.app is one such example. The app launches, but it won't display file contents. In system log files I'm seeing entries related to com.apple.foundation.filecoordination:claims with no error messages to indicate a possible reason why file contents aren't being displayed. Non-sandboxed apps, such as GoogleChrome.app do not exhibit such behaviour. The kext is unsigned and running in an environment with SIP disabled and Security Mode reduced to Permissive. What is required for a 3rd party filesystem kext to integrate with sandboxed apps? Any pointers and/or assistance would be greatly appreciated.
10
2
1.3k
Jul ’24
MacOS sandbox file permissions
I am creating a new macOS application that requires access to files outside of the sandbox. It needs to be docked in a silent state and packaged using the Electron Builder application. I have configured the relevant permissions as com.apple.security.temporary-exception.files.absolute-path.read-only. It can be accessed normally in the local version of mas dev. The configuration parameters are as follows:

<key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
<array>
    <string>/Volumes/NO NAME/</string>
    <string>/Volumes/NO NAME 1/</string>
    <string>/Volumes/NO NAME 2/</string>
</array>

But during the review period of the App Store, some people said it was not of legal value. The following is the original statement:

Your application is not properly sandboxed, or it contains one or more rights with invalid values. Before resubmitting the new binary file, please review the included rights and sandbox documentation and resolve this issue.
com.apple.security.temporary-exception.files.absolute-path.read-only True

If there is a com.apple.security.temporary-exception.files.absolute-path.read-only authorization, will the App Store accept it? What do I need to do to access it?
3
0
1.4k
Jun ’24
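Four posts on this page were rejected by or worried about App Review over the same thing: the audio plug-in post (absolute-path.read-write to place a symlink under /Library), the Java autostart post (home-relative-path.read-write to ~/Library/LaunchAgents), the showSearchResultsForQueryString post (a temporary-exception.apple-events grant for com.apple.finder), and the post above (absolute-path.read-only on /Volumes). The audit below is an added example, not code from any of those posts: it loads an entitlements plist with plistlib, confirms the sandbox is actually enabled, lists every com.apple.security.temporary-exception.* key (each of which needs a justification in the review notes), and checks the shape of the path and bundle-identifier values those keys take. The sample plist is constructed from the keys the posts mention, with one deliberately malformed path. The value rules it applies (absolute paths start with "/", home-relative paths are given relative to the home directory and also start with "/", apple-events targets are bundle identifiers) are my reading of Apple's entitlement key reference, so treat them as assumptions rather than the reviewers' exact checklist.

```python
"""Audit a macOS App Sandbox entitlements plist before an App Store submission.

Added example; not code from any post on this page.  SAMPLE_ENTITLEMENTS is
constructed; the value rules are assumptions drawn from Apple's entitlement
key reference, not App Review's own criteria.
"""
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"
TEMP_EXCEPTION_PREFIX = "com.apple.security.temporary-exception."
PATH_EXCEPTIONS = (
    TEMP_EXCEPTION_PREFIX + "files.absolute-path.read-only",
    TEMP_EXCEPTION_PREFIX + "files.absolute-path.read-write",
    TEMP_EXCEPTION_PREFIX + "files.home-relative-path.read-only",
    TEMP_EXCEPTION_PREFIX + "files.home-relative-path.read-write",
)
APPLE_EVENTS_EXCEPTION = TEMP_EXCEPTION_PREFIX + "apple-events"

SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
    <array>
        <string>/Volumes/NO NAME/</string>
        <string>Volumes/NO NAME 1/</string>
    </array>
    <key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
    <array>
        <string>/Library/LaunchAgents/</string>
    </array>
    <key>com.apple.security.temporary-exception.apple-events</key>
    <array>
        <string>com.apple.finder</string>
    </array>
</dict>
</plist>
"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_entitlements(plist_bytes):
    """Return (severity, key, message) findings for an entitlements plist.

    severity is 'error' (will not pass as written), 'warn' (likely questioned)
    or 'review' (a temporary exception that needs a written justification).
    """
    ents = plistlib.loads(plist_bytes)
    findings = []
    if ents.get(SANDBOX_KEY) is not True:
        findings.append(("error", SANDBOX_KEY, "must be true for a Mac App Store build"))
    for key, value in ents.items():
        if not key.startswith(TEMP_EXCEPTION_PREFIX):
            continue
        findings.append(("review", key, "temporary exception: justify it in the App Review notes"))
        if key in PATH_EXCEPTIONS:
            for p in _as_list(value):
                if not isinstance(p, str) or not p.startswith("/"):
                    findings.append(("error", key, f"{p!r}: path must be a string starting with '/'"))
                elif "absolute-path" in key and p.startswith("/Users/"):
                    # Assumption: a per-user absolute path is the wrong tool; the
                    # home-relative-path variant expresses the same intent portably.
                    findings.append(("warn", key, f"{p!r}: use a home-relative-path exception instead"))
        elif key == APPLE_EVENTS_EXCEPTION:
            for target in _as_list(value):
                if not isinstance(target, str) or "." not in target:
                    findings.append(("error", key, f"{target!r}: expected a bundle identifier"))
    return findings


def main():
    for severity, key, message in audit_entitlements(SAMPLE_ENTITLEMENTS):
        print(f"{severity:6s} {key}: {message}")


if __name__ == "__main__":
    main()
```

Run it against the entitlements file you hand to Xcode (or the plist you extract from the signed bundle with codesign) before uploading; every "review" line is a paragraph you owe the reviewer, and an "error" line is a value that will come back as "invalid" regardless of the justification.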