sandboxed app with additional binaries in app bundle

Hello,


I am trying to submit my app for review but iTunes Connect shows me some sandboxing problems:


I have an app which contains several cli binaries in its resource folder. These binaries were built with different IDEs, for example one is built with xamarin, others are built as a different Xcode project by different maintainers.


My question: I thought these binaries would inherit the entitlements from the main app when launched from the main app.
Would it be sufficient to create an entitlement "com.apple.security.app-sandbox true" for each of these binaries or do they have to have the complete set of entitlements like network access and so on?


iTunes Connect tells me:


Dear Developer,

We identified one or more issues with a recent delivery for your app, "ezeep Connector for macOS" 12.2.8 (12.2.8). Please correct the following issues, then upload again.

ITMS-90296: App sandbox not enabled - The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/publish/ez.login.eas.mac", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/.thnumod", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnuchk", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnuclnt", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnuclntd", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnuconf", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnucups", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnurdp" )] Refer to App Sandbox page at https://developer.apple.com/devcenter/mac/app-sandbox/ for more information on sandboxing your app.

Best regards,

The App Store Team


regards,

Robert

Replies

They shouldn't be in the resources subdirectory. It looks like some kind of package installer, which probably should be in the App Store to begin with.

I have an app which contains several cli binaries in its resource folder.

john daniel is correct that these tools should not be nested in the Contents/Resources/ directory. You should place them in a directory that’s reserved for nested code (for helper tools this is Contents/MacOS/ or Contents/Helpers/). See my Signing a Mac Product For Distribution post for more packaging advice.

I thought these binaries would inherit the entitlements from the main app when launched from the main app.

If you launch the tool as a child process of your sandboxed app — using fork/exec, NSTask, and so on — the tool must have the com.apple.security.app-sandbox and com.apple.security.inherit entitlements and no others.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
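The rule in the reply above (child tool: app-sandbox plus inherit, nothing else), as an added Python example that is not from the thread or from Apple: it builds the entitlements plist to sign a helper with and checks an entitlements plist, such as the XML that `codesign -d --entitlements :- <tool>` prints, against that rule. The sample plists are constructed here; the function names are my own.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
INHERIT = "com.apple.security.inherit"

# The only two entitlements a tool launched via fork/exec or NSTask from a
# sandboxed app should carry (per the reply above); constructed sample.
CHILD_TOOL_ENTITLEMENTS = {SANDBOX: True, INHERIT: True}


def build_child_tool_entitlements() -> bytes:
    """Return the XML plist to pass to `codesign --entitlements` when
    signing a helper that inherits the parent app's sandbox."""
    return plistlib.dumps(CHILD_TOOL_ENTITLEMENTS, fmt=plistlib.FMT_XML)


def check_child_tool_entitlements(plist_xml: bytes) -> list[str]:
    """Return a list of problems (empty means OK) for a helper tool's
    entitlements plist, e.g. the output of `codesign -d --entitlements :-`."""
    ents = plistlib.loads(plist_xml)
    problems = []
    if ents.get(SANDBOX) is not True:
        # This is exactly what App Store review flags as ITMS-90296.
        problems.append(f"{SANDBOX} missing or not true (ITMS-90296)")
    if ents.get(INHERIT) is not True:
        problems.append(f"{INHERIT} missing or not true")
    for key in sorted(ents):
        # A child tool must not carry its own capability entitlements
        # (network, files, ...); it inherits the parent's sandbox instead.
        if key not in CHILD_TOOL_ENTITLEMENTS:
            problems.append(f"unexpected entitlement for a child tool: {key}")
    return problems


# Constructed counter-example: a helper signed with the main app's own
# entitlements (network client) instead of the inherit pair.
WRONG_ENTITLEMENTS = plistlib.dumps({
    SANDBOX: True,
    "com.apple.security.network.client": True,
})

if __name__ == "__main__":
    print(check_child_tool_entitlements(build_child_tool_entitlements()))  # []
    for problem in check_child_tool_entitlements(WRONG_ENTITLEMENTS):
        print("-", problem)
```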