sandboxed app with additional binaries in app bundle

Question

RobertWelz OP

Created Feb ’20

Replies 2

Boosts 0

Participants 3

Hello,

I am trying to submit my app for review but iTunes Connect shows me some sandboxing problems:

I have an app which contains several cli binaries in its resource folder. These binaries were build with different IDEs, for example one is built with xamarin, others are build as a different Xcode project from a different maintainers.

My question: I thought these binaries would inherit the entitlements from the main app when launched from the main app.
Would it be sufficient to create an entitlement "com.apple.security.app-sandbox true" for each of these binaries or do they have to have the complete set of entitlements like network access and so on?

iTunes Connect tells me:

Dear Developer,

We identified one or more issues with a recent delivery for your app, "ezeep Connector for macOS" 12.2.8 (12.2.8). Please correct the following issues, then upload again.

ITMS-90296: App sandbox not enabled - The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/publish/ez.login.eas.mac", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/.thnumod", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnuchk", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnuclnt", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnuclntd", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnuconf", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnucups", "com.thinprint.ezeep.Connector.pkg/Payload/ezeep Connector.app/Contents/Resources/thnuclnt/thnuclnt/x86_64-darwin/thnurdp" )] Refer to App Sandbox page at https://developer.apple.com/devcenter/mac/app-sandbox/ for more information on sandboxing your app.

Best regards,

The App Store Team

regards,

Robert

Boost

Answer 1

john daniel OP

Feb ’20

They shouldn't be in the resources subdirectory. It looks like some kind of package installer, which probably should be in the App Store to begin with.

1

Answer 2

DTS Engineer OP

Apple

Feb ’20

I have an app which contains several cli binaries in its resource folder.

john daniel is correct that these tools should not be nested in the

Contents/Resources/

directory. You should place them in a directory that’s reserved for nested code (for helper tools this is

Contents/MacOS/

or

Contents/Helpers/

). See my Signing a Mac Product For Distribution post for more packaging advice.

I thought these binaries would inherit the entitlements from the main app when launched from the main app.

If you launch the tool as a child process of your sandboxed app — using

fork

/

exec

,

NSTask

, and so on — the tool must have the

com.apple.security.app-sandbox

and

com.apple.security.inherit

entitlements and no others.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

1