Hi,
I'm trying to upgrade my app ready for the Mac App Store.
After a lot of battles with fitting command line tools into the code signing frameworks required (inside out code signing, etc.) I finally found a way forward. It has literally taken me two years.
Now I'm trying to get the app to run in sandbox.
I'm having trouble accessing shared memory.
The architecture is this: a Mac app with a bundled XPC service (the "build engine"), which in turn has bundled (signed) command-line tools that it runs.
The tools are in <XPC bundle>/Contents/MacOS as they should be and are code signed manually by a script I wrote with the hardened runtime option and with entitlements like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>DELETED FOR PRIVACY</string>
</array>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.device.serial</key>
<true/>
<key>com.apple.security.device.usb</key>
<true/>
<key>com.apple.security.get-task-allow</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
</dict>
</plist>
The same entitlements are used for both the XPC service and its bundled command-line tools.
The XPC service passes data to the command line tools using shared memory. This should be possible in a sandboxed app with the use of application groups?
The error in the log is like this...
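As an added illustration (this is not code from the original post), here is the shape of the shared-memory handoff the post describes, written with POSIX shm_open/mmap. App Sandbox requires that POSIX shared memory shared between app-group members be named with the app group identifier followed by a slash, and macOS rejects POSIX shared-memory names longer than PSHMNAMLEN (31 bytes) with ENAMETOOLONG, a limit that a "TEAMID.reverse-dns" group id plus a slash and a tag can easily exceed, so the example checks the name length before calling shm_open. The group id, the "job" tag and the message are placeholders; the fork() stands in for the XPC service spawning one of its tools.

```c
/* glibc only declares shm_open/ftruncate under a feature macro; Apple's
   headers do not need one. Must come before any #include. */
#if !defined(__APPLE__) && !defined(_DEFAULT_SOURCE)
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* macOS rejects POSIX shared-memory names longer than PSHMNAMLEN (31 bytes)
   with ENAMETOOLONG; the mandatory app-group prefix eats into that budget. */
#define MACOS_SHM_NAME_MAX 31

/* Sandboxed processes must name group-shared memory "<app group id>/<tag>".
   Returns 0 and fills out, or -1 (errno ENAMETOOLONG) if over the limit. */
int build_group_shm_name(const char *group_id, const char *tag,
                         char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", group_id, tag);
    if (n < 0 || (size_t)n >= outlen || n > MACOS_SHM_NAME_MAX) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Producer (the XPC service): create the segment and copy the message in.
   Returns 0 on success, -1 with errno set. */
int publish_message(const char *name, const char *msg, size_t len)
{
    int fd = shm_open(name, O_CREAT | O_RDWR, 0600);
    if (fd < 0)
        return -1;
    if (ftruncate(fd, (off_t)len) < 0) {
        close(fd);
        return -1;
    }
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);
    if (p == MAP_FAILED)
        return -1;
    memcpy(p, msg, len);
    munmap(p, len);
    return 0;
}

/* Consumer (the command-line tool): map read-only and copy out at most
   buflen bytes. Returns bytes copied, or -1 with errno set. */
ssize_t read_message(const char *name, char *buf, size_t buflen)
{
    int fd = shm_open(name, O_RDONLY, 0);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    size_t len = (size_t)st.st_size < buflen ? (size_t)st.st_size : buflen;
    void *p = mmap(NULL, len, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);
    if (p == MAP_FAILED)
        return -1;
    memcpy(buf, p, len);
    munmap(p, len);
    return (ssize_t)len;
}

int main(void)
{
    /* Placeholder group id; a real one is "<TEAMID>.<reverse-dns name>" and
       must match the com.apple.security.application-groups entitlement. */
    const char *group_id = "ABCDE12345.example";
    char name[64];
    if (build_group_shm_name(group_id, "job", name, sizeof name) < 0) {
        perror("build_group_shm_name");
        return 1;
    }
    const char msg[] = "build target=Release";   /* constructed sample */
    if (publish_message(name, msg, sizeof msg) < 0) {
        perror("publish_message");
        return 1;
    }
    pid_t pid = fork();                          /* stands in for spawning the tool */
    if (pid == 0) {
        char buf[64] = {0};
        if (read_message(name, buf, sizeof buf - 1) < 0) {
            perror("read_message");
            _exit(1);
        }
        printf("tool read: %s\n", buf);
        _exit(0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    shm_unlink(name);                            /* producer owns cleanup */
    return pid < 0 ? 1 : WEXITSTATUS(status);
}
```

With com.apple.security.inherit the spawned tool keeps the parent's sandbox, so both sides resolve the same group-prefixed name. The "group id/tag" form is macOS-specific: Linux's shm_open rejects a slash after the leading one, so on Linux run the round trip with a plain name such as /xpc_shm_example instead.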