Is there any way to disable sandboxing/notarization/codesigning on an existing app? (already built)

Crazy question, but it came from a friend now working at a different company and I wanted to make sure I'm not telling him the wrong thing. I said "no," but I'm not 100% sure and I can't find anything online about it.

He wants to take his own sandboxed build and disable sandboxing/notarization/codesigning on it (POSTFACTO) for testing some issue he's working on. I spent a half hour on the phone trying to understand why, but I still don't get it.

Crazy or not, it's an interesting question, so I thought I'd float it here.

He wants to take his own sandboxed build and disable sandboxing/notarization/codesigning on it

These three things are different, and so the answers vary. I’m going to tackle them one at a time, and out of order (-:

  • Code signing — It’s possible to remove a code signature (using codesign with the --remove-signature argument) but that’s generally not a good idea. Rather, you would normally change the code signature to be the way you want it to be by re-signing the app (replacing the old signature using the -f argument).

    Be aware that if your app uses entitlements that are authorised by a provisioning profile, your re-signing with a different signing identity or a different App ID entitlement will also require a new profile.

  • App Sandbox — The sandbox is controlled by an entitlement. The entitlements are part of the code signature. If you re-sign the app, you can change them at will.

    If you re-sign an app to disable the App Sandbox it’s likely to continue working. Not so much if you try going the other way (-:

  • Notarisation — Notarisation isn’t something you enable but rather something you do. When you build a product for distribution, you send it to Apple to notarise. The resulting ticket is keyed to your code signature (specifically, the code directory hash, aka cdhash, in your code signature). If you re-sign an app you get a new cdhash and thus you would have to notarise it again. That’s not really “disabling notarisation” per se, but it has kinda the same effect.

For more background on this stuff, see:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks, Quinn.

"The entitlements are part of the code signature. If you re-sign the app, you can change them at will."

How is this done on an already-compiled (re-signed) app though?

There is no entitlements file in the app bundle to delete/edit.

How is this done on an already-compiled (re-signed) app though? There is no entitlements file in the app bundle to delete/edit.

The .entitlements file is an input to the code signing machinery. It doesn’t actually ship with the resulting code. Rather, the entitlements end up getting baked into the code signature.

I'm getting an empty response from codesign -d --entitlements :- PATHTOAPP. Is that sufficient to know that it's out of the sandbox … ?

Yes. A sandboxed app will show something like this:

% codesign -d --entitlements - /Applications/PCalc.app
Executable=/Applications/PCalc.app/Contents/MacOS/PCalc
[Dict]
[Key] com.apple.security.app-sandbox
[Value]
[Bool] true

Note that modern versions of codesign don’t render the entitlements as XML. To do that, add the --xml flag. And then run the result through a pretty printer:

% codesign -d --entitlements - --xml /Applications/PCalc.app | plutil -convert xml1 -o - -
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
</dict>
</plist>

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
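
A scripted version of the check described in the reply above, as an added example that is not part of the original thread: it classifies the output of `codesign -d --entitlements -` in either the bracketed text rendering or the `--xml` rendering, and treats empty output as "no entitlements". The function names and the sample inputs are constructed for illustration; the text parser assumes the `[Key]`/`[Bool]` layout quoted in the thread.

```python
import plistlib
import subprocess

SANDBOX_KEY = "com.apple.security.app-sandbox"  # key shown in the thread

def read_entitlements(app_path: str) -> bytes:
    """Run the thread's command (macOS only); stdout carries the entitlements."""
    cmd = ["codesign", "-d", "--entitlements", "-", "--xml", app_path]
    return subprocess.run(cmd, capture_output=True, check=True).stdout

def parse_entitlements(raw: bytes) -> dict:
    """Parse codesign entitlement output in XML or bracketed text form."""
    data = raw.strip()
    if not data:
        return {}  # empty output: the signature carries no entitlements
    start = data.find(b"<?xml")
    if start != -1:
        return plistlib.loads(data[start:])  # --xml rendering
    # Text rendering: "[Key] name", "[Value]", "[Bool] true".
    # Only boolean entitlements are collected; other value types are skipped.
    found, key = {}, None
    for line in data.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if line.startswith("[Key] "):
            key = line[len("[Key] "):]
        elif line.startswith("[Bool] ") and key is not None:
            found[key] = line[len("[Bool] "):] == "true"
            key = None
    return found

def is_sandboxed(raw: bytes) -> bool:
    """True only when the sandbox entitlement is present and set to true."""
    return parse_entitlements(raw).get(SANDBOX_KEY) is True

# Constructed samples modelled on the output quoted in the thread.
TEXT_SAMPLE = b"""Executable=/Applications/PCalc.app/Contents/MacOS/PCalc
[Dict]
[Key] com.apple.security.app-sandbox
[Value]
[Bool] true
"""
XML_SAMPLE = (b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
              b"<key>com.apple.security.app-sandbox</key><true/></dict></plist>")

if __name__ == "__main__":
    for name, sample in [("text", TEXT_SAMPLE), ("xml", XML_SAMPLE), ("empty", b"")]:
        print(name, is_sandboxed(sample))
```

On a Mac, `is_sandboxed(read_entitlements(path))` applies the same test to a real bundle, which is useful as a build-pipeline check that a re-signed app still carries the entitlements you expect.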
