Need custom file access for developer tool. What can I do?

Hi,

I have a developer tool that often needs access to files outside of the file the user has selected. For example, they can easily select a file that contains a reference to an include file NOT in the current folder or a descendant. But I still need access to that file.

How do I handle this, on the latest version of macOS? Right now it just fails to give me access to the file, making it look like our Mac version is WAY BEHIND the Windows version.

Oh, and this needs to be in the App Store eventually, but right now I need it to be available outside of it, so I have to use my Developer ID and notarize it. I think I've got all of that nailed down, but I'm still having file permission issues.

My entitlements currently (which don't work):

    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>

Thank you, -Chilton

Replies

For example, they can easily select a file that contains a reference to an include file NOT in the current folder or a descendent.

A key decision point here is whether you’re sandboxing your app. With the sandbox disabled, there should be no roadblocks to you solving this in the most obvious way. With the sandbox enabled, things get trickier.

The canonical way to solve this in a sandboxed app is to not reference these files using a path but instead reference them using a document-relative security-scoped bookmark. You can then resolve that bookmark to gain access to the file.

However, this approach has significant caveats. The main one is that it only works if these documents are built with your app. If you want to work with documents created by other apps, and specifically with documents created on other platforms, you can’t really use the bookmark approach.

ps You wrote:

My entitlements currently

You’re disabling key elements of the hardened runtime:

  • com.apple.security.cs.disable-library-validation

  • com.apple.security.cs.disable-executable-page-protection

I recommend against doing that without very good reason. Specifically:

  • Disabling library validation makes it harder to pass Gatekeeper. Only do that if you need to load in-memory plug-ins from other third-party developers.

  • Disabling executable page protection is never a good option. If your app needs to JIT code, use com.apple.security.cs.allow-jit.

Regardless, none of these have any impact on the sandbox.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
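The document-relative security-scoped bookmark flow described in the reply above, as an added example that is not part of the original thread and not Apple sample code. It assumes the app is sandboxed with the com.apple.security.files.bookmarks.document-scope entitlement in addition to the ones already listed, and that both documentURL and includeURL were obtained through a user selection (NSOpenPanel or drag and drop), so the sandbox already grants access to them at the moment the bookmark is created. The function names are hypothetical.

```swift
import Foundation

// Added example: storing a reference to an include file as a document-relative
// security-scoped bookmark instead of a path, then resolving it later.
// Assumptions (not from the thread): entitlements include
// com.apple.security.app-sandbox and
// com.apple.security.files.bookmarks.document-scope, and both URLs below
// came from a user selection so the app currently has access to them.

enum IncludeBookmarkError: Error {
    case accessDenied(URL)
}

/// Creates a bookmark to `includeURL` that can only be resolved relative to
/// `documentURL`. Persist the returned bytes inside the document itself; a
/// plain path would not survive the sandbox on the next launch.
func makeIncludeBookmark(for includeURL: URL, relativeTo documentURL: URL) throws -> Data {
    try includeURL.bookmarkData(
        options: [.withSecurityScope],
        includingResourceValuesForKeys: nil,
        relativeTo: documentURL
    )
}

/// Resolves a stored bookmark and runs `body` while the include file is
/// readable. If the system reports the bookmark as stale, a refreshed
/// bookmark is returned so the caller can write it back into the document.
@discardableResult
func withIncludeFile<T>(
    bookmark: Data,
    relativeTo documentURL: URL,
    _ body: (URL) throws -> T
) throws -> (result: T, refreshedBookmark: Data?) {
    var isStale = false
    let includeURL = try URL(
        resolvingBookmarkData: bookmark,
        options: [.withSecurityScope],
        relativeTo: documentURL,
        bookmarkDataIsStale: &isStale
    )

    // In a sandboxed app a false return means the bookmark no longer carries
    // access (for example, the document was produced by another app, which is
    // the caveat in the reply); the only recovery is to ask the user to pick
    // the file again.
    guard includeURL.startAccessingSecurityScopedResource() else {
        throw IncludeBookmarkError.accessDenied(includeURL)
    }
    defer { includeURL.stopAccessingSecurityScopedResource() }

    let result = try body(includeURL)

    // A stale bookmark still resolved this time; re-create it while access is
    // held so the next resolution does not fail.
    let refreshed: Data? = isStale
        ? try makeIncludeBookmark(for: includeURL, relativeTo: documentURL)
        : nil
    return (result, refreshed)
}

// Usage sketch, assuming `documentURL` and `includeURL` came from NSOpenPanel:
//
//   let bookmark = try makeIncludeBookmark(for: includeURL, relativeTo: documentURL)
//   // ... store `bookmark` in the document's own data ...
//   let (text, refreshed) = try withIncludeFile(bookmark: bookmark,
//                                               relativeTo: documentURL) { url in
//       try String(contentsOf: url, encoding: .utf8)
//   }
//   if let refreshed { /* write the refreshed bookmark back into the document */ }
```

The bookmark bytes are tied to the document they were created against, so they must travel with that document; this is why the reply notes the approach only works for documents your own app wrote. Every startAccessingSecurityScopedResource call must be balanced by a stopAccessingSecurityScopedResource call, which the defer above guarantees even if `body` throws.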

  • I really want to do this the "right" way since I'm well, a Mac developer and this app is written on a Mac :)

    -Chilton


I am currently experiencing a problem where it appears that some of my plugins are not loading in the main app. Third party plugins are working just fine.

Of course everything works fine on my system. It only fails on the test system with no debugger.

I'm looking through your other documentation now.

-Chilton