My mac app with sandboxed QuickLook extension was rejected from App Store Connect

Question

Created Dec ’23

Replies 2

Boosts 0

Participants 2

I am creating a MacOS app embedding the QuickLook extension in it. The other day, I uploaded it to App Store Connect and had it reviewed.

But it was rejected due to the following reason.

Your app incorrectly implements sandboxing, or it contains one or more entitlements with invalid values. Please review the included entitlements and sandboxing documentation and resolve this issue before resubmitting a new binary.

com.apple.security.temporary-exception.files.absolute-path.read-only /

This entitlement is also included in my app's meta data on my account page of App Sore Connect. Including it, I can find the following two entitlements related to "temporary-exception" in the meta data.

com.apple.security.temporary-exception.files.absolute-path.read-only: ( "/" )
com.apple.security.temporary-exception.mach-lookup.global-name: ( "com.apple.testmanagerd", "com.apple.dt.testmanagerd.runner", "com.apple.coresymbolicationd" )

To tell the truth, about Sandbox entitlements for QuickLook extension, what I intentionally set on the Xcode project are the next two items only. And actually I have not ever recognized that the entitlements related to "temporary-exception" above are included in my app's bundle.

com.apple.security.app-sandbox: true
com.apple.security.files.user-selected.read-only: true

I think these "temporary-expection" entitlements are essential ones for the QuickLook extension and it looks like that Xcode automatically attached them in the process of creating app's build. If they are forced to be attached by getting the QuickLook extension sandboxed, I don't know what I should do.

Although I explained my thought to the reviewer, but I could not change the situation. Is there no way to get solution besides removing the QuickLook extension from my app ?

Boost

Answer 1

DTS Engineer OP

Apple

Dec ’23

I don’t work for App Review, and thus can’t make definitive statements on their behalf, but my experience is that they take a very dim view of folks using temporary exception entitlements.

I think these "temporary-expection" entitlements are essential ones for the QuickLook extension

That’s not my understanding.

and it looks like that Xcode automatically attached them in the process of creating app's build.

I tested that today and see no evidence for it. Specifically, I created a new project from the macOS > App template, then added a macOS > Quick Look, then built the app and dumped its entitlements:

% codesign -d --ent - Test742984.app 
…
[Dict]
	[Key] com.apple.security.app-sandbox
	[Value]
		[Bool] true
	[Key] com.apple.security.files.user-selected.read-only
	[Value]
		[Bool] true
	[Key] com.apple.security.get-task-allow
	[Value]
		[Bool] true
% codesign -d --ent - Test742984.app/Contents/PlugIns/Test742984Preview.appex 
…
[Dict]
	[Key] com.apple.security.app-sandbox
	[Value]
		[Bool] true
	[Key] com.apple.security.files.user-selected.read-only
	[Value]
		[Bool] true
	[Key] com.apple.security.get-task-allow
	[Value]
		[Bool] true

There’s no sign of this temporary exception entitlement.

The reference to com.apple.testmanagerd suggests that you are perhaps shipping some bit of test infrastructure with your app.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

YasuHRI OP

Dec ’23

I looked over my app's bundle locally using the codesign command which you showed me. I have not ever used that command, but thanks to it I could see details of the bundle's entitlements for several defferent cases.

I agree with your opinion that "temporary-expection" entitlements do not result from the QuickLook extension.

What I did and learned is that:

In spite of removing the QuickLook extension from my app, the "temporary-expection" entitlements remained in the bundle after building my app. (Build configration: Rerease) Next, changing the build configration to Debug and building the same app, the odd ones were cleared. (In both, the same certification was used for code signing.)

From these things, I think there might be wrong settings in the Release configration of the Xcode project file.

Thank you very much for your useful advice.

I might be going to struggle to this issue for a while.

0