Embedding a command-line tool in a sandboxed app for NativeMessaging

When following this guide https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app I cannot run the embedded binary.

I'm getting this error: "zsh: trace trap"

I would like to be able to use the embedded binary for NativeMessaging with, for example, Chrome, but I can't figure out how to allow it to be executable even with sandboxing enabled.

How are Strongbox able to do this with their afproxy executable?

Answered by DTS Engineer in 787034022

When following this guide … I cannot run the embedded binary.

Are you trying to run this tool from your app, by spawning a child process?

Or are you trying to run it from the shell?

That matters because of sandbox inheritance:

  • If you want to run the tool as a child of your app, you must sign your code with both the com.apple.security.app-sandbox and com.apple.security.inherit entitlements, as described in that doc.

  • If you want to run the tool from a shell, you must sign it with com.apple.security.app-sandbox only.

The latter is tricky, because you have to give your tool a bundle ID so the system knows how to create its container. You can do this in one of two ways:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
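
The two signing cases in the answer above, as an added example that is not part of the original thread: a POSIX shell check that reads an XML entitlements plist and reports which launch mode it fits. The function names, file names and the `neither`/`unsandboxed` labels are assumptions made for this example; only the two entitlement keys come from the answer.

```shell
#!/bin/sh
# Added example (not from the thread): report which launch mode a helper
# tool's entitlements fit. Function and file names are constructed.

# has_true FILE KEY: print "true" if KEY's value in an XML plist is <true/>.
has_true() {
    awk -v key="<key>$2</key>" '
        !found { i = index($0, key); if (!i) next
                 found = 1; $0 = substr($0, i + length(key)) }
        { sub(/^[ \t\r]+/, ""); if ($0 == "") next   # value is on a later line
          if ($0 ~ /^<true *\/>/) print "true"
          exit }                                      # any other value: not set
    ' "$1"
}

# classify_entitlements FILE: print child | shell | neither | unsandboxed.
classify_entitlements() {
    sandbox=$(has_true "$1" com.apple.security.app-sandbox)
    inherit=$(has_true "$1" com.apple.security.inherit)
    if [ "$sandbox" = true ] && [ "$inherit" = true ]; then
        echo child        # fits a tool spawned by the sandboxed app
    elif [ "$sandbox" = true ]; then
        echo shell        # fits a tool run from a shell (also needs a bundle ID)
    elif [ "$inherit" = true ]; then
        echo neither      # inherit without app-sandbox matches neither case
    else
        echo unsandboxed  # no sandbox entitlement at all
    fi
}

# write_entitlements FILE KEY...: write a constructed plist with each KEY true.
write_entitlements() {
    out=$1; shift
    {
        echo '<?xml version="1.0" encoding="UTF-8"?>'
        echo '<plist version="1.0"><dict>'
        for k in "$@"; do printf '  <key>%s</key>\n  <true/>\n' "$k"; done
        echo '</dict></plist>'
    } > "$out"
}

# Constructed sample input: one plist per case described in the answer.
tmp=$(mktemp -d)
write_entitlements "$tmp/child.plist" com.apple.security.app-sandbox com.apple.security.inherit
write_entitlements "$tmp/shell.plist" com.apple.security.app-sandbox
for f in "$tmp"/*.plist; do
    printf '%s: %s\n' "${f##*/}" "$(classify_entitlements "$f")"
done
rm -rf "$tmp"
```

On macOS, `codesign -d --entitlements - --xml <tool>` prints a signed tool's entitlements in the XML form this check reads.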
