Helper-Tool of an App has no Access to Files

To quote the documentation for the

com.apple.security.inherit

entitlement in Entitlement Key Reference:

This property causes the child process to inherit only the static rights defined in the main app’s entitlements file, not any rights added to your sandbox after launch (such as PowerBox access to files).

.

If you need to provide access to files opened after launch, you must either pass the data to the helper or pass a bookmark to the child process. The bookmark need not be a security-scoped bookmark, but it can be, if desired.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

How do I transfer the Bookmark to the CLI-Helper-Tool?

A bookmark is just an

NSData

object (

Data

in Swift), which models an arbitrary sequence of bytes. You can transfer that to your tool via whatever channel you’re using for communication between your app and your tool. If, for example, you want to pass it via a command line argument, you could write the bookmark to a temporary file and then pass your tool the path to that file.

Note Because temporary files are in a part of the file system that’s accessible via a static right, your tool will be able to access it based on

com.apple.security.inherit

.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

So, is there a way to wrap a generic Unix app in something that would receive such a bookmark, enable the child process to access the file, and then launch the helper with that file’s path in its command line arguments?

Are you concerned about:

• Just files? Or directory hierarchies as well?

• Inputs? Or outputs? Or both?

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"