Is there a shorthand way of referring to "apps that are distributed through the App Store apps"
Mac App Store apps.
and "apps that are not distributed through the App Store"?
Developer ID apps.
Still voting for a flag in the entitlements.plist to tell the system to log entitlement violations as they occur and detail what exact entitlement is missing.
Voting with Radar? Or voting here? Because the former is more likely to receive the attention of the engineering team responsible.
Having said that, there is already a fairly comprehensive sandbox violation reporting mechanism. To see such violations, run the Console app and set up a search for log entries with the subsystem of com.apple.sandbox.reporting and the category of violation.
This isn’t exactly what you want, for a couple of reasons:
It just reports the violation and doesn’t tell you exactly what entitlement you need.
It only reports sandbox violations, which won’t help if your app is not sandboxed. Hardened runtime violations are also reported in the system log, but they are harder to spot.
Reporting the entitlement is tricky because of the interaction between layers in the system. However, it’s still reasonable to file an enhancement request for the features you’d like to see. I encourage you to include specific examples in your bug report, that is, create a test project that deliberately violates these restrictions, show how that’s reflected in the system log, and then explain how you’d like to see that improved.
Please post any bug numbers here, just for the record.
Let me see if I am understanding.
Your statements are essentially correct but there are some points I’d like to clarify:
You wrote:
sandbox=false
You would never do this. If you want to create an app that’s not sandboxed, you would simply not include the com.apple.security.app-sandbox entitlement at all. Including it, but set to false, should work but it’s definitely not the well-trodden path and it’s possible there might be some pitfalls on the way.
Your analysis assumes that there are only two possibilities, Mac App Store apps, which are sandboxed, and Developer ID apps, which are not. The other two options also exist:
It’s possible to have a Mac App Store app that’s not sandboxed. App Review requires that all new apps be sandboxed, but there’s still a bunch of non-sandboxed apps in the store.
It’s also possible, indeed recommended, for a Developer ID app to opt in to sandboxing. Most Developer ID apps don’t do this, but there are some exceptions.
So if I understand correctly, a hardened [Developer ID] app that includes the codesign terminal command --option=runtime, can read and write to any disk files with an entitlements file of:
Yes. However, per my first bullet above, I would leave off the com.apple.security.app-sandbox entitlement because the default is false.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
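Added example, not part of the original post and not Apple's code: a small check over an entitlements plist that separates the three cases the reply discusses for com.apple.security.app-sandbox (absent, true, and present but false). The function name, the note strings and the sample plists are constructed for illustration.

```python
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"

def sandbox_status(plist_bytes):
    """Return (sandboxed, note) for the raw bytes of an entitlements plist."""
    try:
        ents = plistlib.loads(plist_bytes)
    except Exception as exc:  # plistlib raises several types on bad input
        raise ValueError(f"not a valid plist: {exc}") from exc
    if not isinstance(ents, dict):
        raise ValueError("top level of an entitlements plist must be a dict")
    if SANDBOX_KEY not in ents:
        return False, "key absent: not sandboxed (the default)"
    value = ents[SANDBOX_KEY]
    if value is True:
        return True, "sandboxed"
    if value is False:
        return False, "key present but false: not sandboxed; drop the key"
    raise ValueError(f"{SANDBOX_KEY} must be a boolean, got {type(value).__name__}")

# Constructed sample inputs (not taken from any real app).
SAMPLES = {
    "absent": plistlib.dumps({}),
    "true": plistlib.dumps({SANDBOX_KEY: True}),
    "false": plistlib.dumps({SANDBOX_KEY: False}),
    # A string where a boolean belongs, written out as literal XML.
    "string": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><string>false</string>
</dict></plist>""",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        try:
            print(name, sandbox_status(data))
        except ValueError as err:
            print(name, "error:", err)
```

Run against the project's entitlements file before signing, this flags the "included but set to false" case so the key can be removed rather than shipped.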