Presumably your helper tool is signed with
com.apple.security.inherit
so that it inherits its sandbox from its parent. If so, you’re running into a limitation of sandbox inheritance, namely that it only inherits the static sandbox. To quote the docs:
Note: This property causes the child process to inherit only the static rights defined in the main app’s entitlements file, not any rights added to your sandbox after launch (such as PowerBox access to files).
If you need to provide access to files opened after launch, you must either pass the data to the helper or pass a bookmark to the child process. The bookmark need not be a security-scoped bookmark, but it can be, if desired.
In situations like this I generally have the helper work entirely within my app’s container and then, when it’s done, have the main app move (or copy) the results to where they need to be.
ps If you respond back again, please answer my question about whether you plan to deploy via the Mac App Store or not.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
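The "pass a bookmark to the child process" route from the answer above, as an added Swift example that is not part of the original thread and not Apple's or Quinn's code. Everything here is assumed for illustration: the `makeBookmark`, `runHelper` and `withBookmarkedFile` names, the `--helper` flag used to select the role, and stdin as the transport (an XPC request or a launch argument would do equally well). It uses a security-scoped bookmark, which the answer says is optional; minting one needs the app to hold a bookmark entitlement such as `com.apple.security.files.bookmarks.app-scope`, so drop `.withSecurityScope` on both sides if you rely on the plain bookmark the answer describes.

```swift
import Foundation

// One source file shows both halves; in a real product the app and the
// helper are separate executables, the helper signed with
// com.apple.security.inherit so it shares the parent's static sandbox.

/// Main app side. `url` came from NSOpenPanel (PowerBox), so only the
/// parent holds that dynamic right; a bookmark is how it gets handed on.
/// (Assumed helper name; .withSecurityScope is optional per the answer.)
func makeBookmark(for url: URL) throws -> Data {
    try url.bookmarkData(options: [.withSecurityScope],
                         includingResourceValuesForKeys: nil,
                         relativeTo: nil)
}

/// Main app side. Launch the helper and write the bookmark to its stdin,
/// base64-encoded so a newline can terminate it. Returns the exit status.
func runHelper(at helperURL: URL, passing bookmark: Data) throws -> Int32 {
    let proc = Process()
    proc.executableURL = helperURL
    proc.arguments = ["--helper"]        // assumed role flag
    let input = Pipe()
    proc.standardInput = input
    try proc.run()
    input.fileHandleForWriting.write(Data((bookmark.base64EncodedString() + "\n").utf8))
    try input.fileHandleForWriting.close()
    proc.waitUntilExit()
    return proc.terminationStatus
}

/// Helper side. Resolve the bookmark, start scoped access, run `body`, and
/// always stop access again. A stale bookmark means the file moved; the
/// helper has no PowerBox of its own, so it reports that and leaves
/// re-minting to the parent.
func withBookmarkedFile<T>(_ bookmark: Data, _ body: (URL) throws -> T) throws -> T {
    var isStale = false
    let url = try URL(resolvingBookmarkData: bookmark,
                      options: [.withSecurityScope],
                      relativeTo: nil,
                      bookmarkDataIsStale: &isStale)
    if isStale {
        FileHandle.standardError.write(Data("bookmark is stale; parent should re-mint it\n".utf8))
    }
    // Check the Bool: false means the sandbox refused the extension, and
    // reading anyway would just fail with EPERM further down.
    guard url.startAccessingSecurityScopedResource() else {
        throw CocoaError(.fileReadNoPermission)
    }
    defer { url.stopAccessingSecurityScopedResource() }
    return try body(url)
}

/// Helper entry point: read one base64 line from stdin and use the file.
func helperMain() -> Int32 {
    let raw = FileHandle.standardInput.readDataToEndOfFile()
    guard let text = String(data: raw, encoding: .utf8),
          let bookmark = Data(base64Encoded: text.trimmingCharacters(in: .whitespacesAndNewlines))
    else { return 64 }                    // EX_USAGE: no usable bookmark
    do {
        let count = try withBookmarkedFile(bookmark) { url in try Data(contentsOf: url).count }
        print("helper read \(count) bytes")
        return 0
    } catch {
        FileHandle.standardError.write(Data("helper: \(error)\n".utf8))
        return 1
    }
}

if CommandLine.arguments.contains("--helper") {
    exit(helperMain())
} else {
    // Parent side. In the real app `picked` is the NSOpenPanel result; the
    // command-line path here is a stand-in for running this file directly.
    let picked = URL(fileURLWithPath: CommandLine.arguments.dropFirst().first ?? "/tmp/example.txt")
    let status = try runHelper(at: URL(fileURLWithPath: CommandLine.arguments[0]),
                               passing: makeBookmark(for: picked))
    print("helper exited with \(status)")
}
```

The parent must keep the `NSOpenPanel` URL alive only long enough to mint the bookmark; after that the bookmark itself carries the right, which is why the helper can resolve it even though the PowerBox grant was never part of the helper's static entitlements. The `startAccessingSecurityScopedResource()` return value is the check that most code skips: if it is `false`, the sandbox did not extend access and the helper should fail loudly rather than fall through to a confusing permission error.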