entitlements.plist file in productbuild

I have a bundle file called xxxx.app that works with productbuild to produce xxxx.pkg file and the resulting application works well on my computer. However, attempts to upload it to Apple using Application Loader produce the following message:


ERROR ITMS-90296: "App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "xxxx.pkg/Payload/xxxx.app/Contents/MacOS/xxxx" )] Refer to App Sandbox page at https://developer.apple.com/devcenter/mac/app-sandbox/ for more information on sandboxing your app.”


I also have a file called entitlements.plist that includes for the sandboxing: com.apple.security.app-sandbox. I have tried including this in the xxxx.app bundle under Contents and also Contents/Resources but it does not seem to make any difference.

How should the entitlements be incorporated in the productbuild?

The help documents mentioned in the error message do not seem to address this question.

Any suggestions would be appreciated.

Accepted Reply

Your entitlements property list file is not meant to be included in your final build product. Rather, it’s an input to the code signing machinery. If you enable the App Sandbox in the standard way (via the Capabilities tab of the target editor in Xcode), you’ll find that it a) adds the entitlements property list file, and b) sets the Code Signing Entitlements (CODE_SIGN_ENTITLEMENTS) build setting to point to that file. Then, when you build your app, you’ll see in the build log two steps, Process product packaging and Sign, that process that file and then use it as part of your code signing.

Finally, to check the actual entitlements of a binary, do this:

$ codesign -d --entitlements :- /path/to/binary

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

Mighty Quinn

Thank you Eskimo for a prompt response to my question. I was not able to enable the App Sandbox in the standard way. Nevertheless, your response was helpful. Your description of the code signing machinery gave me some pointers as to what I should try.

The codesign option --entitlements also seemed to work with --sign and solved my immediate problem.

Thank you

Xsec
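
The check from the accepted reply, scripted as a gate to run before upload (an added example, not part of the original thread; the function names and the sample plists are constructed here). It parses the XML printed by `codesign -d --entitlements :-` and confirms the sandbox key is a Boolean true, which is what ITMS-90296 asks for:

```python
import plistlib
import subprocess
import sys

SANDBOX_KEY = "com.apple.security.app-sandbox"  # key named in ITMS-90296

# Constructed sample entitlements, not taken from a real app.
GOOD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
</dict></plist>"""
STRING_VALUE = GOOD.replace(b"<true/>", b"<string>true</string>")
MISSING = GOOD.replace(b"<key>com.apple.security.app-sandbox</key><true/>", b"")

def read_entitlements(binary_path):
    """Return the entitlements embedded in a signed binary (macOS only)."""
    # Same command as in the accepted reply.
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", binary_path],
        capture_output=True, check=True)
    return result.stdout

def sandbox_problem(entitlements_xml):
    """Return None if the sandbox entitlement is Boolean true, else a reason."""
    if not entitlements_xml.strip():
        return "no entitlements embedded in the signature"
    try:
        entitlements = plistlib.loads(entitlements_xml)
    except Exception as exc:  # malformed XML or unrecognised plist format
        return f"entitlements are not a valid property list: {exc}"
    if not isinstance(entitlements, dict):
        return "top-level plist object is not a dictionary"
    if SANDBOX_KEY not in entitlements:
        return f"{SANDBOX_KEY} is missing"
    value = entitlements[SANDBOX_KEY]
    if value is not True:
        return f"{SANDBOX_KEY} must be Boolean true, got {value!r}"
    return None

if __name__ == "__main__":
    # With a path argument, check that binary; otherwise run the samples.
    if len(sys.argv) > 1:
        problem = sandbox_problem(read_entitlements(sys.argv[1]))
        print(problem or "sandbox entitlement present")
        sys.exit(1 if problem else 0)
    for name, sample in [("good", GOOD), ("string", STRING_VALUE), ("missing", MISSING)]:
        print(name, "->", sandbox_problem(sample) or "ok")
```

Point it at the executable inside the signed bundle (Contents/MacOS/xxxx in the error above) before running productbuild.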