CryptoTokenKit extension calling an external command

I've developed a crypto token kit extension using the Xcode template. I've successfully added the certificate and its corresponding private key to the keychain. However, when attempting to sign with this certificate, I need to call a command-line interface (CLI) that I've created.

The CLI is located at ~/Applications/mycli/cli_executable. My issue arises because the extension is sandboxed, prohibiting direct communication with the CLI. I attempted to remove the sandbox, but that didn't resolve the problem (the extension wasn't being registered without the app sandboxed). Additionally, the CLI relies on a database, so simply copying the file to the app container folder isn't a feasible solution (unless it's a symlink – I'm unsure if this is possible).

How can I effectively address this problem and enable communication between the sandboxed extension and my CLI (GoLang app)?

Thank you.

The CLI is located at ~/Applications/mycli/cli_executable.

That’s definitely going to be blocked by the App Sandbox. For testing purposes, try signing your app extension with a temporary exception entitlement that allows access to that directory. For the details, see App Sandbox Resources. Does that get things working?

IMPORTANT There are two reasons that might not work:

  • Every appex runs in a sandbox that’s similar to the App Sandbox, but not exactly the same. Some appex sandboxes prevent them from spawning a child process. I’ve never actually tried this in a CTK appex, so I’m not sure if its sandbox is set up to allow or block this.

  • Your command-line tool will inherit a standbox from your CTK appex, and it’s possible that your tool won’t work in that sandbox. If that’s the case, you’ll have to fix the code in your command-line tool to be sandbox compatible.

If your test shows that your CTK appex is allowed to spawn a child process, then the long-term fix is for you to embed this command-line tool into your appex. See Placing Content in a Bundle for information about where to put it.

If you plan to distribute this app via the Mac App Store, you’ll need to sign your command-line tool with the sandbox inheritance entitlements. Embedding a command-line tool in a sandboxed app explains how to do this with Xcode. You’ll have to apply its lessons to your third-party tooling.

If you’re planning to distribute your app directly, using Developer ID signing, then you don’t need to do this. The sandbox inheritance entitlements are only required by the App Store.

In that case you can add a symlink from ~/Applications/mycli/cli_executable to the executable within your CTK appex, so that Terminal users can continue to use it. That only works if your tool has no entitlements. If it has the sandbox inheritance entitlements then you can’t run it from Terminal.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for your response.

I tried using a temporary exception as you suggested, but it didn't work. Below, I've included the code (Objective-C) and the entitlements used. I'm relatively new to macOS programming, so the issue could be with my implementation.

Entitlements in the token project/extension:

Executed code:

Result:

So with the above implementation, I couldn't connect with the CLI/script.

My main 2 questions are:

  1. Is it not possible to remove the app sandbox from the token extension? This application will not be in the Mac App Store, so it's not a requirement to have the sandbox enabled.
  2. Is there any other possible way to allow communication? For instance, having the CLI in another file/location that is copied to the container and is visually good for the user.

The issue with embedding the CLI inside the project is that the CLI has a self-update mechanism, which downloads zips and changes a few files. So if I put it inside the app, the signature of the application will not be valid anymore, right?

Thank you!

CryptoTokenKit extension calling an external command
 
 
Q