App Sandbox


App Sandbox is a macOS access control technology designed to contain damage to the system and user data if an app becomes compromised.

Posts under App Sandbox tag (112 posts). Each post below is followed by its reply count, boost count, view count and the month of last activity.

Xcode Source Editor Extensions & Sandbox
Hi, I'm working on an Xcode Source Editor Extension. Currently, I have App Sandbox enabled and everything works as expected. I have some features I'd like to add that would require me to disable the App Sandbox and release the extension and containing app outside of the App Store. However, whenever I remove the App Sandbox capability from my project and re-run the extension, I can no longer see my extension appear in the Editor menu - it's just gone. My question is - are Xcode Source Editor Extensions only limited to sandboxed environments or can they operate out of the sandbox? If so, how come I don't see it in Xcode 15?
1
0
851
Sep ’23
Problem allowing macOS app to run kill command
Hello, I'm trying to allow my macOS app, written in Swift, to run a kill command. It works when I test it manually in my terminal, but when I run it in the app I get a "not permitted" error. I was reading about workspace authorization and put in a request, but I got a response saying I didn't need that type of authorization for what I'm doing. Any help pointing me in the right direction? https://developer.apple.com/documentation/appkit/nsworkspaceauthorizationtype Thanks!
1
0
374
Sep ’23
NSFileManager function containerURLForSecurityApplicationGroupIdentifier does not work on macOS Sonoma
When we try to run our code that uses the containerURLForSecurityApplicationGroupIdentifier function, the returned value is null if the program was run with root privileges. (When we run the code as a normal user, it works as expected.) The following code was run:

    // Resolve the shared group container for group_name (a C string); "" signals failure to the caller.
    NSFileManager* fileManager = [NSFileManager defaultManager];
    if (!fileManager) { return ""; }
    NSURL* containerURL = [fileManager containerURLForSecurityApplicationGroupIdentifier:[NSString stringWithUTF8String:group_name]];
    if (!containerURL) { return ""; }

As a normal user we receive the right containerURL: /Users/{user}/Library/Group Containers/{group_name}. If the same code is run with root/admin privileges the containerURL will be NULL. With an older version of macOS the output was the following:

    normal user: /Users/{user}/Library/Group Containers/{group_name}
    root user:   /private/var/root/Library/Group Containers/{group_name}
7
0
1.1k
Sep ’23
Finder Sync Extension does not allow for sandboxed access
Hi there,

Introduction
I have been working on a Finder Sync extension and I would now like to use it to access a file the user has selected. This has been causing me significant issues (and I believe that a lot of other developers have also experienced similar issues with the extension). Because I plan to release my app on the App Store, I need both the main app and the Finder Sync extension to be sandboxed.

Some example code describing the issue
When the user executes the custom Finder action in the context menu, I use the following code to extract and access the selected files:

    // selectedItemURLs() is nil when Finder gives us no selection; also guard against an empty list.
    guard let target = FIFinderSyncController.default().selectedItemURLs(), let first = target.first else {
        NSLog("Failed to obtain targeted URLs")
        return
    }
    do {
        // Read content of the first selected file (example)
        let text = try String(contentsOf: first, encoding: .utf8)
        print(text)
    } catch {
        print("Some error occurred: \(error)")
    }

The problem
Though these files should have a sandbox exception (because they are selected by the user), they do not, and I get the following error because I seemingly do not have the permission (even though I should have):

    Error Domain=NSCocoaErrorDomain Code=257 "The file “myfile.txt” couldn’t be opened because you don’t have permission to view it."

I know from my thorough research (refer to links) that a lot of other people working with Finder Sync extensions have had this problem in the past and that Apple has not provided an official way to fix this. So essentially I am asking if Apple is planning to fix this bug in the near future or, if not, whether there is a workaround for this problem (while still passing App Store review) and while keeping the main functionality of a context-menu-like Finder Sync extension.

Useful links
My previous question concerning the transfer of URLs given in the Finder Sync extension: I already asked a similar question on how to share some file URLs between my Finder Sync extension and the main app, to which I received a presumably working answer, which would work if this problem didn't exist. The solution to passing this access between extension and main app is to create a security-scoped bookmark. This is not possible as long as I can't even access the files in the context of the extension itself. Here is the link to this aforementioned question I posted last month:
Accessing a file in a sandboxed main app, which was selected in a Finder Sync Extension
Some people with the same issue (dating back as far as 2016): someone on the Apple Developer Forum had a similar issue and the respondent suggested a multitude of hacky fixes:
Swift file reading permission error on macOS sandbox
Here is a StackOverflow question from someone who had the exact same issue. Multiple people mentioned there that this was a bug in the operating system and have filed multiple bug reports, which were all unanswered by Apple:
Read and Write access for FinderSync extension in a sandboxed environment
FinderSync Extension runtime error: The file couldn’t be opened because you don’t have permission to view it
5
2
2k
Sep ’23
Auto-update macOS app outside of the Mac App Store
I have a sandboxed/hardened app that is distributed outside of the Mac App Store. I want to allow the app to auto-update itself. I currently have the ability in the app to figure out if there is a newer version, which then informs the user and gives them an option to download the app (currently it downloads to ~/Downloads in the app container). The app comes as a simple zip file that only includes the app itself. Once downloaded, NSWorkspace.shared.open(URLtoDownloadedUpdate) will expand the zip and place the app in ~/Downloads. What I want is for it to replace the current version of the app with this newly downloaded version. Is this possible? First, how do I find out where the old app is stored? And then how do I replace it with the new version when the old app is still running? I realize many people use Sparkle to do this instead of rolling their own. I simply do not want to depend on a third party.
3
0
836
Sep ’23
Can't attach debugger to a helper application with com.apple.security.inherit
Hello, I have a sandboxed Mac app which is launching a helper app. The main app has sandbox enabled and has the get-task-allow entitlement. From the main app I launch[1] a helper, which is an application bundle located in Contents/Helpers of the main bundle. The helper has sandbox enabled and the com.apple.security.inherit entitlement. Currently I have a problem attaching the debugger to the helper process, or getting access to location services from it (but that's probably a different issue). I checked the responsible process and it seems to be set to the correct PID of the main application. Xcode is reporting a "Not allowed to attach to process" error and I see the same in the log:

    macOSTaskPolicy: (com.apple.debugserver) may not get the task control port of (com.****) (pid: 31628): (com.****) is hardened, (com.****) doesn't have get-task-allow, (com.apple.debugserver) is a declared debugger(com.apple.debugserver) is not a declared read-only debugger

To add more context, what I'm trying to achieve is that we run certain parts of our app in separate child processes so we can restart them if anything goes wrong [2]. So I have a few questions:
Do I need to launch the helper (child) process in a particular way to be able to attach the debugger to it?
Is there a tool to inspect sandboxes (rules applied and the inheritance)?
Do I really need to explicitly enable sandboxing and inheritance on the helper app? Doesn't it run in the parent's sandbox anyway?
Thank you.
[1] We use boost::child_process for launching the helper, which uses popen behind the scenes, but I have the same experience with NSTask.
[2] I know that's what XPC services are for, but don't ask :-)
4
0
1k
Sep ’23
com.apple.developer.hid.virtual.device entitlement in a sandboxed app
Hello! I'm curious about how the com.apple.developer.hid.virtual.device entitlement works with apps. The documentation hints that it should only be used within a driver. However, on macOS 13 I can successfully compile an app and create a virtual HID device. On earlier versions, such as macOS 12, the app crashes on launch and there's a message in the console:

    ASI found [libsystem_secinit.dylib] (sensitive) 'failed to compile sandbox profile /System/Library/Sandbox/Profiles/application.sb:1010:15: unbound variable: iokit-user-client-class-name '

Everything seems to be working with the sandbox turned off. Is there a way to use the aforementioned entitlement in a sandboxed app, or should I fall back to DriverKit?
1
0
670
Sep ’23
Sandboxing iOS Simulator
An iOS app running in the Simulator has complete access to the Mac's file system:

    // Files in protected directories like Desktop, Documents, Calendar, etc. will need additional permissions.
    let filesInSystem = FileManager.default.enumerator(at: .currentDirectory(), includingPropertiesForKeys: nil)?.allObjects

This isn't the case when running on a device, as the app is sandboxed. Is the same possible when running in the Simulator? More specifically, is there a way to restrict access to the Mac's file system when running an app in the Simulator? This is particularly useful when trying out binaries/frameworks that are not open source.
1
0
1k
Sep ’23
Did macOS Sonoma add additional file read-write restrictions?
Hello, I have an app in the App Store that is your typical cleaner app. The app searches for files from deleted apps and can remove them. Under macOS Sonoma the app no longer works. When deleting files, the following message appears in the Console:

    System Policy: App(1636) deny(1) file-write-unlink

The app has scoped bookmarks for the folder and additionally I added Full Disk Access for my app, and it still does not work. Is there another layer on top of that? The app works perfectly fine on Big Sur, Monterey and Ventura.
Regards, Sascha
2
0
808
Sep ’23
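The post above quotes a single "System Policy: ... deny(1) file-write-unlink" line, and the debugger post further up asks for a way to inspect what the sandbox is refusing. The parser below is an added example, not code from any post on this page: it pulls the process, pid, operation and target out of denial lines as they appear in the macOS unified log (one way to collect them on a live machine is `log show --last 5m --predicate 'eventMessage CONTAINS "deny("'`) and counts them per process and operation, keeping "Sandbox:" and "System Policy:" lines apart because they come from different policy layers. The sample log lines, process names, pids and paths are constructed for the example.

```python
"""Parse App Sandbox and System Policy denial lines from the macOS unified log.

Added example, not code from any of the posts above. The sample lines are
constructed to match the shape of the message quoted in the Sonoma post
("System Policy: App(1636) deny(1) file-write-unlink").
"""
import re
from collections import Counter

# Constructed sample log lines (process names, pids and paths are made up).
SAMPLE_LOG = """\
Sandbox: Cleaner(1636) deny(1) file-write-unlink /Applications/Other.app/Contents/Resources/cache.db
System Policy: Cleaner(1636) deny(1) file-write-unlink /Applications/Other.app/Contents/MacOS/Other
Sandbox: Cleaner(1636) deny(1) file-read-data /Users/alice/Library/Mail/Envelope Index
Sandbox: Helper(31628) deny(1) mach-lookup com.example.location-service
Some unrelated log line that should be ignored
"""

# <source>: <process>(<pid>) deny(<flag>) <operation> [<target>]
# The process name is matched non-greedily so names containing spaces or
# parentheses still stop at the "(pid) deny(" that follows them.
DENIAL_RE = re.compile(
    r"^(?P<source>Sandbox|System Policy): "
    r"(?P<process>.+?)\((?P<pid>\d+)\) "
    r"deny\((?P<flag>\d+)\) "
    r"(?P<operation>\S+)"
    r"(?: (?P<target>.*))?$"
)


def parse_denial(line):
    """Return a dict for a denial line, or None if the line is not one.

    target is None when the log line carries no path or service name, as in
    the line quoted in the post.
    """
    m = DENIAL_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["flag"] = int(d["flag"])
    return d


def summarize(text):
    """Count denials per (source, process, operation).

    The source is kept as part of the key: a "Sandbox:" line is the app's own
    sandbox profile saying no, while a "System Policy:" line comes from a
    separate policy layer, which is consistent with the post reporting that
    security-scoped bookmarks and Full Disk Access did not help.
    """
    counts = Counter()
    for line in text.splitlines():
        d = parse_denial(line)
        if d:
            counts[(d["source"], d["process"], d["operation"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {key[0]:13s} {key[1]:10s} {key[2]}")
```

When triaging a real log, sort by the (source, process, operation) key first; the operation name (file-write-unlink, file-read-data, mach-lookup) tells you which entitlement or user grant is in play before you look at individual paths.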
should an AVPlayer work in a Camera Extension?
My goal is to implement a moving background in a virtual camera, implemented as a Camera Extension, on macOS 13 and later. The moving background is available to the extension as an H.264 file in its bundle. I thought I could create an AVAsset from the movie's URL, make an AVPlayerItem from the asset, attach an AVQueuePlayer to the item, then attach an AVPlayerLooper to the queue player. I make an AVPlayerVideoOutput and add it to each of the looper's items, and set a delegate on the video output. This works in a normal app, which I use as a convenient environment to debug my extension code. In my camera video rendering loop, I check self.videoOutput.hasNewPixelBuffer; it returns true at regular intervals, and I can fetch video frames with the video output's copyPixelBuffer and composite those frames with the camera frames. However, it doesn't work in an extension: hasNewPixelBuffer is never true. The looping player returns 'failed', with an error which simply says "the operation could not be completed". I've tried simplifying things by removing the AVPlayerLooper and using an AVPlayer instead of an AVQueuePlayer, so the movie would only play once through. But still, I never get any frames in the extension. Could this be a sandbox thing, because an AVPlayer usually renders to a user interface, and camera extensions don't have UIs? My fallback solution is to use an AVAssetImageGenerator, which I attempt to drive by firing off a Task for each frame; each time I want to render one, I ask for another frame to keep the pipeline full. Unfortunately the Tasks don't finish in the same order they are started, so I have to build frame-reordering logic into the frame buffer (something which a player would fix for me). I'm also not sure whether the AVAssetImageGenerator is taking advantage of any hardware acceleration, and it seems inefficient because each Task is for one frame only and cannot maintain any state from previous frames.
Perhaps there's a much simpler way to do this and I'm just missing it? Anyone?
2
0
1.2k
Aug ’23
NSSavePanel does not have the User Selected File Read/Write permission in a sandbox-inherit child process
I have an application running in the sandbox which launches an application bundle using NSTask. The main app entitlements enable the sandbox and add the User Selected File Read/Write permission:

    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.files.user-selected.read-write</key>
        <true/>
    </dict>

The child app entitlements enable the sandbox and inherit:

    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.inherit</key>
        <true/>
    </dict>

When I invoke NSSavePanel *savePanel = [NSSavePanel savePanel] in the child process, the system throws an error. The error message says that the User Selected File Read/Write permission is missing. However, I have already added this permission in the main app, and I have set up inherit in the child process as well. The child process cannot add the User Selected File Read/Write permission again because it has sandbox and inherit in its entitlements, per the doc EnablingAppSandbox. It appears that the system is not inheriting this permission for the child process.

    panel[60195:2499353] [OpenSavePanels] Unable to display save panel: your app is missing the User Selected File Read/Write app sandbox entitlement. Please ensure that your app's target capabilities include the proper entitlements.

And the error stack:

    [miscellany] CLIENT ERROR: remote view delegate NSSavePanel lacks method which can react to the details of Error Domain=com.apple.ViewBridge Code=14 "(null)" UserInfo={com.apple.ViewBridge.error.hint=-[NSViewServiceMarshal bootstrap:withReply:] caught NSInternalInconsistencyException '+[NSOpenAndSavePanelService loadViewToService:isOpenPanel:appCentric:] : failed entitlements check' with backtrace (
        "0 CoreFoundation __exceptionPreprocess + 242",
        "1 libobjc.A.dylib objc_exception_throw + 48",
        "2 CoreFoundation -[NSException raise] + 9",
        "3 com.apple.appkit.xpc.openAndSavePan com.apple.appkit.xpc.openAndSavePan + 16852",
        "4 AppKit -[NSViewController _loadViewIfRequired] + 72",
        "5 AppKit __24-[NSViewController view]_block_invoke + 27",
        "6 AppKit NSPerformVisuallyAtomicChange + 132",
        "7 AppKit -[NSViewController view] + 123",
        "8 ViewBridge -[NSViewServiceMarshal _bootstrap:replyData:completion:] + 1826",
        "9 ViewBridge -[NSViewServiceMarshal bootstrap:withReply:] + 245",
        "10 CoreFoundation __invoking___ + 140",
        "11 CoreFoundation -[NSInvocation invoke] + 305",
        "12 CoreFoundation -[NSInvocation invokeWithTarget:] + 70",
        "13 ViewBridge -[NSVB_ViewServiceImplicitAnimationDecodingProxy forwardInvocation:] + 178",
        "14 CoreFoundation ___forwarding___ + 756",
        "15 CoreFoundation _CF_forwarding_prep_0 + 120",
        "16 CoreFoundation __invoking___ + 140",
        "17 CoreFoundation -[NSInvocation invoke] + 305",
        "18 CoreFoundation -[NSInvocation invokeWithTarget:] + 70",
        "19 ViewBridge -[NSVB_QueueingProxy forwardInvocation:] + 321",
        "20 CoreFoundation ___forwarding___ + 756",
        "21 CoreFoundation _CF_forwarding_prep_0 + 120",
        "22 CoreFoundation __invoking___ + 140",
        "23 CoreFoundation -[NSInvocation invoke] + 305",
        "24 CoreFoundation -[NSInvocation invokeWithTarget:] + 70",
        "25 CoreFoundation ___forwarding___ + 756",
        "26 CoreFoundation _CF_forwarding_prep_0 + 120",
        "27 CoreFoundation __invoking___ + 140",
        "28 CoreFoundation -[NSInvocation invoke] + 305",
        "29 ViewBridge __deferNSXPCInvocationOntoMainThread_block_invoke + 142",
        "30 ViewBridge __wrapBlockWithVoucher_block_invoke + 37",
        "31 ViewBridge kNotRunningOnAppKitCompatibleThread_block_invoke + 323",
        "32 CoreFoundation __CFRUNLOOP_IS_CALLING_OUT_TO_A_BLOCK__ + 12",
        "33 CoreFoundation __CFRunLoopDoBlocks + 398",
        "34 CoreFoundation __CFRunLoopRun + 2015",
        "35 CoreFoundation CFRunLoopRunSpecific + 560",
        "36 HIToolbox RunCurrentEventLoopInMode + 292",
        "37 HIToolbox ReceiveNextEventCommon + 657",
        "38 HIToolbox _BlockUntilNextEventMatchingListInModeWithFilter + 64",
        "39 AppKit _DPSNextEvent + 858",
        "40 AppKit -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1214",
        "41 ViewBridge __77-[NSViewServiceApplication vbNextEventMatchingMask:untilDate:inMode:dequeue:]_block_invoke + 111",
        "42 ViewBridge -[NSViewServiceApplication _withToxicEventMonitorPerform:] + 114",
        "43 ViewBridge -[NSViewServiceApplication vbNextEventMatchingMask:untilDate:inMode:dequeue:] + 151",
        "44 ViewBridge -[NSViewServiceApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 99",
        "45 AppKit -[NSApplication run] + 586",
        "46 AppKit NSApplicationMain + 817",
        "47 libxpc.dylib _xpc_objc_main + 867",
        "48 libxpc.dylib xpc_main + 96",
        "49 ViewBridge xpc_connection_handler + 0",
        "50 ViewBridge NSViewServiceMain + 1789",
        "51 com.apple.appkit.xpc.openAndSavePan main + 178",
        "52 dyld start + 1903"
    ), com.apple.ViewBridge.error.description=NSViewBridgeErrorServiceBootstrap}
1
0
560
Aug ’23
Can't run binary in sandboxed macOS app
I have a Flutter app that should be sandboxed for the App Store, and this app should run a binary that I build with make. I sign that binary with a Developer ID certificate:

    codesign -v -f --options=runtime --entitlements "./macos/Runner/binary_sandboxed.entitlements" --sign "Developer ID Application: ..." ./path/to/binary

Here is binary_sandboxed.entitlements:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.inherit</key>
        <true/>
        <key>com.apple.security.application-groups</key>
        <array>
            <string>$(TEAM_ID).$(PRODUCT_BUNDLE_IDENTIFIER)</string>
        </array>
        <key>com.apple.security.cs.allow-jit</key>
        <true/>
        <key>com.apple.security.network.server</key>
        <true/>
        <key>com.apple.security.network.client</key>
        <true/>
    </dict>
    </plist>

and the main app is run with these entitlements:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.inherit</key>
        <true/>
        <key>com.apple.security.application-groups</key>
        <array>
            <string>Q7Q43CUMWT.$(PRODUCT_BUNDLE_IDENTIFIER)</string>
        </array>
        <key>com.apple.security.cs.allow-jit</key>
        <true/>
        <key>com.apple.security.network.server</key>
        <true/>
        <key>com.apple.security.network.client</key>
        <true/>
        <key>keychain-access-groups</key>
        <array>
            <string>$(AppIdentifierPrefix)$(PRODUCT_BUNDLE_IDENTIFIER)</string>
        </array>
    </dict>
    </plist>

When I run the app I get an error:

    ProcessException: Operation not permitted

In the console log I see this message:

    denied since it was quarantined by Main app and created without user consent, qtn-flags was 0x00000086

If I delete the quarantine flag from the binary in Containers:

    xattr -d com.apple.quarantine "/Users/appuser/Library/Containers/com.bin/Data/Library/Application Support/com.bin/binary"

I get an error when running the binary:

    zsh: illegal hardware instruction
    failed: Unable to get bundle identifier because code signature information has no Info.Plist.

What did I do wrong? And what should I do?
1
1
688
Aug ’23
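Three posts on this page (the debugger post, the NSSavePanel post and the Flutter post just above) all hinge on what a sandbox-inheriting helper may and may not carry in its entitlements. The checker below is an added example and not code from any of those posts. It encodes the rule from Apple's entitlement documentation that a child process using com.apple.security.inherit should carry no sandbox entitlements other than com.apple.security.app-sandbox, flags a main app that sets inherit (it has no parent sandbox to inherit from), and reports whether a debugger can attach, since the macOSTaskPolicy log quoted in the debugger post names the missing com.apple.security.get-task-allow entitlement as the reason for refusal. Input is the XML that `codesign -d --entitlements :- <binary>` prints; the three plists in the block are constructed samples modelled on the entitlements quoted in the posts, with placeholder team and bundle identifiers. Hardened-runtime keys (com.apple.security.cs.*) and get-task-allow are treated as non-sandbox entitlements and are not counted as extras.

```python
"""Check the App Sandbox entitlements of a main app and an inheriting helper.

Added example, not code from any post on this page. Feed it the XML printed
by `codesign -d --entitlements :- <binary>`. The plists below are constructed
samples modelled on the entitlements quoted in the posts.
"""
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
INHERIT = "com.apple.security.inherit"
GET_TASK_ALLOW = "com.apple.security.get-task-allow"
HARDENED_RUNTIME_PREFIX = "com.apple.security.cs."


def _plist(body):
    """Wrap a run of <key>/<value> pairs in a complete entitlements plist."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
            '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
            '<plist version="1.0"><dict>\n' + body + '</dict></plist>\n').encode()


# Constructed: helper shaped like the Flutter post (inherit plus
# application-groups and network keys; TEAMID is a placeholder).
HELPER_FROM_POST = _plist(
    "<key>com.apple.security.app-sandbox</key><true/>\n"
    "<key>com.apple.security.inherit</key><true/>\n"
    "<key>com.apple.security.application-groups</key>"
    "<array><string>TEAMID.com.example.app</string></array>\n"
    "<key>com.apple.security.cs.allow-jit</key><true/>\n"
    "<key>com.apple.security.network.server</key><true/>\n"
    "<key>com.apple.security.network.client</key><true/>\n")

# Constructed: main app that also sets inherit, as in the Flutter post.
MAIN_FROM_POST = _plist(
    "<key>com.apple.security.app-sandbox</key><true/>\n"
    "<key>com.apple.security.inherit</key><true/>\n"
    "<key>com.apple.security.network.client</key><true/>\n")

# Constructed: helper with exactly the two sandbox keys, plus get-task-allow
# for a debug build.
GOOD_HELPER = _plist(
    "<key>com.apple.security.app-sandbox</key><true/>\n"
    "<key>com.apple.security.inherit</key><true/>\n"
    "<key>com.apple.security.get-task-allow</key><true/>\n")


def sandbox_keys(ents):
    """Entitlement keys that belong to App Sandbox (hardened runtime and
    debugging keys are excluded)."""
    return sorted(k for k in ents
                  if not k.startswith(HARDENED_RUNTIME_PREFIX) and k != GET_TASK_ALLOW)


def check_entitlements(xml_bytes, role):
    """Return findings for a 'main' app or an inheriting 'helper'.

    An empty list means the entitlements follow the documented shape.
    """
    ents = plistlib.loads(xml_bytes)
    findings = []
    if ents.get(SANDBOX) is not True:
        findings.append(f"{SANDBOX} is missing or false: the process is not sandboxed")
    if role == "main":
        if ents.get(INHERIT):
            findings.append(f"{INHERIT} is set on the main app, which has no parent sandbox to inherit")
    elif role == "helper":
        if ents.get(INHERIT) is not True:
            findings.append(f"{INHERIT} is missing: the helper gets its own container instead of the parent's")
        extra = [k for k in sandbox_keys(ents) if k not in (SANDBOX, INHERIT)]
        if extra:
            findings.append("inheriting helper carries extra sandbox entitlements: " + ", ".join(extra))
    else:
        raise ValueError(f"unknown role {role!r}")
    return findings


def debugger_can_attach(xml_bytes):
    """True when get-task-allow is present, the entitlement the macOSTaskPolicy
    log in the debugger post reports as missing on the refused helper."""
    return plistlib.loads(xml_bytes).get(GET_TASK_ALLOW) is True


if __name__ == "__main__":
    for name, blob, role in [("helper from post", HELPER_FROM_POST, "helper"),
                             ("main from post", MAIN_FROM_POST, "main"),
                             ("good helper", GOOD_HELPER, "helper")]:
        print(name, check_entitlements(blob, role) or "OK",
              "| debuggable" if debugger_can_attach(blob) else "| not debuggable")
```

Run it against the real binaries by piping `codesign -d --entitlements :- Contents/MacOS/<app>` and `codesign -d --entitlements :- Contents/Helpers/<helper>.app/Contents/MacOS/<helper>` into check_entitlements with roles "main" and "helper"; the helper should come back with an empty finding list, and on a debug build both should report debuggable.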