How embed sqlite3 binary into my app?

Question

Created Aug ’16

Replies 8

Boosts 0

Views 2.8k

Participants 2

My app utilizes a custom build of sqlite3 (shell) to do some tasks. I have a copy file phase in project Build Settings to copy it along with a tool.sh script into Frameworks destination. The relevant code works during debugging. However when I submit the app for review, I got an email that says:

App sandbox not enabled - The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list. Refer to the App Sandbox page for more information on sandboxing your app.

net.neolib.BingDailyWallpaper.pkg/Payload/Daily Wallpaper Changer for Bing.app/Contents/Frameworks/sqlite3

I wonder why it needs an entitlement. But I have to workaround this problem. Any suggestions will be appreciated.

Answered by DTS Engineer in 161316022

The following is for Xcode 7.3.1:

Create
```
MyApp
```
project.
In the project build settings, set Strip Debug Symbols During Copy (
```
COPY_PHASE_STRIP
```
) to No.
Set up the
```
MyApp
```
target’s code signing in the usual way:
- set Signing and Team ID in the General tab
- enable App Sandbox via the Capabilities tab
Create a
```
MyTool
```
target within the
```
MyApp
```
project.
In the
```
MyTool
```
group, create a property list file called
```
MyTool.entitlements
```
.
In that file, add to entries:
- ```
com.apple.security.app-sandbox
```
- ```
com.apple.security.inherit
```
both as Booleans with the value set to YES.
IMPORTANT Do not add the file to any targets.
In the
```
MyTool
```
build settings, set Code Signing Entitlements (
```
CODE_SIGN_ENTITLEMENTS
```
) to
```
MyTool/MyTool.entitlements
```
.
Build the tool.
In the
```
MyApp
```
target, create a custom Copy Files build phase and:
- set Destination to Executables
- add MyTool to the list of items to copy
- make sure Code Sign On Copy is checked
Build the app.

Now check the entitlements of each item. First, the tool before it was copied into the app.

 $ codesign -d --entitlements :- build/Debug/MyTool
Executable=/Users/quinn/Desktop/MyApp/build/Debug/MyTool
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>

Next, the tool within the app.

 $ codesign -d --entitlements :- build/Debug/MyApp.app/Contents/MacOS/MyTool
Executable=/Users/quinn/Desktop/MyApp/build/Debug/MyApp.app/Contents/MacOS/MyTool
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>

Finally, the app itself.

 $ codesign -d --entitlements :- build/Debug/MyApp.app
Executable=/Users/quinn/Desktop/MyApp/build/Debug/MyApp.app/Contents/MacOS/MyApp
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

Aug ’16

Does your app use the

sqlite3

tool directly (sublaunching it via NSTask, for example)? If so, you should sandbox the tool and set the

com.apple.security.inherit

entitlement. That will cause the tool to inherit its entitlements from your app, which is probably what the want and will make App Review happy.

The only fly in that ointment is if you also want the user to be able to run the

sqlite3

tool from Terminal. In that case

com.apple.security.inherit

causes problems because there’s no app sandbox to inherit from. If that’s the case, please post back explaining the expected use cases for this

sqlite3

tool.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 2

imneo OP

Aug ’16

I am in the first case - the sqlite3 binary is only called by my app via a BASH script by using NSTask .

Another problem is I don't quite understand how to 'sandbox the tool and set

com.apple.security.inherit

entitlement'. The sqlite3 binary is a plain console program, how to entitle it?

0

Answer 3

DTS Engineer OP

Apple

Aug ’16

I am in the first case - the sqlite3 binary is only called by my app via a BASH script by using NSTask .

OK, that’s actually good news, in that there is a well understood, albeit a little complex, solution.

The sqlite3 binary is a plain console program, how to entitle it?

Last I checked Xcode does not display it’s user friendly code signing interface for command line tools. You will have to set up code signing via the build settings, specifically:

Code Signing Entitlements (
```
CODE_SIGN_IDENTITY
```
)
Code Signing Identity (
```
CODE_SIGN_ENTITLEMENTS
```
)

IMPORTANT When you set up the Copy Files build phase to copy your tool into your app, make sure you copy it to the ‘executables’ directory (

Contents/MacOS

). See the Nested Code section in Technote 2206 OS X Code Signing In Depth for details.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 4

imneo OP

Aug ’16

Thanks for your reply. But I'm still not able to grasp anything.

First, CODE_SIGN_IDENTITY and CODE_SIGN_ENTITLEMENTS is already there because I think when I select Team profile in Build Settings they are done automatically by Xcode. And moreover, the app has been submitted to App Store, I think there should be no mistake about this.

Second, I still do not know how to entitle the sqlite3 console binary. In your first reply, "If so, you should sandbox the tool and set the

com.apple.security.inherit

entitlement." I think maybe I should create an app bundle from source of sqlite3 and this way I will be able to add entitlements, but it is an overkill. According to your reply, I guess it must be an easy way (via configuration).

Is it possible for you to take some trouble to list detailed procedures on how to do this?

0

Answer 5

DTS Engineer OP

Apple

Aug ’16

Accepted Answer

The following is for Xcode 7.3.1:

Create
```
MyApp
```
project.
In the project build settings, set Strip Debug Symbols During Copy (
```
COPY_PHASE_STRIP
```
) to No.
Set up the
```
MyApp
```
target’s code signing in the usual way:
- set Signing and Team ID in the General tab
- enable App Sandbox via the Capabilities tab
Create a
```
MyTool
```
target within the
```
MyApp
```
project.
In the
```
MyTool
```
group, create a property list file called
```
MyTool.entitlements
```
.
In that file, add to entries:
- ```
com.apple.security.app-sandbox
```
- ```
com.apple.security.inherit
```
both as Booleans with the value set to YES.
IMPORTANT Do not add the file to any targets.
In the
```
MyTool
```
build settings, set Code Signing Entitlements (
```
CODE_SIGN_ENTITLEMENTS
```
) to
```
MyTool/MyTool.entitlements
```
.
Build the tool.
In the
```
MyApp
```
target, create a custom Copy Files build phase and:
- set Destination to Executables
- add MyTool to the list of items to copy
- make sure Code Sign On Copy is checked
Build the app.

Now check the entitlements of each item. First, the tool before it was copied into the app.

 $ codesign -d --entitlements :- build/Debug/MyTool
Executable=/Users/quinn/Desktop/MyApp/build/Debug/MyTool
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>

Next, the tool within the app.

 $ codesign -d --entitlements :- build/Debug/MyApp.app/Contents/MacOS/MyTool
Executable=/Users/quinn/Desktop/MyApp/build/Debug/MyApp.app/Contents/MacOS/MyTool
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>

Finally, the app itself.

 $ codesign -d --entitlements :- build/Debug/MyApp.app
Executable=/Users/quinn/Desktop/MyApp/build/Debug/MyApp.app/Contents/MacOS/MyApp
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 6

imneo OP

Aug ’16

Great thanks for your detailed reply.

But I'm really sorry to say that I'm still not able to get it working. What is the type of MyTool target? Should it be a "Command Line Tool", or "Cocoa Application", or a Bundle? I tried to build the target with SQLITE3 source code with all of the above 3 types, but to no avail.

I'm not sure if I asked my question properly. Suppose I only have the binary (already compiled) sqlite3, is it possible to sandbox it?

0

Answer 7

DTS Engineer OP

Apple

Aug ’16

What is the type of MyTool target?

Command Line Tool

Suppose I only have the binary (already compiled) sqlite3, is it possible to sandbox it?

Yes, but the process becomes more complex because Xcode’s code signing infrastructure works best when building things from source.

At this point I’m going to recommend that you open a DTS tech support incident so that you can get one-on-one help from one of our tools experts.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 8

imneo OP

Aug ’16

Thanks for your time and patience. I'll try it again, maybe I made some rudimentary mistakes when following your steps.

0

	$ codesign -d --entitlements :- build/Debug/MyTool
	Executable=/Users/quinn/Desktop/MyApp/build/Debug/MyTool
	<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
	<plist version="1.0">
	<dict>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.inherit</key>
	<true/>
	</dict>
	</plist>