Can't run binary in sandboxed macOS app

I have a Flutter app that should be sandboxed for the App Store, and this app should run a binary that I build with make. I sign that binary with a Developer ID certificate:

codesign -v -f --options=runtime --entitlements "./macos/Runner/binary_sandboxed.entitlements" --sign "Developer ID Application: ..." ./path/to/binary

here is binary_sandboxed.entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>$(TEAM_ID).$(PRODUCT_BUNDLE_IDENTIFIER)</string>
    </array>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>

and the main app runs with these entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>Q7Q43CUMWT.$(PRODUCT_BUNDLE_IDENTIFIER)</string>
    </array>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>$(AppIdentifierPrefix)$(PRODUCT_BUNDLE_IDENTIFIER)</string>
    </array>
</dict>
</plist>

When I run the app I get an error: ProcessException: Operation not permitted
In the console log I see this message:

denied since it was quarantined by Main app and created without user consent, qtn-flags was 0x00000086

If I delete the quarantine flag from the binary in Containers:

xattr -d com.apple.quarantine "/Users/appuser/Library/Containers/com.bin/Data/Library/Application Support/com.bin/binary"

I get an error when I run the binary:

zsh: illegal hardware instruction
failed: Unable to get bundle identifier because code signature information has no Info.Plist.

What did I do wrong? And what should I do?

There are many potential issues here. If you were using Xcode, you could follow the instructions in Embedding a command-line tool in a sandboxed app. The second section, Embed an externally built tool, covers your specific case.

One good option is to run through that process with a small test project. Once you get things working there, you can look at how Xcode set things up and then replicate that in your third-party build system.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
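As an added example (not code from the thread or from Apple's guide), a check a practitioner can run over a helper's entitlements file before hand-signing it with codesign: it flags entitlements combined with com.apple.security.inherit beyond app-sandbox, which Apple's entitlement documentation says a sandbox-inheriting helper must not carry, and Xcode build-setting placeholders such as $(TEAM_ID) that codesign leaves as literal text. The two plists below are constructed copies: one mirrors the helper entitlements in the question, the other is a minimal inherit-only file.

```python
import plistlib

# Entitlements that may accompany com.apple.security.inherit in a helper that
# inherits its parent's sandbox (Apple: app-sandbox and inherit only, nothing else).
ALLOWED_WITH_INHERIT = {"com.apple.security.app-sandbox", "com.apple.security.inherit"}

# Constructed copy of the helper entitlements posted in the question.
POSTED_HELPER = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.inherit</key><true/>
  <key>com.apple.security.application-groups</key>
  <array><string>$(TEAM_ID).$(PRODUCT_BUNDLE_IDENTIFIER)</string></array>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.network.server</key><true/>
  <key>com.apple.security.network.client</key><true/>
</dict></plist>"""

# Constructed minimal entitlements for a helper that inherits the app's sandbox.
MINIMAL_HELPER = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.inherit</key><true/>
</dict></plist>"""


def check_helper_entitlements(plist_bytes: bytes) -> list[str]:
    """Return findings for an entitlements plist meant for a sandbox-inheriting helper."""
    ents = plistlib.loads(plist_bytes)
    findings = []
    if ents.get("com.apple.security.app-sandbox") is not True:
        findings.append("missing com.apple.security.app-sandbox")
    if ents.get("com.apple.security.inherit") is not True:
        findings.append("missing com.apple.security.inherit")
    else:
        extra = sorted(set(ents) - ALLOWED_WITH_INHERIT)
        if extra:
            findings.append("inherit combined with other entitlements: " + ", ".join(extra))
    # codesign does not expand Xcode build settings such as $(TEAM_ID); Xcode does that
    # at build time, so a hand-signed helper ends up with the literal placeholder text.
    for key, value in ents.items():
        for item in value if isinstance(value, list) else [value]:
            if isinstance(item, str) and "$(" in item:
                findings.append(f"unexpanded build setting in {key}: {item}")
    return findings


if __name__ == "__main__":
    for name, plist in (("posted", POSTED_HELPER), ("minimal", MINIMAL_HELPER)):
        print(name, check_helper_entitlements(plist) or ["ok"])
```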
