I got an error when validating the App, as follows:

```
Asset validation failed App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.***.yyy.pkg/Payload/***.app/Contents/MacOS/zzz" )] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app. (ID: dc264017-f236-4e89-a100-e69c7f0fb318)
```

zzz is a command-line tool built by make; I need to codesign it.
#1. Using the two lines below, signing succeeds, but I get the 'App sandbox not enabled' problem:

```shell
codesign -s "TTT1" -f -v --timestamp --options runtime dist/m_arm64/zzz
codesign -s "TTT1" -f -v --timestamp --options runtime dist/m_x64/zzz
```

#2. Using the two lines below, the 'App sandbox not enabled' problem is resolved, but running zzz gives 'zsh: trace trap':

```shell
codesign -s "TTT2" -o runtime --entitlements zzz.entitlements -f dist/debug/zzz
codesign -s "TTT2" -o runtime --entitlements zzz.entitlements -f dist/debug/zzz
lipo -create dist/m_arm64/zzz dist/m_x64/zzz -output dist/zzz
lipo -archs dist/zzz
otool -L dist/zzz
```
The zzz.entitlements content is:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>
```
The Info.plist embedded in zzz is:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleDevelopmentRegion</key>
    <string>English</string>
    <key>CFBundleIdentifier</key>
    <string>zzz</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundlePackageType</key>
    <string>dSYM</string>
    <key>CFBundleSignature</key>
    <string>????</string>
    <key>CFBundleShortVersionString</key>
    <string>24.09</string>
    <key>CFBundleVersion</key>
    <string>1</string>
    <key>ITSAppUsesNonExemptEncryption</key>
    <false/>
</dict>
</plist>
```
```shell
# codesign reports success for both methods
codesign -d -vvv ./zzz
# with method 2 the sandbox problem is OK
codesign --display --entitlements - ./zzz
```
Why, when I codesign with entitlements, can't zzz run successfully? If I upload it to the App Store, will the client get the zsh error?
Has anyone encountered this kind of problem before?
Reference: https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app
It’s quite hard to read your post. See Quinn’s Top Ten DevForums Tips for info on how to use a Code Block for preformatted text.
> Why, when I codesign with entitlements, can't zzz run successfully? If I upload it to the App Store, will the client get the zsh error?
This relates to App Sandbox inheritance. I talk about that in some detail in Resolving Trusted Execution Problems, and specifically Resolving App Sandbox Inheritance Problems.
In short:

- App Review requires that all code within your app be sandboxed, that is, be signed with the `com.apple.security.app-sandbox` entitlement.
- If the code is launched by the system — for example, the main app or an XPC helper — then that’s the only entitlement it needs. The presence of `com.apple.security.app-sandbox` causes the system to set up a new sandbox for the process.
- If the code is spawned as a child process of the main app then it also needs `com.apple.security.inherit`. This tells the system that it doesn’t need to set up a new sandbox. Rather, the process inherits its sandbox from the app.
It sounds like you’re trying to ship a tool within an App Store app and allow the user to run that tool from Terminal. That’s hard to do well. Specifically, Terminal is not sandboxed so your tool can’t use `com.apple.security.inherit`; there is no sandbox to inherit. But the App Store requires that your tool be sandboxed, so the tool must be prepared to work in a new sandbox. That means signing it with `com.apple.security.app-sandbox` and giving it an embedded `Info.plist`.
That’ll get the tool working. However, there are some serious caveats:

- Your tool can either be spawnable as a child process by your app or runnable from Terminal, not both.
- Your tool is sandboxed, which prevents it from doing things that are commonly necessary. For example, if the user passes a path to your tool via a command-line argument, the sandbox will likely block access to that path.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
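As an added example, not from this thread and not Apple's code: a small Python pre-flight check that applies the three rules above to an entitlements .plist using the standard-library plistlib, reports which entitlement is wrong for the way the tool is launched, and emits the entitlements file that matches. The launch-mode names are this example's own, and the sample entitlements are the zzz.entitlements from the question.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
INHERIT = "com.apple.security.inherit"

# How the executable gets launched (names are this example's, not Apple's):
#   "system"   - launched by the system (main app, XPC helper)
#   "child"    - spawned as a child process of the sandboxed main app
#   "terminal" - run by the user from Terminal, which is not sandboxed
LAUNCH_MODES = ("system", "child", "terminal")

def required_entitlements(launch_mode):
    """Entitlements a sandboxed tool needs for the given launch mode."""
    if launch_mode not in LAUNCH_MODES:
        raise ValueError(f"unknown launch mode: {launch_mode}")
    ents = {SANDBOX: True}            # App Review requires this on all code
    if launch_mode == "child":
        ents[INHERIT] = True          # reuse the parent app's sandbox
    return ents

def check_entitlements(plist_bytes, launch_mode):
    """Parse an entitlements .plist and list what is wrong for launch_mode."""
    ents = plistlib.loads(plist_bytes)
    wanted = required_entitlements(launch_mode)
    problems = []
    if ents.get(SANDBOX) is not True:
        problems.append(f"missing {SANDBOX}: App Review rejects unsandboxed code")
    has_inherit = ents.get(INHERIT) is True
    if wanted.get(INHERIT) and not has_inherit:
        problems.append(f"missing {INHERIT}: child would get a fresh sandbox")
    if not wanted.get(INHERIT) and has_inherit:
        problems.append(f"{INHERIT} set but a {launch_mode} launch has no "
                        "sandbox to inherit; the process is killed at launch")
    return problems

def entitlements_plist(launch_mode):
    """Serialise the correct entitlements as an XML plist (bytes)."""
    return plistlib.dumps(required_entitlements(launch_mode))

# Constructed sample: the zzz.entitlements file from the question above.
QUESTION_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.inherit</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(check_entitlements(QUESTION_ENTITLEMENTS, "terminal"))
    print(entitlements_plist("terminal").decode())  # what zzz should be signed with
```

Pass the output of `entitlements_plist("terminal")` to `codesign --entitlements` for a tool the user runs from Terminal; the same file with inherit added is only right for a child of the sandboxed app.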