How can I launch ffmpeg from a sandboxed app.

Question

Created Sep ’17

Replies 5

Boosts 0

Views 2.4k

Participants 2

I've built a video processing app that I wish to distribute via MAS. It's an electron app and works great using spawn to exec ffmpeg to caption/watermark etc.

However, when building for the Appstore - i.e after sandboxing I get an 'process-exec deny' in the log at run time.

Is there an entitlement I can set or any way of signing the ffmpeg binary that'll allow me to achieve this or will I have to distribute this app outside of the MAS?

Thanks.

Boost

Answer 1

DTS Engineer OP

Apple

Sep ’17

I can’t speak to

ffmpeg

directly but, in general, a Mac App Store app is allowed to launch helper tools embedded within the app. There are, however, some gotchas:

The tool, and any libraries or frameworks it depends on, must be correctly placed within your bundle. See the Nested Code section of Technote 2206 macOS Code Signing In Depth.
The tool must be set up to inherit its sandbox from the parent. See the Enabling App Sandbox Inheritance section of the Entitlement Key Reference.
The tool must actually work in that sandboxed environment.
Passing user-selected files to the tool can be a challenge. See the discussion of static versus dynamic entitlements in the Enabling App Sandbox Inheritance section of the doc I referenced above.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 2

gideonfromharlesden OP

Sep ’17

Thanks eskimo1

I believe I set this up as you suggested. However, I get an error when executing the 'spawn' command.

Can anyone confirm if the 'spawn' is allowed within a sandbox environment? If it is, I'll battle through the remaining issues.

Thanks,

0

Answer 3

DTS Engineer OP

Apple

Sep ’17

Can anyone confirm if the 'spawn' is allowed within a sandbox environment?

Yes it is. This is covered under my earlier statement: “in general, a Mac App Store app is allowed to launch helper tools embedded within the app.” It doesn’t matter how you launch the helper tool;

NSTask

,

posix_spawn

and

fork

/

execve

all work.

I recommend that you create your own dummy helper tool and get that working first. That’ll isolate you from the complexities of

ffmpeg

.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 4

gideonfromharlesden OP

Sep ’17

Thanks Eskimo, That's exactly the answer I was looking for.

I'll persevere.

Best Regards

Gid.

0

Answer 5

DTS Engineer OP

Apple

Sep ’17

Oh, and btw, if you’re working with Xcode 9 you might be running into the gotcha described here. I haven’t personally investigate this myself but it’s easy for you to check for yourself whether it’s affecting you.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0