Hi,
I've an OSX app packages up outside of XCode (because it's based on a legacy cross-platform build system). The layout looks like this:
App
App/Contents <- info.plist is here
App/Contents/Frameworks <- Dylibs go here
App/Contents/MacOS <- Main executable and bash startup script go here
App/Contents/Resources <- Non-executable resources.
There are no helper apps, etc that I know of.
info.plist, the Frameworks, Main Executable and App are all signed. The Main Executable includes entitlements with the sandbox entitlements.
On startup, we crash in the usual Sandbox place:
0 libsystem_secinit.dylib 0x7ff811fcc2a5 _libsecinit_appsandbox.cold.9 + 49
1 libsystem_secinit.dylib 0x7ff811fcb636 _libsecinit_appsandbox + 1749
2 libsystem_trace.dylib 0x7ff8044029e9 _os_activity_initiate_impl + 50
3 libsystem_secinit.dylib 0x7ff811fcaf20 _libsecinit_initializer + 67
4 libSystem.B.dylib 0x7ff811fe08a1 libSystem_initializer + 292
5 dyld 0x20905939f invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const::$_0::operator()() const + 185
(Even though I'm not signing the bash startup script, which invokes the main executable, it's still getting signed and has entitlements. And I'm not using --deep.
I've tried setting com.apple.security.inherit - that didn't work.
I've tried explicitly signing the bash startup script - that didn't work.
It fails not matter how I start the app - by clicking on it, command line, just launching the main executable via the command line, and of course using LLDB.
Any ideas? Crash report enclosed.
ProgUhost-2024-02-17-171425.ips
Entitlements
RSS for tagEntitlements allow specific capabilities or security permissions for your apps.
Post
Replies
Boosts
Views
Activity
I am using TapToPay with stripe it is working fine on the development mode but when i try to create build for app store it shows 2 errors.
I encountered a problem while implementing DNS Proxy for Network Extension.
It consists of MyMyExt, a System Extension that implements DNS Proxy, and MyMyService, a container.
The system extension consists of classes that inherit the NEDNSProxyProvider.
Class has overrided "override init(), override func startProxy(...), override func stopProxy(...) override func handleNewFlow(...)"
Since the manager.loadFromPreferences(...) and manager.saveToPreferences(...) calls, system extensions and DNS Proxy have been added.
However, contrary to expectations, init(), startProxy(...), etc. are not being called.
(In System Settings → Network → Filter, DNS Proxy has been added, but is displayed as "Activated" and a yellow circle)
Here is the information that appears on the console.
... Omitted ...
MyMyService.MyMyExt [Info] DNSProxyManager.swift: 51 [-] DNSProxy: saved
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Adding a connection for client mDNSResponder[167]
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: handleNetworkDetectionNotification <MyMyService.MyMyExt>
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Received a restart command from nesessionmanager[1011]
nesessionmanager Registering session NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Resetting VPN On Demand
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)] in state NESMVPNSessionStateIdle: update configuration
nesessionmanager <NESMServer: 0x13ae0ac90>: <MyMyService.MyMyExt> Register DNS Proxy Session: NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Successfully registered
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: status changed to connecting
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)] in state NESMVPNSessionStateIdle: received start message
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Leaving state NESMVPNSessionStateIdle
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Entering state NESMVPNSessionStatePreparingNetwork
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Cannot create agent for plugin type MyMyService.MyMyExt, missing designated requirement
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Failed to create an NEAgent
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Leaving state NESMVPNSessionStatePreparingNetwork
nesessionmanager NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Entering state NESMVPNSessionStateStopping, timeout 20 seconds
... Omitted ...
Perhaps the key is the "Cannot create agent for plugin type MyMyService.MyMyExt, missing designated requirement" recorded in the log.
But I can't find out what this message is about or how to resolve it.
and, here is my code, more info at my previous post.
I ask for your help.
Thank you, for your attention.
Do I need an entitlement to use the ARWorldTrackingConfiguration and get that data in RoomPlan enhancements being done?
I got approved for ProximityReader APIs for Apple Tap to Tay on iPhone.
The Setting up the entitlement for Tap to Pay on iPhone guide says to look for "Additional Capabilities."
I do not see it under my Certificates, Identifiers & Profiles.
Where should I look?
Hello! Firstly, I am submitting an entitlement request to access the E-sim configuration for the iOS application. While filling out the form, I encountered an issue with providing carrier information. The form is designed for a single carrier, but I have five carriers. Should I list all of them?
Secondly, I have come across numerous discussions online regarding the time it takes to process such requests. Could you please provide me with an estimated timeframe for completion? Our customer is interested in completing the feature within a month.
Thanks
Hello everyone!
Since iOS 17.4, it's now easier to set up an eSIM from a browser/email or with a link. We can now longpress the QR code to get the option to add an eSIM. Is it still required to have that private entitlement to enable the same functionality in-app but not in a browser? Seems odd. I can store QR codes on Imgur to install eSIM but can't do the same with my native app by CTCellularPlanProvisioning.addPlan method. Redirecting users to the browser seems like a workaround, but it creates a noticeable discrepancy in usability.
I might have overlooked some SDK updates or new methods. Are there any new approaches to enable in-app eSIM setup with the latest update?
Secondly, in the "Other eSIM activation methods" section of this page, a special link is mentioned, but I couldn't find any examples or resources for that.
Thanks
I have a macOS app which contains a dext. I'd like to distribute it to external testers using TestFlight, so it has to pass Mac App Store review. It failed, because the App Sandbox entitlement was missing.
I checked the app, it has the entitlement, but the dext does not. However, the .entitlements file used by the dext does contain App Sandbox set to true.
I tried adding a "fake-entitlement" value to the .entitlements file, and that made it into the dext's code signature, but the App Sandbox entitlement appears to be stripped out by the build process?
For a dext target, it isn't possible to add the App Sandbox capability in Xcode's Signing and Capability section. I have to add the entitlement manually in the .entitlement file (or it was put there by the Xcode driver template, I don't remember).
I've tried clean building several times, I've tried Xcode 15.0.1, 15.2 and 15.3, but the result is always the same. I'm inspecting the entitlements using
codesign -dvvv --entitlements -
Does anyone know what I can do to put the App Sandbox entitlement into my dext's signature? Is this happening to anyone else?
I requested the com.apple.developer.device-information.user-assigned-device-name entitlement on Feb 11 and received an email reply stating "We’ll contact you within a few weeks with your request status." However, it's been more than a month without any updates.
Can anyone chime in with their experience RE: how long it took for Apple to review their request for this entitlement?
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_device-information_user-assigned-device-name
After updating to Xcode 15.3 and Sonoma, I started getting an error when packaging my app:
Provisioning profile failed qualification
Profile doesn't include the com.apple.developer.mail-client entitlement.
There is no indication in the documentation that this has anything to do with the provisioning profile, and there is no capacility that needs to be added.
I was given the "com.apple.developer.mail-client" entitlement from Apple over a year ago as documented in: https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_mail-client, and it worked fine until now.
Hi All,
I submitted a Family Controls Request Form but haven't heard back. I didn't get any case id when I submitted the request, so how do you track it and know when It is approved?
I'm currently developing an app that requires the main target and also the app extension to both use Family Controls. Does this mean I need to request forms for both app bundles separately or just the main app?
This is really worrying for us as our project is almost ready and we are unable to launch it :( . Would appreciate any responses.
Thanks,
Hey, I am trying to use Family Controls in Mac Catalyst. On the iOS app it works fine. On macOs using Mac Catalyst it builds fine but I get following console output.
Failed to get service proxy: Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named com.apple.FamilyControlsAgent was invalidated: failed at lookup with error 159 - Sandbox restriction." UserInfo={NSDebugDescription=The connection to service named com.apple.FamilyControlsAgent was invalidated: failed at lookup with error 159 - Sandbox restriction.}`
When i try to open the FamilyActivityPicker on the macOs app following error is displayed in the GUI.
The operation could not be completed. (FamilyControls.ActivityPickerRemoteView Error error 2.)
Do I need a familyControls capability for macOs? If yes, I only find it for iOS.
Thanks for hints and help :)
Hello,
I am writing a Desktop application for macOS with XCode.
This application will be available on app store. So, i have to put sandbox entitlement.
So, this application won't be able to access Desktop folder. It will be jailed into a specific directory to store datas.
I have installed a macOS application from appstore. When I launched this application, I got a TCC prompt, asking me to allow this application to access Desktop (or Downloads I don't remember). How can this be possible ?
I have tried to write a sandboxed application which tries to access to Desktop folder. I didn't get any TCC prompt: My access was rejected.
How can I ask to access Desktop folder from I sandboxed application ?
Thanks a lot
**Why does using CameraPicker require user authorization through a pop-up? **
Why don't ImagePicker or PhotoPicker require additional pop-up authorizations for accessing the photo library? All of these are implemented using UIImagePickerController, so why does one require a pop-up and the others do not?
Additionally, I thought that by configuring the picker, I would theoretically not need any permissions. If permissions are still required, wouldn’t it make more sense to directly request camera permissions and utilize the native camera functionality? What then are the advantages of using the picker?
How to add Additional capabilities in Certificates, Identifiers & Profiles on app store account to Enable the Tap to Pay on iPhone capability.
Hi,
Can a single domain serve a /.well-known/apple-app-site-association file for multiple apps from different developers?
We currently have our own domain, let's say example.com,
which serves https://example.com/.well-known/apple-app-site-association
which lists our app, let's say "ABCDEFG.com.example.AppA" for path "/app/a".
We're talking with another developer who has another app on the store.
Can we add their app, "MNOPQR.com.different.AppB" on our site, https://example.com/.well-known/apple-app-site-association, add their app ID for path "/app/b",
ask them to add our example.com domain in their associated-domains entitlement,
and would it work?
I mean would https://example.com/app/a open our app "ABCDEFG.com.example.AppA" and https://example.com/app/b open their app "MNOPQR.com.different.AppB" ?
We want to open https://example.com/redirect/app redirect to either /app/a or /app/b depending on the query parameters and launch our or their app.
Thanks in advance!
We have a legacy app written in a mix of C, ObjC, C++ and ObjC++ with .xib files. It is not sandboxed.
It sends an Apple Event to TV (the app of that name from Apple, not a physical TV) using /usr/bin/osascript, calling a compiled Apple Script which is in our app bundle's Resources directory with parameters which we generate in our app at runtime. The first time it does this on a fresh system, the OS puts up a dialog asking for permission to control TV, and after the user clicks Allow, our app appears under Security and Privacy in the Automation section.
That's all fine, but what is unexpected is that the app has no Apple Events entitlement (com.apple.security.automation.apple-events), and it doesn't have a NSAppleEventsUsageDescription string either. The documentation at https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_automation_apple-events says
Your app doesn’t need the Apple Events Entitlement if it only sends Apple events to itself or to other processes signed with the same team ID.
but we're not on the Apple team.
When I filter the log for messages from tccd pertaining to our app, it does indeed complain :
Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=<our bundle id>”
But despite those complaints, everything works - I can send the event, and TV acts upon it. Is this working only by accident, and might fail in some minor future OS update?
tccd also complains about the microphone
Prompting policy for hardened runtime; service: kTCCServiceMicrophone requires entitlement com.apple.security.device.audio-input but it is missing for requesting={TCCDProcess: identifier=<our bundle ID>
but we don't use the microphone
tccd complains about this too
<path-to-our-app> attempted to call TCCAccessRequest for kTCCServiceAccessibility without the recommended com.apple.private.tcc.manager.check-by-audit-token entitlement
What does that mean, and should we be concerned?
Hi,
My application doesn't start playback anymore after signing it with entitlements.
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.microphone</key>
<true/>
<key>com.apple.security.assets.music.read-write</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
</dict>
</plist>
regards, Joël
I need to obtain the user's EID within my app.
We are a mobile network operator and have also applied for Apple's eSIM development.
Does Apple provide a certified developer access to an API for obtaining EID? I understand that there is no public API available, but I'm unsure if approved operators can access EID. If so, how can I apply for this private API?
I'm looking to automate device provisioning using App Store Connect API.
Two things are snagging me:
Updating Profiles API: Adding a new device seems clunky (read-all-devices, save, delete profile, recreate with a new device). Is there a simpler way to do it? I looked over the documentation and it seems like there's no streamlined way to do it, am I correct?
Entitlements API: Not public yet? Does anyone know about any plans to open it up soon? I asked Apple Support and they didn't provide any information on this. Specifying entitlements during provisioning is an important step.
Thanks for any help!