
I have a third-party command line tool that is launched from a main Cocoa app which will be distributed in the Mac App Store.

I need to sandbox the third-party command line tool, but when I run it (with NSTask) it crashes with the following error, which I can see in the Console:

“Application Specific Signatures: Container object initialization failed: failed to get bundleid for app XXX”

Here is what I do in the main Cocoa app:

#import <Foundation/Foundation.h>

NSArray* args = @[];  // arguments passed to the embedded tool (empty here)
NSTask* task          = [[NSTask alloc] init];
// the helper is bundled in Contents/Resources of the main app
NSString* commandPath = [[[NSBundle mainBundle] resourcePath] stringByAppendingPathComponent:@"command"];
task.launchPath       = commandPath;
[task setArguments:args];
[task launch];

And every time I run this, a popup window appears with the message “OS X needs to repair your Library to run applications. Type your password to allow this.” I’ve signed this command line tool using the command:

codesign --entitlements ./XXX.entitlements -s "3rd Party Mac Developer Application: XXX" ./commandlinetool 

To make sure, I double checked it using this command:

codesign --display --entitlements - ./commandlinetool  

Here is the information :

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.downloads.read-write</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>

I also checked through this command:

codesign --display --verbose=4 XXX

and got this information:

Identifier=com.XXX.XXX.XXX
Format=Mach-O thin (x86_64)
CodeDirectory v=20100 size=75902 flags=0x0(none) hashes=3786+5 location=embedded
Hash type=sha1 size=20
CDHash=24fdcb9b5444a91f60xxxxx3a66bafa7030109e63fb1c
Signature size=4347
Authority=3rd Party Mac Developer Application: XXX
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=May 10, 2014, 12:04:34 PM
Info.plist=not bound
Sealed Resources=none
Internal requirements count=1 size=216

I also tried to add an Info.plist file to the command line tool, following the steps in this chapter (enter link description here), but nothing happened; the result for Info.plist is still "not bound".

How do I sandbox a third-party command line tool, and how do I add an Info.plist file to it? Did I miss something? Can anybody help me with this? Any help or pointer would be very much appreciated.

user2523232

1 Answer


It has been so long that I hadn't noticed this question, but someone still asked me how to do it.

According to the Apple developer documentation:

If your app employs a child process created with either the posix_spawn function or the NSTask class, you can configure the child process to inherit the sandbox of its parent. However, using a child process does not provide the security afforded by using an XPC service.

So you should sign your embedded command line tool with these entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>

Now your app works!

user2523232
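The two entitlement files above differ in exactly the way that decides whether the child launches: a helper that declares its own resource entitlements (the question's plist) gets its own container and fails, while a helper that declares only app-sandbox plus inherit runs inside the parent's container. The script below is an added example, not code from the question, the answer or Apple; it is a pre-ship check that reads the plist text which `codesign --display --entitlements - ./commandlinetool` prints and accepts it only when the enabled entitlement set is exactly {app-sandbox, inherit}. The two plists embedded in it are constructed samples so it runs offline; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an embedded helper
# is signed with the "inherit" entitlement pattern and nothing else.

# Print every com.apple.security.* key whose value is <true/>, one per line.
# The plist text is read from stdin, exactly as codesign prints it.
enabled_entitlements() {
    # remember the last <key>; emit it only if the next line is <true/>
    awk '
        /<key>/ { gsub(/^[ \t]*<key>|<\/key>[ \t]*$/, ""); key=$0; next }
        /<true\/>/ && key != "" { print key; key=""; next }
        { key="" }
    '
}

# Return 0 when the plist on stdin enables exactly app-sandbox and inherit.
# A child that inherits must not carry its own resource entitlements:
# codesign accepts such a file, but the sandbox refuses to start the process.
check_inherit_entitlements() {
    keys=$(enabled_entitlements | sort)
    expected=$(printf 'com.apple.security.app-sandbox\ncom.apple.security.inherit\n')
    [ "$keys" = "$expected" ]
}

# Constructed sample: the shape of the question's helper (own resource
# entitlements, no inherit). Expected result: rejected.
BAD_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.downloads.read-write</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>'

# Constructed sample: the shape recommended in the answer. Expected: accepted.
GOOD_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>'

# Wrappers over the constructed samples, so each outcome can be checked by name.
check_bad()  { printf '%s\n' "$BAD_PLIST"  | check_inherit_entitlements; }
check_good() { printf '%s\n' "$GOOD_PLIST" | check_inherit_entitlements; }

# Against a real binary the pipeline is (run on macOS, not here):
#   codesign --display --entitlements - ./commandlinetool 2>/dev/null | check_inherit_entitlements
if check_good && ! check_bad; then
    echo "entitlement check behaves as expected on the constructed samples"
fi
```

On older macOS versions `--entitlements -` writes a short binary blob header before the XML; it lands on the same line as the `<?xml` declaration, which contains no `<key>`, so the awk filter ignores it. Newer versions accept `--entitlements :-`, where the colon strips that header. Either way, run the check on the exact binary you ship inside the app bundle, since re-signing the main app does not re-sign the helper.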