MAS com.apple.security.app-sandbox in entitlements crashes the application
- Version: 22.4.1
- Target: mas
Sandbox entitlement is crashing the mas build on startup. The application works fine if I do not include `<key>com.apple.security.app-sandbox</key><true/>`, but it is refused by Mac Store. I tried using both mac and mas plist.
I even tried a workaround proposed in [this issue](https://github.com/electron/electron-osx-sign/issues/192) to add the sandbox entitlement to `node_modules/app-builder-lib/templates/entitlements.mac.plist`. The app crashes.
Here is my build config:

```json
"build": {
  "productName": "xxxxx",
  "appId": "com.xxx.xx",
  "artifactName": "${productName} Setup-${version}.${ext}",
  "mac": {
    "entitlementsInherit": "build/entitlements.mac.plist",
    "category": "public.app-category.business",
    "extraResources": [
      {
        "from": "./preconfigMac",
        "to": "preconfig",
        "filter": [
          "*.sh"
        ]
      }
    ]
  },
  "directories": {
    "output": "release"
  },
  "files": [
    "dist/",
    "package.json"
  ],
  "protocols": {
    "name": "Test protocol",
    "role": "Viewer",
    "schemes": [
      "test"
    ]
  },
  "mas": {
    "type": "distribution",
    "provisioningProfile": "embedded.provisionprofile",
    "entitlements": "build/entitlements.mas.plist",
    "entitlementsInherit": "build/entitlements.mas.inherit.plist"
  },
  "afterSign": "scripts/notarize.js"
},
```

I identified the problem by checking the entitlements of the output. It seems that when I add sandbox entitlement it completely messes up the xml.
Here is the output of `codesign -d --entitlements :- Test.app` when entitlements do not include sandbox:

```
Executable=xxxxxx
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
</plist>
```

That is exactly the xml that I have in my entitlements.mas.plist.
However, when I add the sandbox entitlement to mas.plist or to mas.inherit.plist, this is the output:

```
Executable=xxxxx
bplist00?
_ com.apple.application-identifier_#com.apple.developer.team-identifier_com.apple.security.app-sandbox_%com.apple.security.application-groups_com.apple.security.cs.allow-jit_6com.apple.security.cs.allow-unsigned-executable-memory_0com.apple.security.cs.disable-library-validation_xxxxxx ? :`???7U`acdef%
```

As you can see the entitlements are completely messed up because of the sandbox. Seems that there is some issue in how the entitlements are created during the build.
Any suggestions of what might be wrong?
Issue Analytics
- Created 4 years ago
- Reactions: 11
- Comments: 27 (9 by maintainers)
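
An added example, not part of the original issue or of electron-builder: a Python helper that decodes captured `codesign -d --entitlements` output whether the embedded entitlements are an XML property list or a binary one (which begins with the magic `bplist00`), and reports whether the sandbox key is set. The function names, the `TEAMID.com.example.app` identifiers and the sample captures are assumptions constructed for illustration.

```python
import plistlib
import struct

SANDBOX_KEY = "com.apple.security.app-sandbox"
BLOB_MAGIC = 0xFADE7171  # entitlements blob header, printed when ':' is omitted


def extract_payload(raw: bytes) -> bytes:
    """Return the bare plist bytes from captured codesign output."""
    # The "Executable=..." line appears when stderr is captured with stdout.
    if raw.startswith(b"Executable="):
        raw = raw.partition(b"\n")[2]
    # Blob header: 4-byte magic + 4-byte big-endian length (header included).
    if len(raw) >= 8 and struct.unpack(">I", raw[:4])[0] == BLOB_MAGIC:
        raw = raw[8:struct.unpack(">I", raw[4:8])[0]]
    return raw.lstrip(b"\r\n\t ")


def inspect_entitlements(raw: bytes) -> dict:
    """Decode XML or binary entitlements and summarise them."""
    payload = extract_payload(raw)
    fmt = "binary" if payload.startswith(b"bplist00") else "xml"
    ents = plistlib.loads(payload) if payload else {}  # format is auto-detected
    return {
        "format": fmt,
        "sandboxed": ents.get(SANDBOX_KEY) is True,
        "keys": sorted(ents),
    }


# Constructed sample data; identifier values are placeholders.
HARDENED = {
    "com.apple.security.cs.allow-jit": True,
    "com.apple.security.cs.allow-unsigned-executable-memory": True,
    "com.apple.security.cs.disable-library-validation": True,
}
SANDBOXED = {
    **HARDENED,
    SANDBOX_KEY: True,
    "com.apple.application-identifier": "TEAMID.com.example.app",
    "com.apple.developer.team-identifier": "TEAMID",
    "com.apple.security.application-groups": ["TEAMID.com.example.app"],
}
XML_CAPTURE = b"Executable=/path/to/Test\n" + plistlib.dumps(HARDENED)
BIN_CAPTURE = b"Executable=/path/to/Test\n" + plistlib.dumps(
    SANDBOXED, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for capture in (XML_CAPTURE, BIN_CAPTURE):
        print(inspect_entitlements(capture))
```

On a real bundle, pass the bytes captured from the `codesign` command to `inspect_entitlements` instead of the constructed samples.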
Top GitHub Comments
One of the many critical issues solved by the great stale bot! 🥳
Same here (