I recently reset my machine to factory settings to start the year fresh and installed Xcode 15.1 on my Macbook Air M1. I was trying to run, build, archive a project and ran into a recommended settings pop-up that I unfortunately dismissed. Now I am not sure how to locate it or trigger it back so I can update it appropriately. Can someone advise? Thanks in advance!

Electron app builded successfully with electron forge and @electron/osx-sign. But it crash when startup and get crash log below: Time Awake Since Boot: 320000 seconds Time Since Wake: 9200 seconds System Integrity Protection: enabled Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BREAKPOINT (SIGTRAP) Exception Codes: 0x0000000000000002, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Signal: Trace/BPT trap: 5 Termination Reason: Namespace SIGNAL, Code 0x5 Terminating Process: exc handler [95916] Thread 0 Crashed:: Dispatch queue: com.apple.main-thread if I use custom entitlements, it shows: Time Awake Since Boot: 310000 seconds Time Since Wake: 8600 seconds System Integrity Protection: enabled Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_INSTRUCTION (SIGILL) Exception Codes: 0x0000000000000001, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Signal: Illegal instruction: 4 Termination Reason: Namespace SIGNAL, Code 0x4 Terminating Process: exc handler [93221] Application Specific Information: dyld: launch, running initializers /usr/lib/libSystem.B.dylib Could not set sandbox profile data: Operation not permitted (1) Application Specific Signatures: SYSCALL_SET_PROFILE here is entitlement: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.cs.allow-jit</key> <true/> <key>com.apple.security.files.user-selected.read-write</key> <true/> <key>com.apple.security.network.server</key> <true/> <key>com.apple.security.network.client</key> <true/> </dict> </plist> inherit entitlement: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.files.user-selected.read-write</key> <true/> <key>com.apple.security.inherit</key> <true/> </dict> </plist> what can I do to resolve it?

I'm distributing my app in zip format. But stuck in app update? My app self-detects for the latest version. If yes, then launch other non-appsandbox app that download the latest version, and then replace the old app (in the /Applications directory) with the new one. It works correctly. But once I made the Updater app a Sandbox app, it did not allow me to replace the app. Error: You don’t have permission to save the file “ESPlus” in the folder "Applications.”

I’m trying to implement XPC Rendezvous like Quinn described in many awesome posts on here but I’m now at a stuck point were I just have no idea. I want to communicate with a Safari extension via XPC and also a helper application which led me to XPC Rendezvous (https://developer.apple.com/forums/thread/715338) because a XPC Service in the Extension is scoped to the container. I then made a Command Line Target and added it like its described here (https://developer.apple.com/documentation/xcode/embedding-a-helper-tool-in-a-sandboxed-app ) and also took the xpc test code and inspiration to set up my launch agent from here (https://developer.apple.com/documentation/servicemanagement/updating_your_app_package_installer_to_use_the_new_service_management_api). This command line tool should do the management for the XPC connections because it’s not in the sandboxed container. The tool sets up the xpc connection like in the sample code directly and not in a XPC Service added via a Target template. It exposes the Mach Service. And that looks like its building fine after some fighting but the service just wont start - I saw it trying in console and after running it in Xcode and finally finding the crash report - it brought me there (https://developer.apple.com/forums/thread/706390) I have Process is not in an inherited sandbox. - and thinking about it, it makes sense because I first thought its just because it ran through Xcode, but its crashing this way also as a LaunchAgent. I mean it does make sense - there is nothing to inherit because it’s spawned by launchd - and that’s what I want isn’t it - to make the Rendezvous? Okay I thought now removing com.apple.security.inherit brings it in its own Sandbox (its needs sandboxing) but this also crashes the process because of the sandbox. Also after adding it to the App Group. What am I missing here or what do I want to accomplish? Do I want to inherit the sandbox? I guess not the helper should have its own. The only difference I see in comparison to SMAppServiceSampleCode is it moves the product in Copy Bundle Resources, and I have a Copy Files Phase with Destination: Executables (Like the other sample code said - and that’s looks “more correct” - and well SMAppServiceSampleCode isn’t sandboxed. I then tried making a new Command Line Target and just added App Sandbox Capability and tried to run this fresh one - and that also crashes. This makes me think I’m just ****** somewhere but I have read now everything I could find. I’m happy to provide any Code or crash logs but I dont know what part is really relevant here, It looks like the LaunchAgent gets installed correctly and wants to run but the sandbox is preventing me. The Bundle Identifier and XPC device name of the helper starts with my teamID (I got that from here https://developer.apple.com/forums/thread/703702) What could I be doing wrong? Thanks a lot! Benjamin

I am creating a MacOS app embedding the QuickLook extension in it. The other day, I uploaded it to App Store Connect and had it reviewed. But it was rejected due to the following reason. Your app incorrectly implements sandboxing, or it contains one or more entitlements with invalid values. Please review the included entitlements and sandboxing documentation and resolve this issue before resubmitting a new binary. com.apple.security.temporary-exception.files.absolute-path.read-only / This entitlement is also included in my app's meta data on my account page of App Sore Connect. Including it, I can find the following two entitlements related to "temporary-exception" in the meta data. com.apple.security.temporary-exception.files.absolute-path.read-only: ( "/" ) com.apple.security.temporary-exception.mach-lookup.global-name: ( "com.apple.testmanagerd", "com.apple.dt.testmanagerd.runner", "com.apple.coresymbolicationd" ) To tell the truth, about Sandbox entitlements for QuickLook extension, what I intentionally set on the Xcode project are the next two items only. And actually I have not ever recognized that the entitlements related to "temporary-exception" above are included in my app's bundle. com.apple.security.app-sandbox: true com.apple.security.files.user-selected.read-only: true I think these "temporary-expection" entitlements are essential ones for the QuickLook extension and it looks like that Xcode automatically attached them in the process of creating app's build. If they are forced to be attached by getting the QuickLook extension sandboxed, I don't know what I should do. Although I explained my thought to the reviewer, but I could not change the situation. Is there no way to get solution besides removing the QuickLook extension from my app ?

We're doing some disaster recovery management / risk management and a point-of-failure for our app is if we lose access to our bundle id. From my understanding, secure keychain items are scoped to your bundle ID as well as iCloud files stored under the app with 'hidden' scope. Losing our bundle ID is a scenario we want to eliminate completely from our threat/disaster modelling. Is this a realistic concern we should have?

Context I'm using the NSFileCoordinator &amp; NSFilePresenter in a sandboxed application to access SQLite database files and their secondary files (e.g. WAL or journal files) as per https://developer.apple.com/documentation/foundation/nsfilepresenter/1415415-primarypresenteditemurl E.g. something similar to this: var presenters: [NSFilePresenter] = ["wal", "journal", "shm"].map { ext in let presenter = SQLiteTempFilePresenter(databaseId: databaseContext.id, sqliteMainFile: url, newExt: ext) // addFilePresenter needs to be balanced with a `removeFilePresenter`. See SQLiteTempFilePresenter#deinit NSFileCoordinator.addFilePresenter(presenter) return presenter } That way there will be a NSFilePresenter for each possible secondary SQLite file (e.g. with the main file being foo/bar/database.sqlite there will be presenter for each of the secondary files foo/bar/database.sqlite-shm and foo/bar/database.sqlite-wal) Using NSFilePresenter to work with SQLite files within the Sandbox environment works as expected. Desired change I'd like to expand the usage of NSFileCoordinator to react to changes to the SQLite files that happen outside of the application. To achieve that I added an additional NSFilePresenter for the main file (e.g. foo/bar/database.sqlite) that has a func presentedItemDidChange() method. That method does get called when I change the corresponding SQLite file (e.g. by using the sqlite3 command line tool). So far so good. But in WAL mode (https://www.sqlite.org/wal.html), changes to the SQLite file don't immediately change the file itself but get written to the write-ahead-log first (e.g. foo/bar/database.sqlite-wal in this example). Only when the outside connection is closed, will the changes be committed to the main SQLite file itself. At which point the NSFilePresenter#presentedItemDidChange() method will be called. So I also like to be notified when the secondary files change. Adding a presentedItemDidChange() callback method to the SQLiteTempFilePresenter instances for the secondary files does not seem to work, the method never gets called even though the corresponding secondary files change. Questions If I add another instance of the NSFilePresenter for each of the secondary files, the callback presentedItemDidChange() gets called for the secondary files as well. Having two different instance of the NSFilePresenter for a single URL (one for sandboxing purposes, the other for being notified of file changes) seems a bit fishy though. Is that the intended (or at least an acceptable) way of using NSFilePresenter? The documentation for NSFilePresenter states that "If another process uses a file coordinator for the same file or directory, your presenter objects are similarly notified whenever the other process makes its changes." I do get notified though when using the sqlite3 command line tool which does not use a NSFileCoordinator. Is there any documentation that explains that behaviour? I mean it's great that it seems to work but I'd like to understand why.

I've encountered an issue while working on a macOS project involving Camera extension, specifically related to NSPasteboard. I want to use NSPasteboard for sending string type data from app to Camera Extension. Strangely, the exact same code that works flawlessly with NSPasteboard in a DAL plugin doesn't seem to work when implemented in a camera extension. To clarify, I can access the exact same pasteboard using the identical code in the DAL plugin and in an App, but when attempting the same in the camera extension, it doesn't behave as expected. Below is the code snippet I'm using in the camera extension: let pasteboardExtension = NSPasteboard(name: NSPasteboard.Name(rawValue: "com.example.myextension")) if let items = pasteboardExtension.readObjects(forClasses: [NSString.self], options: nil) as? [String] { NSLog("Received items in extension: \(items)") } else { NSLog("No items received in extension") } I've thoroughly reviewed the documentation without finding a resolution. Has anyone else faced a similar discrepancy between NSPasteboard behavior in DAL plugins and camera extensions? I'm reaching out for advice, insights, or potential workarounds from the community. If you have successfully addressed a similar issue or have any information that might shed light on this situation, your input would be greatly appreciated. Does Camera Extension support NSPasteBoard?

Hello, I am trying to create a dmg file by launching hdiutil through my swift program. This swift program is sandboxed. Here is what i've done: let hdd_file:String = NSHomeDirectory() + "hdd.dmg.sparseimage" let process = Process() process.launchPath = "/usr/bin/hdiutil" process.arguments = ["create", "-size", "30g", "-fs", "'APFS'", "-volname", "myvolume", "-type", "SPARSE", hdd_file] let pipe = Pipe() process.standardOutput = pipe process.launch() let data = try pipe.fileHandleForReading.readToEnd() print(data) I get this error: hdiutil: create failed - Device not configured I don't understand why i get this error because the dmg file is created in application's sandbox home directory. Or maybe hdiutil is forbidden but i am just creating a dmg file. I am not trying to mount a device. Do you have any idea of how i can create a dmg file from my sandboxed application ? Thanks

Context I have an app that uses the container for two things: store a realm database, and store a log.txt file with some debugging logs for myself. The realm database path is set via Realm.Configuration.defaultConfiguration The log.txt file path is set with FileManager.default.urls(for: .documentDirectory, in: .userDomainMask)[0].appendingPathComponent("log.txt") I already have released and distributed the version 1 to a few users. Given the complexity around signing an app in Xcode, the app was released and distributed unsigned. And now I'm trying to release the version 2 signed, but here's when I'm getting this weird issue. All unsigned apps (version 1, and the unsigned version 2) are using as container the path ~/Library/Containers/com.dgrcode.{appName}/Data. The signed version 2, however, is using ~/ as the container. So for example log.txt is located at: unsinged apps: ~/Library/Containers/com.dgrcode.{appName}/Data/Documents/log.txt. signed app: ~/Documents/log.txt Realm's default.realm file is located at: unsigned apps: ~/Library/Containers/com.dgrcode.{appName}/Data/Library/Application Support/default.realm signed app: I haven't found it yet 😓 The obvious problem is that any user from version 1 that installs version 2 signed, will start using a new database instead of continuing using the existing database. And obviously having my app's data spread through their ~/ directory is far from ideal. Here's what I get when I run codesign -v -d on the first version (everything between {} has been redacted for clarity: Executable={/path/to/app} Identifier=com.dgrcode.{appName} Format=app bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20500 size=56564 flags=0x10002(adhoc,runtime) hashes=1757+7 location=embedded Signature=adhoc Info.plist entries=29 TeamIdentifier=not set Runtime Version=13.3.0 Sealed Resources version=2 rules=13 files=2 Internal requirements count=0 size=12 Where I think the most relevant part is the Signature=adhoc and TeamIdentifier=not set. Now I archive a version 2 of the app. I make a copy and I sign only one of them using codesign -v --sign. I package them inside a .dmg (not sure if this affects anything, but just in case), and check the .app inside each of the .dmg after mounting them. Here's the result of codesign -v -d for each one: unsigned: Executable={path/to/app} Identifier=com.dgrcode.{appName} Format=app bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20400 size=57452 flags=0x2(adhoc) hashes=1785+7 location=embedded Signature=adhoc Info.plist entries=31 TeamIdentifier=not set Sealed Resources version=2 rules=13 files=4 Internal requirements count=0 size=12 signed Executable={path/to/app} Identifier=com.dgrcode.{appName} Format=app bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20400 size=57335 flags=0x0(none) hashes=1785+3 location=embedded Signature size=4798 Signed Time=13 Nov 2023 at 12:17:24 Info.plist entries=31 TeamIdentifier=2W564BCY7Z Sealed Resources version=2 rules=13 files=4 Internal requirements count=1 size=188 The unsigned app works as expected. When I open the unsigned app, it continues using the realm database in the previous location ~/Library/Containers/com.dgrcode.{appName}/Data, and I can see the log.txt update its content. The signed app, however, doesn't use the same database, and is no longer writing to the log.txt file at ~/Library/Containers/com.dgrcode.{appName}/Data, but it's writing at ~/Documents/log.txt instead. It does use a database, but I have no clue where it is. Questions How can I make the signed app use the path ~/Library/Containers/com.dgrcode.{appName}/Data/ as its container lcoation? How can something like this happen just by signing the .app?

My app has the App Sandbox enabled and the File Access to Downloads folder is set to Read / Write in XCode. Upon clicking on a button the app should open the Finder displaying the Downloads folder. The following code snippet is used to launch the Finder if let inspirationsDirectory = FileManager.default.urls(for: .downloadsDirectory, in: .userDomainMask).first{ NSWorkspace.shared.open(inspirationsDirectory) } On my MacOS it works well. After releasing the app to the AppStore and installing it on another Mac the following message is received upon clicking the button: The application does not have permission to open "Downloads" Which would be the solution to launch the Finder successfully ? Is it possible to launch the Finder showing the Downloads folder sorted by the Date Added column descending ?

I'm encountering an intermittent issue while trying to run safaridriver on macOS Sonoma. Here are the details of the problem: I ran sudo /usr/bin/safaridriver -p0 --enable in the beginning. After that when I run this multiple times /usr/bin/safaridriver -p0, I sometimes receive an "Operation not permitted" error, but not consistently. This issue seems to occur intermittently. I've checked the sudo logs, and I see the following error message: kernel: (Sandbox) Sandbox: com.apple.WebDriver.HTTPService(2049) deny(1) user-preference-write com.apple.WebDriver.HTTPService cfprefsd: (CoreFoundation) [com.apple.defaults:cfprefsd] rejecting write of key(s) MobileDeviceRemoteXPCEnabled in { com.apple.WebDriver.HTTPService, nimish, kCFPreferencesAnyHost, /Users/nimish/Library/Preferences/com.apple.WebDriver.HTTPService.plist, managed: 0 } from process 2049 (com.apple.WebDriver.HTTPService) because setting these preferences requires user-preference-write or file-write-data sandbox access cfprefsd: (CoreFoundation) [com.apple.defaults:cfprefsd] Couldn't open parent path due to [2: No such file or directory kernel: (Sandbox) Sandbox: com.apple.WebDriver.HTTPService(2049) deny(1) network-bind local:*:7055 com.apple.WebDriver.HTTPService: (WebDriver) [com.apple.WebDriver:WebService] Error starting HTTP server listening on localhost:0: Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted" UserInfo={NSLocalizedDescription=Operation not permitted, NSLocalizedFailureReason=Error in bind() function} com.apple.WebDriver.HTTPService: (WebDriver) [com.apple.WebDriver:XPCService] Client connection invalidated for some reason I am getting this on Mac Os Sonoma Can anybody please help on this?

Hi everyone, I've been trying for a few days and still getting the same errors..so any help would be appreciated!! I've got the app to pass the Validation in XCode Organizer, but after I uploaded to Apple Store Connect through the Organizer, I'd get an email with errors, ITMS-90238: Invalid Signature, mentioning a long list of plugins, and then ITMS-90296: App sandbox not enabled. I'm not sure how to investigate these problems, so I've been just blindly trying everything. I've added the Sandbox capability in Xcode and have the entry in the entitlement file. The app even shows Sandbox Yes in Activity Monitor. This is an Qt app. I generated an Xcode project using qmake, then use Xcode to sign and upload. I tried both manually selecting the profile and letting Xcode manage signing automatically. I've tried both Distribution profiles and Development profiles. It was giving build errors in signing unless I used the --deep flag in Other Code Signing Flags. Then I read online that it's not recommended. So I've tried using the -codesign option in the Qt's mac deployment tool, macdeployqt. It passed the validations but still gives the same error. I suspect it's doing a codesign --deep internally. This is how I'm using macdeployqt macdeployqt myapp.app -qmldir="$SOURCE_DIR"/qml -always-overwrite -appstore-compliant -codesign="$SIGNING_CERT" Any advice would be much appreciated!! I'm on macOS Sonoma 14.0, Apple M2, Qt 6.5.3

The old one is "x-apple.systempreferences:com.apple.preference.security?Privacy_ScreenCapture"

Hello, I currently am designing a data backup solution, and have an unsandboxed launch agent written in DotNet 6 that needs read access to files in order to back them up. It is configured together with its own App Group (with the sandboxed GUI). However, this Launch Agent cannot access files or enumerate directories in ~/Library/Group Containers/com.apple.notes whatsoever (even after enabling full disk access for the calling app, the files are not restricted either). I am trying to access the NoteStore.sqlite and similar files so that the Launch Agent can read the file and upload it to S3. Is there some entitlement I need to add, or access prompt? It seems like there is additional security layers for Sandboxed folders for apps that I'm trying to bypass. What is the recommended solution for my use case? (For Ventura and Sonoma users)

I`m trying create simple http sever, when I do it in main target of my macOS app then it works, but when I do it in uitests target it fails (result == -1 (Operation not permitted)). Interestingly when I run it in iOS uiTests target then it works. let sockfd = socket(AF_INET, SOCK_STREAM, 0) var serverAddress = sockaddr_in(sin_len: __uint8_t(MemoryLayout<sockaddr_in>.size), sin_family: sa_family_t(AF_INET), sin_port: CFSwapInt16HostToBig(8080), sin_addr: in_addr(s_addr: inet_addr("127.0.0.1")), sin_zero: (0, 0, 0, 0, 0, 0, 0, 0)) let result = withUnsafePointer(to: &serverAddress) { $0.withMemoryRebound(to: sockaddr.self, capacity: 1) { Darwin.bind(sockfd, $0, socklen_t(MemoryLayout<sockaddr_in>.size)) } } I've got set in my main target entitlements: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> </dict> </plist> What can be reason that it fails? how can I fix it?