The problem concerns the Sandbox and the execution of processes outside of the main one. It is a desktop application (created in Unity) that, upon execution, requires another process to be executed (an executable created with another technology). The main application exchanges data via socket with a mobile application through this second process, which serves as a local server.
I built the project in Unity, created the Xcode project, and entered all my developer account details in Xcode. I also added the Hardened Runtime property, and up to this point, everything worked perfectly. The application started, the second process (server) was also executed, and I could connect and exchange data with the mobile application. However, when I tried to publish it on the Mac App Store, I received a warning that I needed to enable the Sandbox as well. I went back to the project and enabled the Sandbox property along with both Network checks (Incoming Connection Server/Client).
At this point, I ran a test, but the second application, which acts as a server, seems to be executed and then immediately “killed” by the Sandbox.
The external application was signed this way:
codesign -f -s "DeveloperID Application: XXX" --entitlements entitlements.plist -o runtime externalApplicationName
entitlements.plist:
com.apple.security.cs.allow-jit = true
com.apple.security.cs.allow-unsigned-executable-memory = true
Thanks in advance!
Matteo Guerra is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
I managed to get it working. I’ll share the solution in case someone encounters the same problem.
- Add the Sandbox to the parent target and check the boxes that the application uses (Incoming Connection, Hardware, AppData, or File Access).
- If in the final build the child process is missing, add it using “Copy Files Phases” into a folder of your choice (from what I understand, it’s recommended to place it in Frameworks, but I’m not sure).
- Run the process in the parent’s main file. I used posix_spawn(), but if you’re using Swift, you should use NSTask.
- Manually sign the child executable with codesign, adding the Sandbox and making it inherit the parent’s one (com.apple.security.app-sandbox, com.apple.security.inherit).
- Do a build with Xcode.
There are probably cleaner ways to achieve the same thing, but doing it this way, I managed to upload it to the Mac App Store.
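To make the child-signing step concrete, here is an added shell example; it is not code from the original answer. It writes the child's entitlements file with only the two App Sandbox keys the answer names (app-sandbox and inherit, so the helper runs inside the parent's sandbox rather than declaring its own network capabilities), checks that no other keys crept in, and builds the same codesign invocation used in the question. The signing identity, the helper path and the plist path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. It scripts the child-process
# part of the answer: an entitlements file carrying only app-sandbox and inherit,
# a sanity check on it, and the codesign command from the question.
# Placeholders: the signing identity, the helper path and the plist path.

# Write the child's entitlements. Only the two App Sandbox keys from the answer
# appear: the child gets its network access and other capabilities from the
# parent's sandbox instead of declaring its own.
write_child_entitlements() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>
EOF
}

# Count the entitlement keys in a plist. A child that inherits should have
# exactly the two above, so this is a cheap check before signing.
count_entitlement_keys() {
    grep -c '<key>' "$1"
}

# Build the codesign command string (same flags as the question's command,
# pointed at the child's own entitlements file).
child_codesign_cmd() {
    identity="$1"; entitlements="$2"; helper="$3"
    printf 'codesign -f -s "%s" --entitlements "%s" -o runtime "%s"\n' \
        "$identity" "$entitlements" "$helper"
}

# Sign for real only where codesign exists (macOS); elsewhere print the command.
sign_child() {
    identity="$1"; entitlements="$2"; helper="$3"
    if command -v codesign >/dev/null 2>&1; then
        codesign -f -s "$identity" --entitlements "$entitlements" -o runtime "$helper" \
            && codesign -d --entitlements - "$helper"   # show what was embedded
    else
        child_codesign_cmd "$identity" "$entitlements" "$helper"
    fi
}

# Usage with placeholder values (constructed, not from the original post):
#   write_child_entitlements child.entitlements
#   sign_child "DeveloperID Application: XXX" child.entitlements MyApp.app/Contents/Frameworks/server
```

The identity string is copied from the question as a placeholder; use whatever certificate matches your distribution target. Running the script after the Copy Files phase has placed the helper inside the bundle keeps the signed binary and the bundled one the same file.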