2

the problem concerns the Sandbox and the execution of processes outside of the main one. It is a desktop application (created in Unity) that, upon execution, requires another process to be executed (an executable created with another technology). The main application exchanges data via socket with a mobile application through this second process, which serves as a local server.

I built the project in Unity, created the xCode project, and entered all my developer account details in xCode. I also added the Hardened Runtime property, and up to this point, everything worked perfectly. The application started, the second process (server) was also executed, and I could connect and exchange data with the mobile application. However, when I tried to publish it on the Mac App Store, I received a warning that I needed to enable the Sandbox as well. I went back to the project and enabled the Sandbox property along with both Network checks (Incoming Connection Server/Client).

At this point, I ran a test, but the second application, which acts as a server, seems to be executed and then immediately "killed" by the Sandbox.

The external application was signed this way:

codesign -f -s "DeveloperID Application: XXX" --entitlements entitlements.plist -o runtime externalApplicationName

entitlements.plist:

com.apple.security.cs.allow-jit = true com.apple.security.cs.allow-unsigned-executable-memory = true

Thanks in advance !!!

Improve this question
1
  • Can you post the sandboxd logs from the Console when the killing happens?
    – iSpain17
    Commented Sep 17 at 16:51

1 Answer 1

Reset to default
0

I managed to get it working. I'll share the solution in case someone encounters the same problem.

  1. Add the SandBox to the parent target and check the boxes that the application uses (Incoming Connection, Hardware, AppData, or File Access).

  2. If in the final build the child process is missing, add it using "Copy Files Phases" into a folder of your choice (from what I understand, it's recommended to place it in Frameworks, but I'm not sure).

  3. Run the process in the parent’s main file. I used posix_spawn(), but if you're using Swift, you should use NSTask.

  4. Manually sign the child executable with codesign, adding the SandBox and making it inherit the parent's one. (com.apple.security.app-sandbox, com.apple.security.inherit)

  5. Do a build with Xcode.

There are probably cleaner ways to achieve the same thing, but doing it this way, I managed to upload it to the Mac App Store.

Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.