Mac App Store Sandboxing
It looks like by November 1st, you'll have to read and write to ~/Library/Containers/<app id>/Data/Library/Application Support/<app name>/ in order for your app to be accepted on the Mac App Store. This of course is the equivalent of ~/Library/Application Support/<app name>.
www.posemotion.com
PureBasic Tools for OS X: PureMonitor, plist Tool, Data Maker & App Chef
Mac: 10.13.6 / 1.4GHz Core 2 Duo / 2GB DDR3 / Nvidia 320M
PC: Win 7 / AMD 64 4000+ / 3GB DDR / Nvidia 720GT
Even the vine knows it surroundings but the man with eyes does not.
Re: Mac App Store Sandboxing
[deleted]
Last edited by WilliamL on Mon May 14, 2012 5:09 pm, edited 2 times in total.
MacBook Pro-M1 (2021), Sonoma 14.4.1, PB 6.10LTS M1
Re: Mac App Store Sandboxing
WilliamL wrote: Is this a new path structure established in Lion? Are all apps updated to this structure when upgrading to Lion? ~/Library/Containers/<app id>/Data/Library/Application Support/<app name>/
Well, as of November 1st, this will be for Lion if you want to be accepted on the Mac App Store. It's for security reasons.
www.posemotion.com
PureBasic Tools for OS X: PureMonitor, plist Tool, Data Maker & App Chef
Mac: 10.13.6 / 1.4GHz Core 2 Duo / 2GB DDR3 / Nvidia 320M
PC: Win 7 / AMD 64 4000+ / 3GB DDR / Nvidia 720GT
Even the vine knows it surroundings but the man with eyes does not.
Re: Mac App Store Sandboxing
J. Baker wrote: This of course is the equivalent of ~/Library/Application Support/<app name>.
What do you mean that is equivalent?
Re: Mac App Store Sandboxing
J. Baker wrote: This of course is the equivalent of ~/Library/Application Support/<app name>.
kenmo wrote: What do you mean that is equivalent?
Maybe wrong choice of word. But that's basically how it would be done before Apple requires the sandboxing way.
www.posemotion.com
PureBasic Tools for OS X: PureMonitor, plist Tool, Data Maker & App Chef
Mac: 10.13.6 / 1.4GHz Core 2 Duo / 2GB DDR3 / Nvidia 320M
PC: Win 7 / AMD 64 4000+ / 3GB DDR / Nvidia 720GT
Even the vine knows it surroundings but the man with eyes does not.
Re: Mac App Store Sandboxing
Oh okay. I didn't know if one path was a symbol link for the other, or something.
So for all future purposes, use ~/Library/Containers/<app id>/Data/Library/Application Support/<app name>/, gotcha. Thanks for the info, J.
Re: Mac App Store Sandboxing
kenmo wrote: Oh okay. I didn't know if one path was a symbol link for the other, or something.
So for all future purposes, use ~/Library/Containers/<app id>/Data/Library/Application Support/<app name>/, gotcha. Thanks for the info, J.
www.posemotion.com
PureBasic Tools for OS X: PureMonitor, plist Tool, Data Maker & App Chef
Mac: 10.13.6 / 1.4GHz Core 2 Duo / 2GB DDR3 / Nvidia 320M
PC: Win 7 / AMD 64 4000+ / 3GB DDR / Nvidia 720GT
Even the vine knows it surroundings but the man with eyes does not.
Re: Mac App Store Sandboxing
What is an example of 'app id' (as opposed to the 'app name')?
Say for 'TextEdit.app'
MacBook Pro-M1 (2021), Sonoma 14.4.1, PB 6.10LTS M1
Re: Mac App Store Sandboxing
WilliamL wrote: What is an example of 'app id' (as opposed to the 'app name')? Say for 'TextEdit.app'
com.apple.TextEdit
As for distributing a sandboxed app, make sure to read "the code signing guide", so your app doesn't get rejected by something simply overlooked.
To request that your application be placed in a sandbox, you must include the following key in your entitlements property-list file at a minimum:
com.apple.security.app-sandbox
In addition to including the preceding key, your entitlements property-list file should include the other keys that reflect which resources your application uses. An application can request access to the Open and Save panels, access to the network, access to a camera (when present), and access to the microphone. You must request the items that your application uses but should not request access to items your application does not use. If you attempt to use a feature for which you do not have an appropriate entitlement, the system denies access and logs an appropriate message to the console. You can use these console messages during debugging to help identify features your application uses.
For a complete list of entitlement keys and information on how to create an entitlements property-list file and apply it to your application, see Code Signing Guide.
www.posemotion.com
PureBasic Tools for OS X: PureMonitor, plist Tool, Data Maker & App Chef
Mac: 10.13.6 / 1.4GHz Core 2 Duo / 2GB DDR3 / Nvidia 320M
PC: Win 7 / AMD 64 4000+ / 3GB DDR / Nvidia 720GT
Even the vine knows it surroundings but the man with eyes does not.
Re: Mac App Store Sandboxing
I recently sent an iOS app to iTunes Connect, I had completely forgotten how painful it is to go through the certificates, Apple requirements and such...
Hope they'll come up with something simpler at some time!
Re: Mac App Store Sandboxing
Polo wrote: I recently sent an iOS app to iTunes Connect, I had completely forgotten how painful it is to go through the certificates, Apple requirements and such... Hope they'll come up with something simpler at some time!
Simpler is nice, but if it weeds out the not so serious developers and helps security, I'm all for it.
www.posemotion.com
PureBasic Tools for OS X: PureMonitor, plist Tool, Data Maker & App Chef
Mac: 10.13.6 / 1.4GHz Core 2 Duo / 2GB DDR3 / Nvidia 320M
PC: Win 7 / AMD 64 4000+ / 3GB DDR / Nvidia 720GT
Even the vine knows it surroundings but the man with eyes does not.
Re: Mac App Store Sandboxing
Hi,
as I have 5 PB-made Apps approved to the Mac App Store under the name 'quadWorks', I can give you this hint:
My Apps save their configuration to /Users/<User>/Library/Application Support/quadWorks/<App-Name>.
I doubt, this will be enough for Sandboxing my Apps: For the moment, I removed all automatic saving to locations other than /tmp and the above.
When in need of a destination-folder set by the User, the path doesn't matter - at least what I learned from this incident: http://purebasic.fr/english/viewtopic.php?f=19&t=49720
Regards,
JamiroKwai
Re: Mac App Store Sandboxing
I recently had to do an update to my app as I thought Snow Leopard was sandboxing too. I must have read wrong info somewhere. So just make sure to use the old path for Snow Leopard and the sandbox path for Lion and up. The following example code is for PB v4.61.
Code: Select all
; PrefsPath$ is an illustrative variable name
If OSVersion() = #PB_OS_MacOSX_Future ; Lion and up (PB v4.61)
  PrefsPath$ = GetHomeDirectory() + "Library/Containers/com.<company-name>.<App-name>/Data/Library/Application Support/<App-Name>"
Else ; Snow Leopard
  PrefsPath$ = GetHomeDirectory() + "Library/Application Support/<Company-Name>/<App-Name>" ; with or without <Company-Name>
EndIf
www.posemotion.com
PureBasic Tools for OS X: PureMonitor, plist Tool, Data Maker & App Chef
Mac: 10.13.6 / 1.4GHz Core 2 Duo / 2GB DDR3 / Nvidia 320M
PC: Win 7 / AMD 64 4000+ / 3GB DDR / Nvidia 720GT
Even the vine knows it surroundings but the man with eyes does not.
Re: Mac App Store Sandboxing
Hi there,
it seems, you have to do more for sandboxing your Apps...
1. Use J. Baker's suggestion for using the correct location of the preferences-file.
Code: Select all
; PrefsPath$ is an illustrative variable name
If OSVersion() = #PB_OS_MacOSX_Future ; Lion and up (PB v4.61)
  PrefsPath$ = GetHomeDirectory() + "Library/Containers/com.<company-name>.<App-name>/Data/Library/Application Support/<App-Name>"
Else ; Snow Leopard
  PrefsPath$ = GetHomeDirectory() + "Library/Application Support/<Company-Name>/<App-Name>" ; with or without <Company-Name>
EndIf
2. Create an Entitlement
This minimal file needs to be saved in the same folder where you put your .App-Bundle. If your .App is called ABC.App, call your entitlement ABC.entitlements
Code: Select all
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key>
  <true/>
</dict>
</plist>
Update: You can see the keys here. The entitlements below are examples (some are set to true).
The problem: at the moment, neither Network-Access nor loading or saving is possible with PureBasic.
http://developer.apple.com/library/ios/ ... 95-CH4-SW1
Code: Select all
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key>
  <true />
  <key>com.apple.security.assets.movies.read-only</key>
  <false />
  <key>com.apple.security.assets.movies.read-write</key>
  <false />
  <key>com.apple.security.assets.music.read-only</key>
  <false />
  <key>com.apple.security.assets.music.read-write</key>
  <false />
  <key>com.apple.security.assets.pictures.read-only</key>
  <false />
  <key>com.apple.security.assets.pictures.read-write</key>
  <false />
  <key>com.apple.security.device.bluetooth</key>
  <false />
  <key>com.apple.security.device.camera</key>
  <false />
  <key>com.apple.security.device.firewire</key>
  <false />
  <key>com.apple.security.device.microphone</key>
  <false />
  <key>com.apple.security.device.serial</key>
  <false />
  <key>com.apple.security.device.usb</key>
  <false />
  <key>com.apple.security.files.downloads.read-write</key>
  <false />
  <key>com.apple.security.files.bookmarks.app-scope</key>
  <false />
  <key>com.apple.security.files.bookmarks.collection-scope</key>
  <false />
  <key>com.apple.security.files.user-selected.read-only</key>
  <false />
  <key>com.apple.security.files.user-selected.read-write</key>
  <true />
  <key>com.apple.security.inherit</key>
  <true />
  <key>com.apple.security.network.client</key>
  <true />
  <key>com.apple.security.network.server</key>
  <true />
  <key>com.apple.security.personal-information.addressbook</key>
  <false />
  <key>com.apple.security.personal-information.calendars</key>
  <false />
  <key>com.apple.security.personal-information.location</key>
  <false />
  <key>com.apple.security.print</key>
  <false />
</dict>
</plist>
3. Sign your app using this edited app.sh
Call using Terminal.app like this: ./app.sh /path/to/ABC. Do not add the .App or ABC.App
Code: Select all
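# Make every file in the bundle readable and executable
sudo chmod -R a+xr "$1.app"
# Sign the bundle with the entitlements file that sits next to it
codesign -f -s "3rd Party Mac Developer Application: quadWorks" --entitlements "$1.entitlements" "$1.app"
# Build the signed installer package for upload
productbuild --component "$1.app" /Applications --sign "3rd Party Mac Developer Installer: quadWorks" "$1.pkg"
# Remove the local bundle (a directory, so -r is needed), then test-install the package
sudo rm -r "$1.app"
sudo installer -store -pkg "$1.pkg" -target /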
4. Add your App to iTunes Connect
5. Upload the prepared Application
6. Wait for Apple to approve
6.1. I am waiting for approval of Tablelizer: http://purebasic.fr/english/viewtopic.php?f=14&t=50328
Last edited by jamirokwai on Fri Jul 06, 2012 10:46 am, edited 3 times in total.
Regards,
JamiroKwai
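An entitlements file like the ones in the post above can be checked before signing against Apple's guidance quoted earlier in the thread (request what the app uses, nothing more). The following Python check is an added example, not code from any poster; `audit_entitlements`, `make_plist`, `NEEDED` and the three sample files are constructed for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

PREFIX = "com.apple.security."
SANDBOX = PREFIX + "app-sandbox"
INHERIT = PREFIX + "inherit"

def audit_entitlements(data, needed):
    """Return findings for an entitlements plist; an empty list means clean.

    data   -- raw bytes of the .entitlements file
    needed -- set of entitlement keys the app really uses (reviewer-supplied)
    """
    try:
        ent = plistlib.loads(data)
    except (ValueError, ExpatError) as exc:
        # Malformed XML or a <key> with no value: not a valid property list.
        return ["unreadable plist: %s" % exc]
    if not isinstance(ent, dict):
        return ["top-level object is not a <dict>"]
    findings = []
    if ent.get(SANDBOX) is not True:
        findings.append(SANDBOX + " is not set to true")
    # Only keys set to <true/> grant anything; <false/> entries are inert.
    granted = {k for k, v in ent.items() if v is True and k != SANDBOX}
    findings += ["granted but not needed: " + k for k in sorted(granted - needed)]
    findings += ["needed but not granted: " + k for k in sorted(needed - granted)]
    # Apple's sandbox documentation describes inherit as a child-process
    # entitlement that is paired with app-sandbox alone.
    if INHERIT in granted and len(granted) > 1:
        findings.append(INHERIT + " combined with other sandbox entitlements")
    return findings

def make_plist(pairs, dangling_key=None):
    """Build a constructed sample file; dangling_key adds a key with no value."""
    body = "".join("<key>%s%s</key><%s/>\n" % (PREFIX, k, "true" if v else "false")
                   for k, v in pairs)
    if dangling_key:
        body += "<key>%s%s</key>\n" % (PREFIX, dangling_key)
    return ('<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n'
            + body + "</dict>\n</plist>\n").encode("utf-8")

# Constructed samples, not files from the thread.
NEEDED = {PREFIX + "files.user-selected.read-write"}
MINIMAL = make_plist([("app-sandbox", True), ("files.user-selected.read-write", True)])
BROAD = make_plist([("app-sandbox", True), ("device.camera", False),
                    ("files.user-selected.read-write", True), ("inherit", True),
                    ("network.client", True), ("network.server", True)])
TRUNCATED = make_plist([("app-sandbox", True)], dangling_key="print")

if __name__ == "__main__":
    for name, sample in (("MINIMAL", MINIMAL), ("BROAD", BROAD), ("TRUNCATED", TRUNCATED)):
        print(name, audit_entitlements(sample, NEEDED))
```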
Re: Mac App Store Sandboxing
Ok, I had to "chmod -R 755 /Path to/app.sh" for it to work but I get the following...
"cannot read entitlement data"
www.posemotion.com
PureBasic Tools for OS X: PureMonitor, plist Tool, Data Maker & App Chef
Mac: 10.13.6 / 1.4GHz Core 2 Duo / 2GB DDR3 / Nvidia 320M
PC: Win 7 / AMD 64 4000+ / 3GB DDR / Nvidia 720GT
Even the vine knows it surroundings but the man with eyes does not.