Tuesday, September 26, 2017

Sandbox Inheritance Tax

Daniel Jalkut:

When my subprocess is launched, the system sees that extra “com.apple.security.get-task-allow” entitlement in the context of “com.apple.security.inherit”, and unceremoniously crashes the child process.

I’m not sure what Apple’s reasoning is for imposing this entitlement on sandboxed targets, but it appears to be doing so across the board, for literally every sandboxed target in my app. I confirmed that all of my apps, XPC processes, helper tools, etc., are all getting this bonus entitlement.

[…]

I’ve learned that Xcode’s “Export Archive” functionality causes the unwanted entitlement to be removed. Apparently the assumption is that everybody creates Xcode archives as part of their build and release process.

It’s still a bad bug, though, because you can’t run your app from Xcode during development. How did Apple not run into this when testing any of their own apps?
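A pre-launch check for the entitlement combination described above, as an added example that is not from the quoted post or from Xcode: it reads each target's entitlements as an XML plist (the form `codesign -d --entitlements :- <path>` prints) and flags any target that carries both keys. The target names and sample plists are constructed for illustration.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
INHERIT = "com.apple.security.inherit"
GET_TASK_ALLOW = "com.apple.security.get-task-allow"


def load_entitlements(xml_bytes):
    """Parse an XML entitlements plist; an empty dump (no entitlements) yields {}."""
    if not xml_bytes.strip():
        return {}
    data = plistlib.loads(xml_bytes)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist must be a dictionary")
    return data


def audit(targets):
    """Return the sorted names of targets where inherit and get-task-allow are both true.

    That pairing is the one the post reports as crashing the child at launch.
    """
    flagged = []
    for name, xml_bytes in targets.items():
        ent = load_entitlements(xml_bytes)
        if ent.get(INHERIT) is True and ent.get(GET_TASK_ALLOW) is True:
            flagged.append(name)
    return sorted(flagged)


# Constructed sample input: hypothetical target names, entitlements built inline.
SAMPLE_TARGETS = {
    # Main app: sandboxed, debuggable, does not inherit -> not the crash case.
    "MainApp": plistlib.dumps({SANDBOX: True, GET_TASK_ALLOW: True}),
    # Helper built and run from Xcode: inherit plus the injected entitlement.
    "HelperFromXcodeBuild": plistlib.dumps(
        {SANDBOX: True, INHERIT: True, GET_TASK_ALLOW: True}),
    # Helper after an archive export: the extra entitlement is gone.
    "HelperFromExport": plistlib.dumps({SANDBOX: True, INHERIT: True}),
    # Target with no entitlements at all.
    "UnsignedTool": b"",
}

if __name__ == "__main__":
    for name in audit(SAMPLE_TARGETS):
        print(f"{name}: {INHERIT} combined with {GET_TASK_ALLOW}")
```
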

Update (2017-09-28): Daniel Jalkut:

So, if you’re a developer who doesn’t use archives, what are your options? I’ve come up with four workarounds, and I present them here, roughly sorted by advisability and level of tedium[…]

Update (2017-09-29): Erik Schwiebert:

yea, we don’t use Xcode Archives due to restricted access to MSFT corp signing cert.
