{"id":19006,"date":"2017-09-26T10:52:02","date_gmt":"2017-09-26T14:52:02","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=19006"},"modified":"2017-09-29T20:17:18","modified_gmt":"2017-09-30T00:17:18","slug":"sandbox-inheritance-tax","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2017\/09\/26\/sandbox-inheritance-tax\/","title":{"rendered":"Sandbox Inheritance Tax"},"content":{"rendered":"<p><a href=\"http:\/\/indiestack.com\/2017\/09\/sandbox-inheritance-tax\/\">Daniel Jalkut<\/a>:<\/p>\n<blockquote cite=\"http:\/\/indiestack.com\/2017\/09\/sandbox-inheritance-tax\/\">\n<p>When my subprocess is launched, the system sees that extra &ldquo;com.apple.security.get-task-allow&rdquo; entitlement in the context of &ldquo;com.apple.security.inherit&rdquo;, and unceremoniously crashes my child process.<\/p>\n<p>I&rsquo;m not sure what Apple&rsquo;s reasoning is for imposing this entitlement on sandboxed targets, but it appears to be doing so across the board, for literally every sandboxed target in my app. I confirmed that all of my apps, XPC processes, helper tools, etc., are all getting this bonus entitlement.<\/p>\n<p>[&#8230;]<\/p>\n<p>I&rsquo;ve learned that Xcode&rsquo;s &ldquo;Export Archive&rdquo; functionality causes the unwanted entitlement to be removed. Apparently the assumption is that everybody creates Xcode archives as part of their build and release process.<\/p>\n<\/blockquote>\n<p>It&rsquo;s still a bad bug, though, because you can&rsquo;t run your app from Xcode during development. How did Apple not run into this when testing any of their own apps?<\/p>\n\n<p>Update (2017-09-28): <a href=\"http:\/\/indiestack.com\/2017\/09\/xcode-9-signing-workarounds\/\">Daniel Jalkut<\/a>:<\/p>\n<blockquote cite=\"http:\/\/indiestack.com\/2017\/09\/xcode-9-signing-workarounds\/\">\n<p>So, if you&rsquo;re a developer who doesn&rsquo;t use archives, what are your options? 
I&rsquo;ve come up with four workarounds, and I present them here, roughly sorted by advisability and level of tedium[&#8230;]<\/p>\n<\/blockquote>\n\n<p>Update (2017-09-29): <a href=\"https:\/\/twitter.com\/Schwieb\/status\/913461153900118016\">Erik Schwiebert<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/Schwieb\/status\/913461153900118016\">\n<p>yea, we don&rsquo;t use Xcode Archives due to restricted access to MSFT corp signing cert.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Daniel Jalkut: When my subprocess is launched, the system sees that extra &ldquo;com.apple.security.get-task-allow&rdquo; entitlement in the context of &ldquo;com.apple.security.inherit&rdquo;, and unceremoniously crashes my child process. I&rsquo;m not sure what Apple&rsquo;s reasoning is for imposing this entitlement on sandboxed targets, but it appears to be doing so across the board, for literally every sandboxed target [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[131,30,1529,71,53,226],"class_list":["post-19006","post","type-post","status-publish","format-standard","hentry","category-technology","tag-bug","tag-mac","tag-macos-10-13","tag-programming","tag-sandboxing","tag-xcode"],"apple_news_notices":[],"_links":{"self":[{"href":"htt
ps:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/19006","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=19006"}],"version-history":[{"count":3,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/19006\/revisions"}],"predecessor-version":[{"id":19060,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/19006\/revisions\/19060"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=19006"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=19006"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=19006"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}