electron-builder: MAS com.apple.security.app-sandbox in entitlements crashes the application

  • Version: 22.4.1
  • Target: mas

The sandbox entitlement is crashing the mas build on startup. The application works fine if I do not include <key>com.apple.security.app-sandbox</key><true/>, but it is refused by the Mac App Store. I tried using both the mac and the mas plist.

I even tried a workaround proposed in [this issue](https://github.com/electron/electron-osx-sign/issues/192): adding the sandbox entitlement to node_modules/app-builder-lib/templates/entitlements.mac.plist. The app crashes.

Here is my build config:

  "build": {
    "productName": "xxxxx",
    "appId": "com.xxx.xx",
    "artifactName": "${productName} Setup-${version}.${ext}",
    "mac": {
      "entitlementsInherit": "build/entitlements.mac.plist",
      "category": "public.app-category.business",
      "extraResources": [
        {
          "from": "./preconfigMac",
          "to": "preconfig",
          "filter": [
            "*.sh"
          ]
        }
      ]
    },
    "directories": {
      "output": "release"
    },
    "files": [
      "dist/",
      "package.json"
    ],
    "protocols": {
      "name": "Test protocol",
      "role": "Viewer",
      "schemes": [
        "test"
      ]
    },
    "mas": {
      "type": "distribution",
      "provisioningProfile": "embedded.provisionprofile",
      "entitlements": "build/entitlements.mas.plist",
      "entitlementsInherit": "build/entitlements.mas.inherit.plist"
    },
    "afterSign": "scripts/notarize.js"
  },

I identified the problem by checking the entitlements of the output. It seems that when I add the sandbox entitlement it completely messes up the XML.

Here is the output of codesign -d --entitlements :- Test.app when the entitlements do not include the sandbox key:

Executable=xxxxxx
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-jit</key>
  <true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
  <true/>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
</dict>
</plist>

That is exactly the xml that I have in my entitlements.mas.plist.

However, when I add the sandbox entitlement to mas.plist or to mas.inherit.plist, this is the output:

Executable=xxxxx
bplist00?
                _ com.apple.application-identifier_#com.apple.developer.team-identifier_com.apple.security.app-sandbox_%com.apple.security.application-groups_com.apple.security.cs.allow-jit_6com.apple.security.cs.allow-unsigned-executable-memory_0com.apple.security.cs.disable-library-validation_xxxxxx	?       	       :`???7U`acdef%  

As you can see, the entitlements are completely messed up because of the sandbox key. It seems that there is some issue in how the entitlements are created during the build.

Any suggestions of what might be wrong?
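As an added example (not from the issue or from electron-builder), a POSIX shell check that classifies a captured entitlements dump as XML or binary plist and reports whether the sandbox key is present; the capture command, the file name and the sample dumps are assumptions.

```shell
#!/bin/sh
# Added example: check the entitlements that codesign reports for a built .app.
# Assumed capture step on macOS (the "Executable=" line goes to stderr):
#   codesign -d --entitlements :- Test.app 2>/dev/null > ents.bin

# entitlements_format FILE -> prints xml, bplist or unknown, from the first bytes
entitlements_format() {
  case "$(head -c 8 "$1" | tr -d '\0')" in
    '<?xml'*)  echo xml ;;
    bplist00)  echo bplist ;;
    *)         echo unknown ;;
  esac
}

# sandbox_state FILE -> prints enabled, missing or needs-plutil.
# XML is readable directly. A binary plist keeps key names as plain strings,
# but the boolean value is not greppable, so convert it first on macOS:
#   plutil -convert xml1 -o - ents.bin
sandbox_state() {
  case "$(entitlements_format "$1")" in
    xml)
      # codesign puts <key> and <true/> on separate lines; join before matching
      if tr -d '\n\t ' < "$1" | grep -q '<key>com.apple.security.app-sandbox</key><true/>'; then
        echo enabled
      else
        echo missing
      fi ;;
    bplist)
      if grep -qa 'com.apple.security.app-sandbox' "$1"; then
        echo needs-plutil
      else
        echo missing
      fi ;;
    *) echo missing ;;
  esac
}

# Constructed samples standing in for the two dumps quoted in the issue.
# The bplist one is only a fragment (magic, a string object, a true byte).
TMP=$(mktemp -d)
printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">\n<dict>\n  <key>com.apple.security.app-sandbox</key>\n  <true/>\n  <key>com.apple.security.cs.allow-jit</key>\n  <true/>\n</dict>\n</plist>\n' > "$TMP/xml.ents"
printf 'bplist00\322\001\002\003\004_\020\036com.apple.security.app-sandbox\011' > "$TMP/bin.ents"
printf '<?xml version="1.0"?>\n<plist version="1.0"><dict>\n<key>com.apple.security.cs.allow-jit</key>\n<true/>\n</dict></plist>\n' > "$TMP/nosandbox.ents"

for f in xml bin nosandbox; do
  echo "$f: $(entitlements_format "$TMP/$f.ents") / $(sandbox_state "$TMP/$f.ents")"
done
```

Run it against a real capture with `sandbox_state ents.bin`; a result of needs-plutil means the dump is the binary form seen in the issue and must be converted before the value can be read.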

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Reactions: 11
  • Comments: 31 (9 by maintainers)

Most upvoted comments

One of the many critical issues solved by the great stale bot! 🥳

Of course it is relevant! Fucking stale bot!

Sat, 11 Jul 2020, 17:04 stale[bot] notifications@github.com:

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/electron-userland/electron-builder/issues/4790#issuecomment-657077307, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAF6VB7C3KK5O6TUXY36HTTR3B5PBANCNFSM4LMJ4WXQ .