App Wrapper 4 - Sandboxing

Hello to all,

Finally decided to sign and publish my software. I enrolled into the Developer Program (not happy about the fact to be forced to pay 99$ to get a freeware online) and I got App Wrapper 4 to do so.

Now I have some problems that my signed and wrapped and packed application does not work correctly. I need some help.

  • First, my universal build does not pass the check as it contains 2 executables (terminal helpers) in the resources that do not exist as ARM version, but should run fine under Rosetta 2. I call them with “arch -x86_64”. Isn’t there a way to get these past the check?

  • When I wrap my Intel version with App Wrapper set to “Website” everything works fine after the processing. When I wrap for the store with Sandboxing, I cannot access all my databases but just some of them. I can set the Sandbox settings to Read & Write for some folders and databases in these folders work fine. How can I do a setup that accepts all other folders, or at least external disks and NAS?

Thanks in advance for your help.

Is this the App Wrapper Check or has Apple rejected your application?

This would require a Sandbox breakout, I can tell you how to do it. However it has a high probability of being rejected by Apple. Forcing you to redesign how you handle databases to be accepted on their store.

You can however use an open dialog to select a database, although you’ll need to do some research to make sure your database plugin can operate within the App Sandbox this way. I know in the past this would fail for the included SQLite plugin of Xojo.

It is App Wrapper saying it. I didn’t try to notarize the App due to the other problem.

I would suggest trying to Notarize the application and seeing if Apple rejects it or not.

I use an open dialogue to add a database to the list of known databases. The dialogue opens and lets me select my database (no “do you allow?” system dialogue) and the database is added to the list. But when then trying to open it, it simply does not work.

I have set a dialogue value for Network disks in App Wrapper so I don’t understand why I don’t get this system dialogue. I will have to check the code and to get a feedback message on the folderitems values to see if I can’t get access to the folderitem or if SQLite fails to connect.

I suggest not making it sandboxed. As long as you do not want to get your app on AppStore, it is not needed.

It may not be required, but if an app can be sandboxed, it’s better for everybody if it is.

I believe you’ll need to make some changes to get your app working in a sandbox, and therefore eligible for the App Store. Christophe is right though, if you’re not going to target the App Store, sandboxing is optional, and you would need to weigh code changes against consumer protection.

The app sandbox does NOT allow simply opening anything on the computer. At the high level, you pretty much are only allowed what is in your Application Support folder, and files opened by an OpenDialog or similar such as drag and drop. You may retain security scoped bookmarks to open previously allowed files. They can be difficult to work with, but if you need a recents menu or need to remember any kind of file outside your app support folder, they’ll be necessary. I imagine that’s the issue at hand. Your dialog selects the database, and your app remembers it for later. It would work for one run, but not later runs of the app.

1 Like
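The save-and-restore cycle for a security-scoped bookmark described in the post above, as an added example that is not code from any poster in this thread. It is written in Swift against Apple's Foundation API rather than in Xojo, the `databaseBookmark` defaults key and the function names are hypothetical, and it assumes the app is signed with the `com.apple.security.files.user-selected.read-write` and `com.apple.security.files.bookmarks.app-scope` entitlements.

```swift
import Foundation

// Hypothetical UserDefaults key for the stored bookmark (an assumption of this example).
let bookmarkKey = "databaseBookmark"

enum BookmarkError: Error { case notStored, accessDenied }

/// Call right after the user picks the database in an open dialog,
/// while the sandbox still grants access to `url` for this session.
func rememberDatabase(at url: URL) throws {
    let data = try url.bookmarkData(options: .withSecurityScope,
                                    includingResourceValuesForKeys: nil,
                                    relativeTo: nil)
    UserDefaults.standard.set(data, forKey: bookmarkKey)
}

/// Call on a later launch. Runs `body` with sandbox access to the file,
/// then releases that access again. For a connection that stays open,
/// keep access for the connection's whole lifetime instead.
func withRememberedDatabase<T>(_ body: (URL) throws -> T) throws -> T {
    guard let data = UserDefaults.standard.data(forKey: bookmarkKey) else {
        throw BookmarkError.notStored
    }
    var isStale = false
    let url = try URL(resolvingBookmarkData: data,
                      options: .withSecurityScope,
                      relativeTo: nil,
                      bookmarkDataIsStale: &isStale)
    // A plain path stored from the previous run fails here in the sandbox;
    // only the resolved bookmark URL can be given access again.
    guard url.startAccessingSecurityScopedResource() else {
        throw BookmarkError.accessDenied
    }
    defer { url.stopAccessingSecurityScopedResource() }
    if isStale {
        // The file moved or the volume changed: refresh the stored
        // bookmark while access is still held.
        try rememberDatabase(at: url)
    }
    return try body(url)
}
```

Bookmarking the folder the user selected, rather than a single file, extends the same access to the files inside that folder.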

I want to add and recommend using Sam’s AppKit. It has tons of classes for making an app sandboxed more easily (it’s still a bog though).

That’s right. I just thought, why not to push it to the store as Apple already forced me to pay $99 for the code signing.

Yes, the open dialogue let me select a location on my NAS and the database file and Media Folder are created, but it can’t be used afterwards. I tried to install the database in the movie folder and the media folder on the NAS. Then I can open the database and some functions like “Reveal in the Finder” work and the media folder pops up with the file selected, but trying to play the file back in QuickTime fails and also the internal player stays black. As long as sandboxing exists on the Mac and that Apple warns that in the future it may be required to sandbox all Apps, I don’t understand that Xojo does not feature an easy mechanism to handle this.

I already took a look at it, but with a $200 price tag this is again a no go for freeware developers.

A good reason to ask money. :expressionless:

By default your application only has access to that file/database for that session. When you relaunch your application that access is lost. There are things you can do to work around that and we’ll come to it later.

The main thing is the App Sandbox supports Apple’s SQLite Database, some others have been updated to work in the App Sandbox, while some have not. Over the years the tricks I knew to make it work have all been broken. However I haven’t tried for a long time.

Because that is an entirely different “Security” mechanism, and the App Sandbox restrictions overrule it.

If you use the Apple API for the recent items menu, you don’t need to use Security-Scoped Bodgemarks, and because of the frailty, I would suggest only considering them as a last resort. Among other things, a macOS update can break them, leaving you unable to access the file, unable to tell where the file was or even its name (like a lot of issues in the last 8 years, these remain unresolved).

The source code for using the Apple Recent Items menu is included as part of my App Kit.

Because of the extra cost to make your application work against Apple’s ever changing App Store Rules (when I say cost, I don’t just mean money, time as well). A good chunk of Indie Mac Devs have given up with the Mac App Store. Hopefully a new CEO will dedicate some time and resources to improving it and the overall state of the Mac software market.

1 Like