Entitlements issue

I have a script that prepares my app for the app store, and it works perfectly until I include entitlements. Then, after creating the package and installing, my app launches and quits, but never gives me the login for the app store. If I remove the entitlements, it works fine.

My question is, do I have to register my entitlements with the app store before the app will work? (I’m especially perplexed because, when I first tried it with the entitlements, it worked just fine.)

My entitlements file is simply this:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    	<key>com.apple.security.app-sandbox</key>
    	<true/>
    	<key>com.apple.security.files.user-selected.read-write</key>
    	<true/>
    	<key>com.apple.security.network.client</key>
    	<true/>
    </dict>
    </plist>

My script looks something like this:

    dim initialSignCmd as string =  "/usr/bin/codesign --force -s " + certApp + " " + pathAppName
    if kIncludeEntitlements and entitlementsPath <> "" then
      initialSignCmd = initialSignCmd + " --entitlement " + entitlementsPath
    end if

Here is the error in the Console:

    7/28/13 11:51:19.141 PM storeagent[305]: Unsigned app (/Applications/RegExRX.app).
    7/28/13 11:51:19.000 PM kernel[0]: Validation failed, dataSuffix: 
    7/28/13 11:51:19.000 PM kernel[0]: 00 00 01 00 00 01 e8 54 00 01 e7 54 00 00 00 32 00 0f d2 30 00 13 00 00 00 1c 00 32 00 00 69 63 6e 73 00 00 00 0a bf b9 ff ff 00 00 00 00 00 0f d2 48 
    7/28/13 11:51:19.000 PM kernel[0]: vnode_validate_compressed_file_Type4 error: 22
    7/28/13 11:51:19.000 PM kernel[0]: Validation failed, dataSuffix: 
    7/28/13 11:51:19.000 PM kernel[0]: 00 00 01 00 00 01 e8 54 00 01 e7 54 00 00 00 32 00 0f d2 30 00 13 00 00 00 1c 00 32 00 00 69 63 6e 73 00 00 00 0a bf b9 ff ff 00 00 00 00 00 0f d2 48 
    7/28/13 11:51:19.000 PM kernel[0]: vnode_validate_compressed_file_Type4 error: 22

Kem, have you tried to validate the app from the command line, either after code-signing, or again after installation? Try:

    codesign -d -vvvv /path/to/my/app

Also: more info? Which version of Xojo? Which version of OS X?

Your entitlements look fine. You didn’t have to register entitlements with Apple a couple of weeks ago, but then they do change things frequently and without warning.

Try manually code signing in the terminal, just to see if there are any errors being reported. The error message in the console sorta suggests to me that it’s failing somehow.

The other thing to try is to delete the application container in your library folder; these can get corrupted and release a whole world of woe.

Lastly, try using a wrapping application to code sign and wrap your application, if it works in a wrapping app, it should give you some indication as to where to look in your script.

Yes, Appwrapper can be very useful. :wink:

Also - how are you testing installation? Although you can double-click the PKG file, I think that’s not the correct way to do it; you actually are supposed to use the terminal:

    sudo installer -store -pkg /path/to/the/pkg/file -target /

To answer some of the questions, I have AppWrapperMini (excellent), but not AppWrapper. No matter, I’m comfortable in the CLI so I just needed the right commands.

And yes, installing through the CLI as recommended. Michael, if you see the comment when you run “sudo installer”, it actually advises you to run as admin, not root, so just use “installer” and it will ask you for your password anyway. (I’m not sure if that’s a change from previous versions of the OS.)

I’m on Mac OS X 10.8.4, using Xojo 2013r2.

I am also using additional plugins since I first tried this so I am going to see what happens if I take those out of the mix.

Thanks for all the comments and suggestions. I am going to devote some serious time to it today and will report back what I find.

Kem, I’d also suggest you test against 10.9, as a little bird told me that there are some changes in how code validation is done.

[quote=23688:@Kem Tekinay]Michael, if you see the comment when you run “sudo installer”, it actually advises you to run as admin, not root, so just use “installer” and it will ask you for your password anyway. (I’m not sure if that’s a change from previous versions of the OS.)
[/quote]

That does sound different, and my advice is definitely from when I was testing in 10.6. That’s good to know that it’s not the same in 10.8.

[quote=23367:@Kem Tekinay]
    if kIncludeEntitlements and entitlementsPath <> "" then
      initialSignCmd = initialSignCmd + " --entitlement " + entitlementsPath
    end if
[/quote]

" --entitlement " should be " --entitlements "

[quote=23726:@jim mckay]" --entitlement " should be " --entitlements "
[/quote]

D’OH! For the love of…

I’ll make the change in any case. Odd that it didn’t return an error though. Thanks for catching that.

I’m testing on a different machine now, but it’s working, so I have to chalk it up to the typo. And that makes sense if I included the “s” in my script’s initial versions and screwed it up later.

Thanks to all for the help.

Well spotted! I’m surprised that it didn’t generate any error at this however.