MBS Updater Kit: unable to update sandboxed app?

My test app is properly updating on OSX 10.9.2, as long as it is not sandboxed.

Now I tried to update a sandboxed version and I’m running into errors.

Does anyone have Sparkle (and MBS Updater Kit respectively) running with a sandboxed app? Is this supposed to be working?

[quote]test(1869) deny forbidden-exec-sugid

Process: test [1869]
Path: /Applications/test.app/Contents/MacOS/test
Load Address: 0x1000
Identifier: com.osswald.test
Version: 2014.6.0.0.23 (2014.6)
Code Type: i386 (Native)
Parent Process: test [1861]

Date/Time: 2014-03-25 22:49:14.764 +0100
OS Version: Mac OS X 10.9.2 (13C64)
Report Version: 8

Thread 0:
0 libsystem_kernel.dylib 0x929923e2 execve + 10
1 Security 0x969e9f2b AuthorizationExecuteWithPrivilegesExternalForm + 1181
2 Security 0x969e9a7a AuthorizationExecuteWithPrivileges + 84
3 Sparkle 0x056bbc73
4 Sparkle 0x056bc283
5 Sparkle 0x056bc5c7
6 Sparkle 0x056c2f59 load_dsa_key + 14157
7 Sparkle 0x056c307c load_dsa_key + 14448
8 Foundation 0x91261f0e -[NSThread main] + 45
9 Foundation 0x91261e66 NSThread__main + 1426
10 libsystem_pthread.dylib 0x921ad5fb _pthread_body + 144
11 libsystem_pthread.dylib 0x921ad485 _pthread_struct_init + 0
12 libsystem_pthread.dylib 0x921b2cf2 thread_start + 34

Binary Images:
0x56b9000 - 0x56ccfff org.andymatuschak.Sparkle (1.5 Beta 6 - 313) <5df2b8a3-560d-4500-6b85-4215644de532> /Applications/test.app/Contents/MacOS/Sparkle.framework/Sparkle
0x911f5000 - 0x91520ffe com.apple.Foundation (6.9 - 1056.13) /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
0x921ac000 - 0x921b3ffb libsystem_pthread.dylib (53.1.4) <8b1b7b84-1b5d-32a8-ac0d-1e689e5c8a4c> /usr/lib/system/libsystem_pthread.dylib
0x9297a000 - 0x92997ff4 libsystem_kernel.dylib (2422.90.20) /usr/lib/system/libsystem_kernel.dylib
0x96929000 - 0x96b97ff6 com.apple.security (7.0 - 55471.14) <7915499b-66cf-39fe-b53c-a11c7775314d> /System/Library/Frameworks/Security.framework/Versions/A/Security
[/quote]

Isn’t that the purpose of the sandbox to forbid the app editing applications?

So, I guess that is a NO.

Bummer! Step back to field one then…

I started from Marc Zeedar’s “Update Yourself” article and built a solution which works and OSX, Windows and Linux.

But after downloading such update, the user still has to go through a whole lot of clicking, plus password entering, in order to install the update.

So I wrote a app which is asking for the password only on the first run and then is storing it in keychain (OSX) - and from then on it does silent updating in the background (if the user allows).

But then restart of the app did fail once in while. On some machines the user ended up with a restart of the old app and got caught in a update loop.

So I’m trying the MBS updater kit and look: restart issue is gone… but unfortunately it does not work with sandboxed apps.

So I end up with a sandboxed version for MAS (where Apple takes care of updating) and non-sandboxed version with Sparkle Updater, distributed from my own website.

There is no other solution, right?

Sandbox is only for MAS. For your own website, you’d better not sandbox and avoid ton of issues.

I do not really want to go into any religious discussion about sandboxing here.

But I want to give some background info: I wrote a little database application where the data stored is all about money. Sandbox comes in handy as an additional security feature - and in fact the software works fine in the sandbox.

I just wanted to make the update procedure a little bit more fool-proof with fewer clicking there.

But security is more important than fool-proof updating. So I guess I will have to go back to my previous updating solution.

Sorry to hear.
It maybe that the little helper app in the sparkle framework is not signed/sandboxed, so your app may not even be allowed to launch it. Or it can’t exchange the files.
Does console log show something?

[quote=74118:@Christian Schmitz]…
Does console log show something?[/quote]
Yes, I did post some of it above (test(1869) deny forbidden-exec-sugid).

But now I’m no longer in front of my Mac, but using an iPad, so I have no access to those logs right now .

Btw: your post did not answer my issue, it is just close to impossible for me to quote someone on this forum, when is use the iPad. The icons only become visible when I tab in the upper right corner of a post - and many times I hit on ‘answer’ that way.

Ah, sorry.
I didn’t see that when replying later.
So running an app as admin is denied on sandbox.

Hi Oliver,
This is not allowed by the Sandbox. Check the forums “Updating” a Sandboxed application has been discussed many times and there doesn’t seem to be a concrete example of how to do it. Except to get the user to download it again…

One idea I’ve had, but never tried was to get the app to download an installer for itself, launch the installer and then quit itself . It should do some checking on this installer to make sure that it comes from you (i.e. code signed by you).

[quote=74143:@Sam Rowlands]…
One idea I’ve had, but never tried was to get the app to download an installer for itself, launch the installer and then quit itself . It should do some checking on this installer to make sure that it comes from you (i.e. code signed by you).[/quote]

Well, this is what I am originally doing, from a sandboxed app: I download the installer (.pkg) which is produced by AppWrapper and (after User-OK) launch this installer. This works, except that I can’t launch it for silent update. The user has to interact several times and click repeatedly on an OK button, plus he has to enter the password, again…

Then I tried to download a dmg as an alternative. But then I got user phone calls who simply did not know how to handle a dmg.

As I wrote before : I would like to have the advanced security of sandbox plus a fool-proof update solution. There must be a way, because Apple is doing it for MAS apps.

@ Sam: btw, I’m using AppWrapper 2.5.0 (202), and I no longer can find the option to overwrite signatures of frameworks in the bundle… is this now automatically done, or not at all? Re-sign already signed parts in it?

we would all love that. but I think they get around that issue by letting a 3rd party app (the App Store app) download/install the new versions. Notice you have to shutdown any app being updated before they even download it? Sparkle is awesome but with the new sandboxing/gatekeeper security it is just not functional anymore. Wish Apple would work with the Sparkle community to fix the issue.

It’s ‘forced’ on now as code signing for Mavericks and the Mac App Store now require all executables to be code signed with the same signature.

Good, Thanks!

One reason to sandbox your app would be to have a single version that you sell both in the MAS and through another route. But is that worth it? I have an app with 2 versions (MAS, non-MAS) and I can’t see any reason to sandbox the non MAS version. What’s your thinking?

Convenience (in some aspects) for the developer and the user. The application data will all be stored in the same place, you won’t have sandbox violations on one and not the other, which makes it harder to track down file issues.

Non sandboxed applications cannot create Security Scoped Bookmarks, so if you do need to use them in a Sandboxed application at some point you’re out of luck.

[quote=74695:@Sam Rowlands]Convenience (in some aspects) for the developer and the user. The application data will all be stored in the same place, you won’t have sandbox violations on one and not the other, which makes it harder to track down file issues.

Non sandboxed applications cannot create Security Scoped Bookmarks, so if you do need to use them in a Sandboxed application at some point you’re out of luck.[/quote]
Exactly! Plus there is a lower chance that some other app is manipulating your data, without user interaction.

I should have said that non-sandboxed applications cannot create or resolve Security Scoped Bookmarks.

The Sparkle/Sandbox issue has been discussed extensively with Andy Matuschak on GitHub and it seems there is a solution for sandboxed apps (outside of MAS):

Sam Deane has a Sparkle fork from Andy Matuschak, which implements this workaround, here:
https://github.com/samdeane/Sparkle/commits/sandboxing

Ryan Nielsen put up a test for this, here:
https://github.com/ryannielsen/NSDocumentSandboxSparkleTest

Blog “Sparkle in Sandbox mode”
http://www.lantean.co/sparkle-in-sandbox-mode/

My question to Christian: any chance to get this worked into the MBS Updater Kit? (So that one could use it with a sandboxed app outside of MAS?)

Simply take newer Sparkle framework and XPCService, add it to your app and sign correctly.

I have been working on NSXPC* classes, but failed so far to get them running.