macOS Granting full-disk access to sandboxed app not working - McMap

About

macOS Granting full-disk access to sandboxed app not working

Asked 23/10, 2019 at 21:11 Answered 7/2, 2020 at 16:37

macos appstore-sandbox full-disk-access

C

1

7

I'm experimenting with full-disk access and can't make it working. Here is list of steps I did:

Sandbox is turned ON. In fact the entitlements file looks like:

<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.files.bookmarks.app-scope</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>

I created archive of the app and tried to distribute it using boths Developer ID or Development methods
I placed the binary of my app to /Applications folder
I went to System Preferences -> Security & Privacy -> Privacy -> Full Disk Access and added access to my app in /Applications folder
Of course I'm NOT attached to the app with Xcode

I'm testing it in Xcode 11 and on Catalina. It's dummy app, opening NSOpenPanel to let user select archives to decompress and tries to decompress it in the same directory.

In fact it's not about NSOpenPanel, the question is:

What is necessary to do to make sandboxed app using full-disk access?

Any hints? Am I doing anything wrong?

Cheddite answered 23/10, 2019 at 21:11 Comment(7)

Does your app use a launch script, or is it only a binary exec? – Stentor 25/10, 2019 at 12:51

I'm quite new to macOS development thus my goal is to learn something new and implement a simple compressing/decompressing app using libarchive as library to do the job. The app can open and decompress associated files, drag-n-dropped files, files selected using NSOpenPanel or opened from FinderSync. Nothing special, just regular application, not using launch script or XPC services – Cheddite 25/10, 2019 at 14:12

Ok, apps that use a launch script need to have the particular shebang interpreter granted file system access by the user in Catalina. But that is not the case here. Please also post any error messages your are rxing. – Stentor 25/10, 2019 at 15:52

libarchive keeps saying it can't read files. It's working as expected when sandbox is turned OFF – Cheddite 25/10, 2019 at 18:21

That means you need to use sandbox-extending entitlements. – Stentor 25/10, 2019 at 18:25

Not sure if I follow. I found this documentation regarding entitlements file: developer.apple.com/documentation/bundleresources/entitlements/… – Cheddite 25/10, 2019 at 19:26

What is the actual question? What is "not working"? The steps you've listed look fine. – Croton 8/3, 2020 at 2:54

W

3

Here is solution found for iTerm2 (it is worth read how solution was found). It just adds this to application plist:

<key>NSSystemAdministrationUsageDescription</key>
<string>I want to read all your files</string>

Documentation is a bit fuzzy.

Sadly this solution doesn't work for launchctld daemons (this is what I need). I think daemons are an exception since the do not see UI at all.

But for regular applications it should work like a charm (didn't test it yet).

Woodland answered 7/2, 2020 at 16:37 Comment(0)

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2025 — McMap. All rights reserved.