Incorrect application of App Sandbox setting to entitlements

Two small bugs in the Projucer, regarding its handling of App Sandbox entitlements.

First: In jucer_ProjectExport_Xcode.h, in the XcodeProjectExport object, inside the getEntitlements() function, the logic for determining the com.apple.security.app-sandbox value is incorrect.

Currently, the logic detects whether the current project is an audio plugin, and sets the app sandbox entitlement according to whether the app is an audio plugin or not.

This behavior is incorrect. Any type of Mac executable may be sandboxed or not, regardless of whether it is an audio plugin in the Juce sense. Command line tools may be sandboxed or not, for example.

The Xcode exporter has an appSandboxValue and a corresponding “App Sandbox” checkbox, which is currently ignored when writing out the entitlements file.
The checkbox should be the sole source of truth in determining whether the com.apple.security.app-sandbox entitlement is enabled or not. Please make this change.

Second: there is no entitlement checkbox in the Xcode exporter for com.apple.security.inherit. This is an important entitlement flag for helper applications, or for utilities that are executed by other utilities. Please make what should be a one-line change.

I’d make all these code changes myself, but ROLI seems a bit picky about what they accept into mainline. Please advise.

This also adds the com.apple.security.app-sandbox key when the app sandbox setting is enabled in the Projucer. I believe sandboxing was working correctly before without this key, but Xcode adds it to the entitlements file when you select the sandboxing option in the project settings so we should too.

I can’t build AUv3 after updating to JUCE v5.4.7. The error from Xcode:

Automatic signing is unable to resolve an issue with the “App - AUv3 AppExtension” target’s entitlements. Automatic signing can’t add the com.apple.security.app-sandbox entitlement to your provisioning profile. Switch to manual signing and resolve the issue by downloading a matching provisioning profile from the developer website. Alternatively, to continue using automatic signing, remove this entitlement from your entitlements file and its associated functionality from your code.

I know that sandboxing is enabled by default for any iOS target. So I found the AUv3_AppExtension.entitlements file, and there is an App Sandbox row set to TRUE, and it is created every time I resave the project. There is no field in the Projucer for the iOS target. And after removing this row the build runs smoothly. Is there a fix for the Projucer?
Thanks

Looks like that might have been an issue with the changes above. Can you see if ad241f8 fixes the issue for you? You’ll need to rebuild the Projucer and resave your project.

It’s fixed! Thank you for the quick response.

Side note: if you resave your project after this change (without deleting the build folder), someone might not realise that the entitlements file will not be created automatically anymore (and may silently depend on it, without knowing it).

Do plugin entitlements (besides AUv3) have an effect on hosts? Do they have any effect at all?
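An added example, not part of any post in this thread and not Projucer code: a small audit for generated `.entitlements` files that checks the three points raised above (the sandbox value should follow the exporter's checkbox, the key should not appear in an iOS target, and `com.apple.security.inherit` belongs with `com.apple.security.app-sandbox`). The function and parameter names and the sample plists are constructed; the rule that an inheriting helper carries only those two sandbox keys comes from Apple's App Sandbox documentation and is approximated here by a key-prefix match.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
INHERIT = "com.apple.security.inherit"

def audit_entitlements(plist_bytes, platform, sandbox_checkbox):
    """Return findings for one entitlements plist.

    platform is "macos" or "ios"; sandbox_checkbox is the exporter's
    "App Sandbox" setting. Both names are hypothetical, not Projucer's.
    """
    ent = plistlib.loads(plist_bytes)
    findings = []
    if platform == "ios":
        # The AUv3 report above: automatic signing rejects this key on iOS.
        if SANDBOX in ent:
            findings.append("app-sandbox key present in an iOS target")
        return findings
    sandboxed = ent.get(SANDBOX) is True
    if sandboxed != sandbox_checkbox:
        # First report: the value must follow the checkbox, not the project type.
        findings.append("app-sandbox value does not match the exporter setting")
    if ent.get(INHERIT) is True:
        if not sandboxed:
            findings.append("inherit set without app-sandbox")
        # Heuristic: treat com.apple.security.* keys (except hardened-runtime
        # cs.* keys) as sandbox entitlements that must not accompany inherit.
        extra = sorted(k for k in ent
                       if k.startswith("com.apple.security.")
                       and not k.startswith("com.apple.security.cs.")
                       and k not in (SANDBOX, INHERIT))
        if extra:
            findings.append("inherit combined with: " + ", ".join(extra))
    return findings

# Constructed sample inputs (not taken from a real project).
SAMPLES = {
    "macos_mismatch": (plistlib.dumps({SANDBOX: False}), "macos", True),
    "ios_auv3": (plistlib.dumps({SANDBOX: True}), "ios", True),
    "helper_ok": (plistlib.dumps({SANDBOX: True, INHERIT: True}), "macos", True),
    "helper_extra": (plistlib.dumps({SANDBOX: True, INHERIT: True,
                     "com.apple.security.network.client": True}), "macos", True),
}

if __name__ == "__main__":
    for name, args in SAMPLES.items():
        print(name, audit_entitlements(*args) or "ok")
```
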