Incorrect application of App Sandbox setting to entitlements

Two small bugs in the Projucer, regarding its handling of App Sandbox entitlements.

First: In jucer_ProjectExport_Xcode.h, in the XcodeProjectExport object, inside the getEntitlements() function, the logic for determining the com.apple.security.app-sandbox value is incorrect.

Currently, the logic detects whether the current project is an audio plugin, and sets the app sandbox entitlement according to whether the app is an audio plugin or not.

This behavior is incorrect. Any type of Mac executable may be sandboxed or not, regardless of whether it is an audio plugin in the JUCE sense. Command line tools may be sandboxed or not, for example.

The Xcode exporter has an appSandboxValue and a corresponding “App Sandbox” checkbox, which is currently ignored when writing out the entitlements file.
The checkbox should be the sole source of truth in determining whether the com.apple.security.app-sandbox entitlement is enabled or not. Please make this change.

Second: there is no entitlement checkbox in the Xcode exporter for com.apple.security.inherit. This is an important entitlement flag for helper applications, or for utilities that are executed by other utilities. Please make what should be a one-line change.

I’d make all these code changes myself, but ROLI seems a bit picky about what they accept into mainline. Please advise.

This also adds the com.apple.security.app-sandbox key when the app sandbox setting is enabled in the Projucer. I believe sandboxing was working correctly before without this key, but Xcode adds it to the entitlements file when you select the sandboxing option in the project settings so we should too.

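A check for the exported entitlements file, added here as an example and not part of the thread or of the Projucer source: it compares the com.apple.security.app-sandbox key with the exporter's "App Sandbox" setting and looks at how com.apple.security.inherit is combined with other keys. The function name, the `is_helper` flag and the sample files are assumptions made for this example.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
INHERIT = "com.apple.security.inherit"

def audit_entitlements(plist_bytes, sandbox_setting, is_helper=False):
    """Return findings for one exported .entitlements file.

    sandbox_setting: state of the exporter's "App Sandbox" checkbox.
    is_helper: hypothetical flag, True for a tool launched by a sandboxed parent.
    """
    ent = plistlib.loads(plist_bytes)
    sandboxed = ent.get(SANDBOX) is True
    inherits = ent.get(INHERIT) is True
    findings = []
    # The checkbox is the only input that should decide this key.
    if sandboxed != sandbox_setting:
        findings.append(f"{SANDBOX}={sandboxed}, but App Sandbox setting is {sandbox_setting}")
    if inherits and not sandboxed:
        findings.append(f"{INHERIT} is set without {SANDBOX}")
    if inherits:
        # Apple's App Sandbox docs: an inheriting child carries only these two
        # sandbox keys. Hardened-runtime keys (com.apple.security.cs.*) are separate.
        extra = sorted(k for k in ent
                       if k.startswith("com.apple.security.")
                       and not k.startswith("com.apple.security.cs.")
                       and k not in (SANDBOX, INHERIT))
        if extra:
            findings.append(f"{INHERIT} combined with other sandbox keys: {', '.join(extra)}")
    if is_helper and sandbox_setting and not inherits:
        findings.append(f"helper target has no {INHERIT} key")
    return findings

# Constructed sample files (not taken from a real project).
SAMPLES = {
    "cli_tool_key_dropped": (plistlib.dumps({}), True, False),
    "app_ok": (plistlib.dumps({SANDBOX: True}), True, False),
    "helper_no_inherit": (plistlib.dumps({SANDBOX: True}), True, True),
    "helper_extra_key": (plistlib.dumps({SANDBOX: True, INHERIT: True,
        "com.apple.security.network.client": True}), True, True),
}

if __name__ == "__main__":
    for name, (data, setting, helper) in SAMPLES.items():
        print(name, audit_entitlements(data, setting, helper) or "ok")
```

Run against each target's .entitlements file after export, this catches the case described in the first post, where a non-plugin target has the checkbox enabled but the key is missing.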