Question

I am trying to sandbox my OS X app using the codesign command (this is a Common Lisp app and does not use Xcode). I have created a very basic entitlements plist that looks like this:

<?xml version="1.0" encoding="utf-8"?>
<plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
    </dict>
</plist>

and I am calling the codesign command:

codesign -s - -f --entitlements "/path/to/my/app/MyApp.app/Contents/entitlements.plist" "/path/to/my/app/MyApp.app/"

But this command returns the following error:

/path/to/my/app/MyApp.app/Contents/entitlements.plist: cannot read entitlement data

Does this error mean that I have used the wrong command? If so, what is wrong with the command?


Solution

The Xcode generated plist is binary format and looks like this for a fairly standard limited sandbox setup:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.ubiquity-container-identifiers</key>
    <array>
        <string>$(TeamIdentifierPrefix)com.company.appname</string>
    </array>
    <key>com.apple.developer.ubiquity-kvstore-identifier</key>
    <string>$(TeamIdentifierPrefix)com.company.appname</string>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.assets.movies.read-only</key>
    <true/>
    <key>com.apple.security.assets.music.read-only</key>
    <true/>
    <key>com.apple.security.assets.pictures.read-only</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.print</key>
    <true/>
    <key>com.apple.security.files.bookmarks.document-scope</key>
    <true/>
</dict>
</plist>

All I can suggest is using Xcode to construct the plist and manually stripping those keys that you don't want. In your case...

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>

I'm just wondering if the !DOCTYPE element is required for some reason by the signing tool and the encoding attribute should be upper case.

I've also left in a couple of keys which may be needed even if, as you say, it's a basic Lisp app, in particular the com.apple.security.files.user-selected.read-write key, which will give your process file access.

Other tips

For people that find this from a Google search:

I got an almost-identical error:

~/Desktop/Instagram.xcent: cannot read entitlement data

The solution was to not use ~ in the path, but instead /Users/...
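
A pre-signing check for the two causes raised in the answers above, as an added example that is not part of the original posts: it resolves a literal `~` to an absolute path, confirms the file parses as a property list with the sandbox key set, and notes a missing DOCTYPE line (the answer's unconfirmed guess). The helper name `check_entitlements` and the embedded sample are constructed for illustration.

```python
import os
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"

# Constructed sample: the question's plist (XML declaration, no DOCTYPE line).
SAMPLE_NO_DOCTYPE = b"""<?xml version="1.0" encoding="utf-8"?>
<plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
    </dict>
</plist>
"""

def check_entitlements(path):
    """Hypothetical helper: return (absolute_path, problems) for an entitlements file."""
    problems = []
    if path.startswith("~"):
        # A quoted "~" is not expanded by the shell and reaches the tool literally.
        problems.append("path starts with a literal '~'; pass the expanded absolute path")
    resolved = os.path.abspath(os.path.expanduser(path))
    try:
        with open(resolved, "rb") as fh:
            raw = fh.read()
    except OSError as exc:
        return resolved, problems + [f"cannot open file: {exc.strerror}"]
    try:
        data = plistlib.loads(raw)
    except Exception as exc:  # plistlib raises several parser exception types
        return resolved, problems + [f"not a parseable property list: {exc}"]
    if not isinstance(data, dict):
        return resolved, problems + ["top-level plist object is not a <dict>"]
    if data.get(SANDBOX_KEY) is not True:
        problems.append(f"{SANDBOX_KEY} is not set to <true/>")
    if raw.lstrip().startswith(b"<?xml") and b"<!DOCTYPE plist" not in raw:
        # Difference from Xcode's output that the answer wonders about; unconfirmed.
        problems.append("XML plist has no <!DOCTYPE plist ...> line, unlike Xcode's output")
    return resolved, problems

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: check_entitlements.py ENTITLEMENTS_PLIST")
    resolved, problems = check_entitlements(sys.argv[1])
    print(resolved)
    for p in problems:
        print("  -", p)
    sys.exit(1 if problems else 0)
```

Pass the absolute path it prints to `codesign --entitlements` once the problem list is empty.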

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow