Mac app store helper tool Sandboxing

Question

My app consist of two executables

• the main app executable
• small console app to process some files, this executable is on Resources folder (no root privileges required)

The thing is that I don't know how to submit this app to appstore, I get the following response from apple

Invalid Signature - the main app bundle appname at path appname.app is signed but the signature is invalid. The following error(s) were reported from codesign: a sealed resource is missing or invalid In architecture: i386

If I remove helper app, it bypasses this error, but app won't work at all. Anyone knows a good way or example on how to embed a helper app and sign it corectly to appstore??

Apple docs are not clear on this.

Answer 1

You need to sign both main app and helper console tool

Signing .app is documented so I describe you how to codesign the helper.

• Create by hand an entitlements file and add it to helper project (you can copy the one from main app and removing not necessary entitlements keys)
• Create an Info.plist as documented at Adding an Info.plist to Single-File Tools (this step should be not mandatory but if you find the helper crash try to add it)

If main app launches the helper tool you should need to add

com.apple.security.inherit

this is described in Enabling App Sandbox Inheritance

If main app interacts with helper in some other manner maybe you need XPC communication or if you are lucky it will be sufficient to use App Group

Something like

<key>com.apple.security.application-groups</key>
<array>
    <string>$(TeamIdentifierPrefix)my.package</string>
</array>

Take a look at AppSandboxLoginItemXPCDemo

From my experience TeamIdentifierPrefix must be empty on development environment and set to your team id when you submit to MAS, please handle with care my considerations on TeamIdentifierPrefix (i.e. try yourself)