Problem about sandboxing my apps

hi,
its been a while i m not release new games ... almost 6month. just now i upload my apps to mac appstore and i received an email :
----------------------------
Dear developer,

We have discovered one or more issues with your recent binary submission for "xxxxx". Your app has proceeded to review, but you may wish to correct the following issues in your next submission:

Invalid Signature - the executable xxxxx.app/Contents/Frameworks/MonoEmbedRuntime/osx/libmono.0.dylib is not signed, the signature is invalid, or it is not signed with an Apple submission certificate. Refer to the Code Signing and Application Sandboxing Guide for more information.

If you would like to update your binary for this app, you can reject this binary from the Binary Details page in iTunes Connect. Note that rejecting your binary will remove your app from the review queue and the review process will start over from the beginning when you resubmit your binary.

Regards,

The App Store team
-------------------------------
first time i read ... i tough my apps has been reject by apple. but when i check in itunesconnect ... i found my apps was not rejected and still in yellow dot with status "waiting for review"

i read the code signing guide and my interpretation is this sandboxing system is optional (hope my interpretation is not wrong with my lack of english ... sorry)

my question is :
a. is it really optional with sandboxing or it is a must ?
b. what is this sandbox use for ?
c. how to sandboxing our apps? can you guys point me to the right direction.

thanks in advance. have a nice day

 

Hi petero,

You'll be glad to hear the error your getting isn't to do with Sandboxing, but instead a bug where the codesign misses out on a Unity lib. You can fix this by doing a 2nd codesign for the lib before your product build. Something like this:

Code (csharp):

1. codesign -f -s '3rd Party Mac Developer Application: CompanyName' "AppName/Contents/Frameworks/MonoEmbedRuntime/osx/libmono.0.dylib”

Whether you need to do this or not, I'm unsure. I've read some people say that their App has been accepted with this warning, but then later had issues updating them - so I've always opted to do the extra codesign to avoid any issues. I'm also aware of some people having issues with the above 2nd codesign when using Unity 3.5, but I can't confirm this as I'm still using 3.4.2 (Never a good idea to update mid-project! ).

As for Sandboxing, it was supposed to be optional, but I'm sure there was a time line for it to become mandatory. It's fairly easy to do, but involves creating an additional file and modifying the codesign. I can post more details of this if you decide you want to add that too.

Hope that helps

 

@NomadKing : thx for your quick reply. now i don't know what to do ... whether add this codesign or not ... as i'm using unity3d ver 3.5 ... anyway thanks for your information. if its not bother you, can you post more detail about sandboxing ... thx.

btw ... you already help me alot.

 

Sure petero.

I can't really offer a good description of exactly what Sandboxing is (and why Apple want it) but a quick google or wiki search should give you an overview of the idea. What I can offer is a way to make sure your App gets approved for it Credit goes to CoalGames for originally sharing this:

1. You need to make an entitlements file for your App (AppName.entitlements). It's an XML style file, so its pretty simple. You can find out more info on exactly what you can put in it from the Apple developer site, but for most Unity games the following will be fine:

Code (csharp):

1.     <?xml version="1.0" encoding="UTF-8"?>
2.     <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3.     <plist version="1.0">
4.     <dict>
5.         <key>com.apple.security.app-sandbox</key>   <true/>
6.     </dict>
7.     </plist>

2. Save this file with your App (AppName.entitlements)

3. Codesign with the added entitlements

Code (csharp):

1. codesign -f -s '3rd Party Mac Developer Application: CompanyName' --entitlements "AppName.entitlements" "/AppPath/AppName.app"

It's basically the same as the normal codesign, but with --entitlements “AppName.entitlements” added after the certificate.

After this, I usually do the 2nd codesign for the Unity lib (without entitlements) and then the product build as normal. Done!

Perosnally, I would leave your App in the review queue (as it's not rejected by the warning you got), then after its approved do an update with the 2nd codesign and sandboxing. That way, if there is an error with getting them to work your App will still be available, and you won't lose your place in the review queue (which you would do if you cancelled it now).

 

you are right ... when i update my games ... i will do 2nd code sign n sandbox as until now my apps is not rejected by apple. thanks for your sharing and valuable information ... and thankyou for CoalGames too ... have a nice day

 

Your welcome petero.

Let me know how Unity 3.5 and the 2nd codesign work out

 

i will

 

Where should i save AppName.entitlements exactly?

Thanks for sharing infos.

 

i saved the file in MacOS folder.when i code sign get an error :

AppName.entitlements: cannot read entitlement data

What's the problem?

Thanks.

 

I usually just save it in the same directory as my app, although it shouldn't matter where you save it as long as you put the correct path to it in the codesign line. That error sounds like it can't find the entitlements file.

 

Thanks.Problem solved.

 

I am an artist first and coder(learning) second, so please cut me some slack per the following:
Could someone please post a step by step method to solve this issue of sandboxing outside of the xcode environment/ utilizing unity such that the unity app can be published to the mac app store. (I'm familiar with signing using terminal.)

At the risk of seeming "unwise" (fill in your own euphemism) I am going to post the (erroneous at some point) steps I have so far:

0. Create entitlements file (allowing keys for all services needed--- i.e. network (for linking from a demo to the full version), and usb(required by unity) etc...

1. Place appName.entitlements in same folder as appName.app (That is, place entitlements file in a folder not inside the app file, but in the same folder as the app file-- i.e. both appName.entitlements and appName.app on the desktop.)

2. Sign the appName.entitlements file using terminal (Does this file then need to be placed within the app and where? Root?) (Yes when I sign it, I am asked for access to the keychain and the signing goes well.)

3. Get rejected by Apple for not sandboxing.

Any help is appreciated.

 

any luck smoothsailing?

I have the exact same issue with the same steps.

ahh, nevermind i was missing this bit in the command! "--entitlements"

 

any update smooth sailing?

I have the exact same issue with the same steps. I am using Mountain Lion 10.8.1 and Xcode 4.4.1.

As per Apple documentation, to confirm that the app is sandboxed

In Finder, look at the contents of the ~/Library/Containers/ folder.

If the app is sandboxed, there is now a container folder named after your app. The name includes the company identifier for the project, so the complete folder name would be, for example, com.yourcompany.app.

The system creates an app’s container folder, for a given user, the first time the user runs the app.

In Activity Monitor, check that the system recognizes the app as sandboxed.

Launch Activity Monitor (available in /Applications/Utilities).
In Activity Monitor, choose View > Columns.
Ensure that the Sandbox menu item is checked.

In the Sandbox column, confirm that the value for the app is Yes.
To make it easier to locate the app in Activity monitor, enter the name of the app in the Filter field.

 

Hello,

I'm trying to build my package too, but I get stuck on the Sandbox too. I've created a 'GameName.entitlements' and placed it within my Content folder (where Info.plist is, and everything else).

Every time I try and code sign it - I keep get this error:
GameName.entitlements: cannot read entitlement data

I've tried moving it out on to the desktop, I've tried renaming my entitlements, I've even tried naming it entitlements.plist.
What am I missing here?

Can someone please point me in the right direction as I am honestly stumped!
Thanks!

 

Just to update what Apple is doing, I've just had an app kicked back for not sandboxing. From the email: "To process your delivery, the following issues must be corrected: App sandbox not enabled - The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list. Refer to the App Sandbox page for more information on sandboxing your app." I read that to mean that it now HAS to be sandboxed in order to be reviewed.

I think what's in this thread will solve the issue, though. Hope this saves someone some time.

 

i am facing problem while codesign at

1. codesign -f -s '3rd Party Mac Developer Application: CompanyName' --entitlements "AppName.entitlements" "/AppPath/AppName.app"

it shows error in ambiguous match in my certificate

 

When you have a problem, start your own post. Please DO NOT NECRO-POST to some other completely unrelated ten-year-old post.

When you post, here's how to communicate technical issues clearly:

How to report your problem productively in the Unity3D forums:

http://plbm.com/?p=220

This is the bare minimum of information to report:

- what you want
- what you tried
- what you expected to happen
- what actually happened, especially any errors you see
- links to documentation you used to cross-check your work (CRITICAL!!!)

If you post a code snippet, ALWAYS USE CODE TAGS:

How to use code tags: https://forum.unity.com/threads/using-code-tags-properly.143875/