Mac OS In App Sandbox Entitlements Directory Read Issue

Question

I am having an issue with my App Sandbox entitlements.

My Mac OS app allows a user to open an XML file. When that file is parsed it reads a image file in the same directory as XML file.

If App Sandbox is False, the image loads just fine. If App Sandbox is True, the image fails to load. (The XML file is still read)

The App Sandbox must be True to push to the App Store.

I have tried

com.apple.security.files.user-selected.read-write = TRUE
com.apple.security.temporary-exception.files.home-relative-path.read-only = TRUE
com.apple.security.temporary-exception.files.absolute-path.read-only = TRUE

I pulled this information from Apple’s documentation: Apples Entitlement Doc

Is there a way that I can read both files? Anyone else encounter something like this?

Additionally, the two files can be anywhere the user would normally save a file. Including, Network Drives.

Answer 1

com.apple.security.files.user-selected.read-write = TRUE

this is a Boolean value and it's OK, the XML representation in the entitlements file is:

<key>com.apple.security.files.user-selected.read-write</key>
<true/>

the other 2 entitlements are not Boolean, but arrays of strings. So the correct way to represent it in the entitlements file is:

<key>com.apple.security.temporary-exception.files.home-relative-path.read-only</key>
<array>
    <string>example/local/path1/</string>
    <string>example/local/path2/</string>
</array>
<key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
<array>
    <string>/usr/local/bin/</string>
    <string>/usr/local/lib/</string>
</array>

Answer 2

No. In order for the file to be read, it must be:

• In a world readable location, or
• In a folder that can enabled in the entitlement preferences, i.e Downloads folder, or
• Manually opened or saved to by the user using an NSOpenPanel after which it can optionally be
• Stored as a security scoped bookmark, after which it can be accessed freely. See here.