search

sindresorhus / LaunchAtLogin-Legacy

Add “Launch at Login” functionality to your macOS app in seconds
MIT License
1.55k stars 122 forks source link

Build failed in sandboxed app on Xcode 15.0 with User Script Sandboxing set to YES by default #95

Closed UeharaYou closed 1 year ago

UeharaYou commented 1 year ago

Description

It seems that Xcode 15.0 has changed "User Script Sandboxing" to YES by default, making Run Script Phase to fail with sandbox denying access the script and the helpers in LaunchAtLogin.bundle.

Environment

Error Message

Sandbox: bash(18682) deny(1) file-read-data /Users//Library/Developer/Xcode/DerivedData/test-/Build/Products/Debug/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/copy-helper-swiftpm.sh

Fixes

  1. Whitelisting the script and all files accessed by the script by enlisting them as "Input Files" in "Run Script Phase".
    • After adding the "Run Script Phase" as instructed in "readme.md", add the following files to the "Input Files" slot.

      ${BUILT_PRODUCTS_DIR}/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip ${BUILT_PRODUCTS_DIR}/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper.zip ${BUILT_PRODUCTS_DIR}/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip

image

  1. (Fallback Solution) If step 1 does not work, and ONLY WHEN YOU KNOW THE SECURITY RISKS AND WHAT YOU ARE ACTUALLY DOING, Override "User Script Sandboxing" back to NO in build settings.
ikorich commented 11 months ago

Hi @sindresorhus, @UeharaYou

solution 1 forks for Build only, and for Archive generates a sandbox error

UeharaYou commented 11 months ago

@ikorich Hi there. Sorry I for the inconvenience. The solution does fail on archiving, and I failed to spot that the time I'm just debugging (it never failed since I'm using macOS 14).

For now the solution is to disable "User Script Sandboxing" option if you want to use this package. We have to change the script to have it fitted into the sandbox.

This is mainly because "Run Script Phase" is not designed for manipulating bundles, but to build sources (at least that's what Apple thinks), and "User scripting Sandboxing" is just in consideration for that. So we are basically exploiting the "Run Script phase" to do extra works.

I'm sorry for the inconvenience.