sparkle-project / Sparkle

A software update framework for macOS
https://sparkle-project.org

Sandbox not allowing XPC service to get app's bundle after downloading update #1828

Closed balthisar closed 3 years ago

balthisar commented 3 years ago

Description of the problem

tl;dr: the sandbox is preventing the InstallerLauncher.xpc from getting the bundle from my sandboxed application. This failure happens at SUInstallerLauncher.m:329, where NSBundle *hostBundle = [NSBundle bundleWithPath:hostBundlePath];

This results in a nil assignment and failing the assert() a few lines later.

Do you use Sandboxing in your app?

Yes.

Version of Sparkle.framework in the latest version of your app

Commit hash 4054549, this is current as of today.

Version of Sparkle.framework in the old version of app that your users have (or N/A)

n/a

Sparkle's output from Console.app

Sandbox: org.sparkle-proj(23068) deny(1) file-read-data /Users/jderry/Library/Developer/Xcode/DerivedData/Balthisar_Tidy-bvpybresykcplwanwodqvzveuuyl/Build/Products/web_debug/Balthisar Tidy (web-debug).app

That's the output when I've got a signed application exported from the Organizer. Here's the output when I'm running attached to Xcode:

Sandbox: org.sparkle-proj(22950) deny(1) file-read-data /Users/jderry/Library/Developer/Xcode/DerivedData/Balthisar_Tidy-bvpybresykcplwanwodqvzveuuyl/Build/Products/web_debug/Balthisar Tidy (web-debug).app
Violation:       deny(1) file-read-data /Users/jderry/Library/Developer/Xcode/DerivedData/Balthisar_Tidy-bvpybresykcplwanwodqvzveuuyl/Build/Products/web_debug/Balthisar Tidy (web-debug).app
Process:         org.sparkle-proj [22950]
Path:            /Users/jderry/Library/Developer/Xcode/DerivedData/Balthisar_Tidy-bvpybresykcplwanwodqvzveuuyl/Build/Products/web_debug/Balthisar Tidy (web-debug).app/Contents/XPCServices/org.sparkle-project.InstallerLauncher.xpc/Contents/MacOS/org.sparkle-project.InstallerLauncher
Load Address:    0x10ddda000
Identifier:      org.sparkle-project.InstallerLauncher
Version:         2.0.0 (2.0.0)
Code Type:       x86_64 (Native)
Parent Process:  debugserver [22951]
Responsible:     /Users/jderry/Library/Developer/Xcode/DerivedData/Balthisar_Tidy-bvpybresykcplwanwodqvzveuuyl/Build/Products/web_debug/Balthisar Tidy (web-debug).app/Contents/MacOS/Balthisar Tidy (web-debug)
User ID:         501

Date/Time:       2021-04-16 14:23:31.287 EDT
OS Version:      macOS 11.2.3 (20D91)
Report Version:  8

MetaData: {
  "file-flags": 0,
  "team-id": "9PN2JXXG7Y",
  "responsible-process-user-uuid": "5ACCD410-0123-4991-979D-939DC5BFF7D8",
  "sandbox_checker": "org.sparkle-proj",
  "checker": "org.sparkle-proj",
  "pid": 22950,
  "hardware": "Mac",
  "signing-id": "org.sparkle-project.InstallerLauncher",
  "summary": "deny(1) file-read-data /Users/jderry/Library/Developer/Xcode/DerivedData/Balthisar_Tidy-bvpybresykcplwanwodqvzveuuyl/Build/Products/web_debug/Balthisar Tidy (web-debug).app",
  "apple-internal": false,
  "responsible-process-uid": 501,
  "matched-user-intent-extension": false,
  "build": "macOS 11.2.3 (20D91)",
  "matched-extension": false,
  "process-path": "/Users/jderry/Library/Developer/Xcode/DerivedData/Balthisar_Tidy-bvpybresykcplwanwodqvzveuuyl/Build/Products/web_debug/Balthisar Tidy (web-debug).app/Contents/XPCServices/org.sparkle-project.InstallerLauncher.xpc/Contents/MacOS/org.sparkle-project.InstallerLauncher",
  "platform-policy": false,
  "file-mode": 493,
  "primary-filter-value": "/Users/jderry/Library/Developer/Xcode/DerivedData/Balthisar_Tidy-bvpybresykcplwanwodqvzveuuyl/Build/Products/web_debug/Balthisar Tidy (web-debug).app",
  "profile-in-collection": false,
  "responsible-process-path": "/Users/jderry/Library/Developer/Xcode/DerivedData/Balthisar_Tidy-bvpybresykcplwanwodqvzveuuyl/Build/Products/web_debug/Balthisar Tidy (web-debug).app/Contents/MacOS/Balthisar Tidy (web-debug)",
  "normalized_target": [
    "Users",
    "jderry",
    "Library",
    "Developer",
    "Xcode",
    "DerivedData",
    "Balthisar_Tidy-bvpybresykcplwanwodqvzveuuyl",
    "Build",
    "Products",
    "web_debug",
    "Balthisar Tidy (web-debug).app"
  ],
  "rdev": 0,
  "mount-flags": 76582912,
  "hardlinked": false,
  "checker-pid": 22950,
  "target": "/Users/jderry/Library/Developer/Xcode/DerivedData/Balthisar_Tidy-bvpybresykcplwanwodqvzveuuyl/Build/Products/web_debug/Balthisar Tidy (web-debug).app",
  "uid": 501,
  "process": "org.sparkle-proj",
  "flags": 5,
  "platform_binary": "no",
  "path": "/Users/jderry/Library/Developer/Xcode/DerivedData/Balthisar_Tidy-bvpybresykcplwanwodqvzveuuyl/Build/Products/web_debug/Balthisar Tidy (web-debug).app",
  "action": "deny",
  "operation": "file-read-data",
  "errno": 1,
  "vnode-type": "DIRECTORY",
  "primary-filter": "path",
  "profile-flags": 0,
  "container": "/Users/jderry/Library/Containers/org.sparkle-project.InstallerLauncher/Data",
  "platform-binary": false
}

Thread 0 (id: 785525):
0   libsystem_kernel.dylib          0x00007fff204b7376 __mac_syscall + 10
1   libsystem_sandbox.dylib         0x00007fff29192e57 sandbox_check + 207
2   Foundation                      0x00007fff2131182c -[NSBundle initWithPath:] + 400
3   Foundation                      0x00007fff2131ab39 +[NSBundle bundleWithPath:] + 33
4   org.sparkle-project.InstallerLauncher   0x000000010ddeacac __158-[SUInstallerLauncher launchInstallerWithHostBundlePath:authorizationPrompt:installationType:allowingDriverInteraction:allowingUpdaterInteraction:completion:]_block_invoke + 60 (SUInstallerLauncher.m:329)
5   libdispatch.dylib               0x000000010dfe0e78 _dispatch_call_block_and_release + 12
6   libdispatch.dylib               0x000000010dfe20b0 _dispatch_client_callout + 8
7   libdispatch.dylib               0x000000010dfe96b7 _dispatch_lane_serial_drain + 776
8   libdispatch.dylib               0x000000010dfea5c6 _dispatch_lane_invoke + 499
9   libdispatch.dylib               0x000000010dff61f9 _dispatch_root_queue_drain + 334
10  libdispatch.dylib               0x000000010dff6c83 _dispatch_worker_thread2 + 127
11  libsystem_pthread.dylib         0x000000010e089acf _pthread_wqthread + 244
12  libsystem_pthread.dylib         0x000000010e088ae3 start_wqthread + 15

Steps to reproduce the behavior

Of course, I thought the whole point of using XPC was to have it escape from the sandbox. Why would sandbox even be preventing the XPC from getting at the bundle?

zorgiepoo commented 3 years ago

It's possible you are accidentally sandboxing org.sparkle-project.InstallerLauncher.xpc which should not be done. The deny log above seems to imply the XPC Service has a container:

"container": "/Users/jderry/Library/Containers/org.sparkle-project.InstallerLauncher/Data"

Which I'm not sure should be present.

The host application entitlements have been verified via codesign -d --entitlements :- {file} as being correct.

Please check this on the XPC Service inside your built app and verify it has no sandboxing entitlements applied.

balthisar commented 3 years ago

Whoa, yeah, when I check it with codesign, it has all of the host app's entitlements. I guess those are somehow embedded in the XPC itself, as they're present even if I move the XPC to the desktop.

Good catch on seeing the container in the log; I guess I see it so often I'm blind to it.

Any idea how to prevent Xcode from applying the entitlement? It's outside your scope, so feel free not to answer; I'll research that myself.

Thanks!

zorgiepoo commented 3 years ago

Are you using any scripts or invocations that use codesign --deep -s by chance? Deep signing like this is discouraged because different components in an app may need different entitlements. Xcode is normally good about signing and exporting re-signed applications properly; inside-out and preserving entitlements. Our website docs have the workflow we recommend.

balthisar commented 3 years ago

Ha! There it is:

OTHER_CODE_SIGN_FLAGS = --deep

Why the heck did I put that in there‽

Working perfectly for me. Thanks.
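The two checks from this thread, written as an added example that is not part of the original discussion or of Sparkle's own code: it reads entitlements with the codesign command quoted above, flags an InstallerLauncher service that is sandboxed or carries the host app's entitlements, and finds build-setting lines that pass --deep. The function names and the sample plist are constructed for illustration.

```python
import plistlib
import re
import subprocess
import sys
from pathlib import Path

SANDBOX_KEY = "com.apple.security.app-sandbox"
LAUNCHER = "org.sparkle-project.InstallerLauncher.xpc"  # service named in the thread
DEEP_FLAG = re.compile(r"OTHER_CODE_SIGN_FLAGS.*--deep\b")

def parse_entitlements(xml):
    """Entitlements plist bytes -> dict; empty output means none are embedded."""
    return plistlib.loads(xml) if xml.strip() else {}

def read_entitlements(code_path):
    """Run the codesign command quoted in the thread (macOS only)."""
    out = subprocess.run(["codesign", "-d", "--entitlements", ":-", str(code_path)],
                         capture_output=True, check=True).stdout
    return parse_entitlements(out)

def launcher_problems(host, xpc):
    """Compare host-app and launcher entitlement dicts; return findings."""
    problems = []
    if xpc.get(SANDBOX_KEY) is True:
        problems.append("launcher is sandboxed")
    if xpc and xpc == host:
        problems.append("launcher carries the host app's entitlements (deep signing?)")
    return problems

def deep_flag_lines(build_settings):
    """Lines of an xcconfig or project.pbxproj that pass --deep to codesign."""
    return [ln.strip() for ln in build_settings.splitlines() if DEEP_FLAG.search(ln)]

# Constructed sample: host entitlements, as a deep-signed launcher would inherit them.
SAMPLE_HOST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.network.client</key><true/>
</dict></plist>"""

if __name__ == "__main__":  # usage: check.py /path/to/My.app
    app = Path(sys.argv[1])
    found = launcher_problems(read_entitlements(app),
                              read_entitlements(app / "Contents/XPCServices" / LAUNCHER))
    print("\n".join(found) or "launcher entitlements look fine")
    sys.exit(1 if found else 0)
```

Run against a built or exported app, it exits non-zero when the launcher service shows either symptom described in the thread.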