How to sandbox JavaAppLauncher for App Store
I am trying to submit a Java application to the MacOS X App Store. All my code is correctly signed (jars, dylib, etc.). Unfortunately, when uploading a binary file, I always get an "Invalid Binary" error with the following message:
Dear Developer,
We have encountered one or more problems with your recent delivery for "tamaggo ibi desktop". The following issues must be resolved to process your delivery:
Failed to enable application sandbox. The following executables must include the right to "com.apple.security.app-sandbox" with Boolean true in the list of rights properties. For more information on sandboxing your application, see the Application Sandbox page.
• tamaggo ibi.app/Contents/MacOS/JavaAppLauncher
After fixing these issues, go to the Release Notes page and click Finish to download binaries. Continue the submission process until the status of the application "Waiting for Download" appears. Then you can deliver the patched binary.
With respect,
App Store Team
I thought about this all day, but I couldn't find anything. Does anyone know how to isolate the JavaAppLauncher in the .entitlements file?
To give more information, here's how I sign the code:
/usr/bin/codesign --resource-rules desktop-app/target/dist/myApp/Contents/ResourceRules.plist --verbose --force --sign "3rd Party Mac Developer Application: XXX" desktop-app/target/dist/myApp
find desktop-app/target/dist/myApp.app/Contents/ -type f \( -name "*.jnilib" -or -name "*.jar" -or -name "*.dylib" \) -exec codesign --resource-rules desktop-app/target/dist/myApp.app/Contents/ResourceRules.plist --verbose -f -s "3rd Party Mac Developer Application: XXX" --entitlements desktop-app/target/dist/myApp.app/Contents/myApp.entitlements {} \;
codesign --resource-rules desktop-app/target/dist/myApp.app/Contents/ResourceRules.plist --verbose --force --sign "3rd Party Mac Developer Application: XXX" desktop-app/target/dist/myApp.app/Contents/Resources/binaries/ffmpeg
codesign --resource-rules desktop-app/target/dist/myApp.app/Contents/ResourceRules.plist --verbose --force --sign "3rd Party Mac Developer Application: XXX" desktop-app/target/dist/myApp.app/Contents/MacOS/JavaAppLauncher
We have had a java application on MAS since late summer 2012. I think we were the first java application in the store (more on infinkind.com).
I think one problem is how you sign up. To be accepted in the app store, you need to link the JDK. This can be done using the appbundler ant task. We've forked this with a few improvements as the official one seems to be stuck and not accepting updates:
https://bitbucket.org/infinitekind/appbundler
We also created a fork of OpenJDK with a few minor fixes that were the handlers (keyboard issues for menu items) for us. They can now be included in the mainstream OpenJDK, but I don't think so.
https://bitbucket.org/infinitekind/openjdk7u-jdk
Anyway, the above two elements might not be necessary in your case, but this is how we did it and it worked. I think the real problem is what you sign and in what order. Here's what we're doing, and it has been accepted for five update submissions:
# sign all the jar and dylib files (signing jars is apparently not required by apple, but should be!)
find "Path/To/App/AppName.app/Contents" -type f \( -name "*.jar" -or -name "*.dylib" \) -exec codesign -f -s '3rd Party Mac Developer Application: YourCompanyName' --entitlements 'path/to/AppName.entitlements' {} \;
# Sign the JDK plugin
codesign --verbose -f -s '3rd Party Mac Developer Application: YourCompanyName' --entitlements 'path/to/AppName.entitlements' "Path/To/App/AppName.app/Contents/Plugins/jdk"
# sign the whole bundle
codesign --verbose -f -s '3rd Party Mac Developer Application: YourCompanyName' --entitlements 'path/to/AppName.entitlements' "Path/To/App/AppName.app"
Hope it's not too late to be helpful!
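A check to run after signing, added here as an example (not code from the question or the answer): it lists Mach-O executables in the bundle, such as Contents/MacOS/JavaAppLauncher, whose signature does not carry com.apple.security.app-sandbox set to true. It assumes the `:-` form of `codesign -d --entitlements` and the `file` output wording noted in the comments; the function names and the sample plists are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original posts): find executables in a signed
# .app bundle whose signature lacks com.apple.security.app-sandbox = true.

# Succeeds only if the entitlements plist (XML) on stdin sets the sandbox key
# to <true/>. Empty input (no entitlements embedded at all) fails.
has_sandbox_entitlement() {
    tr -d ' \t\r\n' |
        grep -q '<key>com\.apple\.security\.app-sandbox</key><true/>'
}

# Prints every Mach-O executable under the bundle that fails the check.
# Assumptions: `file` describes such files as "Mach-O ... executable", and
# `codesign -d --entitlements :-` writes the embedded entitlements as XML.
audit_bundle() {
    find "$1/Contents" -type f -perm -u+x | while IFS= read -r f; do
        file -b "$f" | grep -q 'Mach-O.*executable' || continue
        codesign -d --entitlements :- "$f" 2>/dev/null |
            has_sandbox_entitlement || printf '%s\n' "$f"
    done
}

# Constructed sample entitlements, in the XML form codesign prints.
SANDBOXED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict></plist>'
# The key is present but false; another entitlement being true must not count.
NOT_SANDBOXED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
    <key>com.apple.security.app-sandbox</key>
    <false/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
</dict></plist>'

# With a bundle path as argument, audit it; otherwise run on the samples.
if [ "$#" -gt 0 ]; then
    audit_bundle "$1"
else
    printf '%s' "$SANDBOXED" | has_sandbox_entitlement && echo "sample 1: sandboxed"
    printf '%s' "$NOT_SANDBOXED" | has_sandbox_entitlement || echo "sample 2: NOT sandboxed"
fi
```

An empty result from `audit_bundle Path/To/App/AppName.app` means every executable it found carries the entitlement; any path it prints was signed without `--entitlements` or with a file that does not enable the sandbox.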