Build failed in sandboxed app on Xcode 15.0 with User Script Sandboxing set to YES by default
UeharaYou opened this issue · 2 comments
Description
It seems that Xcode 15.0 has changed "User Script Sandboxing" to YES by default, causing the Run Script Phase to fail, with the sandbox denying access to the script and the helpers in LaunchAtLogin.bundle.
Environment
- Xcode 15.0-beta3
- macOS 14.0 Beta(23A5286i)
Error Message
Sandbox: bash(18682) deny(1) file-read-data /Users//Library/Developer/Xcode/DerivedData/test-/Build/Products/Debug/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/copy-helper-swiftpm.sh
Fixes
1. Whitelisting the script and all files accessed by the script by listing them as "Input Files" in the "Run Script Phase".
   - After adding the "Run Script Phase" as instructed in "readme.md", add the following files to the "Input Files" slot.
${BUILT_PRODUCTS_DIR}/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip
${BUILT_PRODUCTS_DIR}/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper.zip
${BUILT_PRODUCTS_DIR}/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper-with-runtime.zip
2. (Fallback Solution) If step 1 does not work, and ONLY WHEN YOU KNOW THE SECURITY RISKS AND WHAT YOU ARE ACTUALLY DOING, override "User Script Sandboxing" back to NO in build settings.
Solution 1 works for Build only, and for Archive it generates a sandbox error.
@ikorich Hi there. Sorry for the inconvenience. The solution does fail on archiving, and I failed to spot that at the time, as I was only debugging (it never failed since I'm using macOS 14).
For now the solution is to disable the "User Script Sandboxing" option if you want to use this package. We have to change the script to make it fit into the sandbox.
This is mainly because "Run Script Phase" is not designed for manipulating bundles, but for building sources (at least that's what Apple thinks), and "User Script Sandboxing" only takes that use into consideration. So we are basically exploiting the "Run Script Phase" to do extra work.
I'm sorry for the inconvenience.
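An added example, not part of the thread or of the LaunchAtLogin project: a Python check over a constructed `project.pbxproj` excerpt that reports Run Script phases whose script text names `${BUILT_PRODUCTS_DIR}` paths missing from "Input Files", and counts build configurations that set `ENABLE_USER_SCRIPT_SANDBOXING = NO`. The object IDs, the phase name and the function name `audit` are assumptions made for illustration.

```python
import re

# Constructed project.pbxproj excerpt (object IDs and phase name are made up).
SAMPLE_PBXPROJ = r'''
A1B2C3 /* Copy Launch Helper */ = {
    isa = PBXShellScriptBuildPhase;
    inputPaths = (
        "${BUILT_PRODUCTS_DIR}/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/LaunchAtLoginHelper.zip",
    );
    name = "Copy Launch Helper";
    shellScript = "\"${BUILT_PRODUCTS_DIR}/LaunchAtLogin_LaunchAtLogin.bundle/Contents/Resources/copy-helper-swiftpm.sh\"\n";
};
D4E5F6 /* Debug */ = {
    isa = XCBuildConfiguration;
    buildSettings = {
        ENABLE_USER_SCRIPT_SANDBOXING = NO;
    };
    name = Debug;
};
'''

# Fields between the isa line and shellScript, then the escaped script body.
PHASE_RE = re.compile(
    r'isa = PBXShellScriptBuildPhase;(.*?)shellScript = "((?:[^"\\]|\\.)*)";', re.S)
# Build-products paths named in the script text; stops at whitespace, quote or escape.
PATH_RE = re.compile(r'\$\{BUILT_PRODUCTS_DIR\}/[^\s"\\]+')

def audit(pbxproj):
    """Return ([(phase, undeclared_path)], count of sandbox-disabled configs)."""
    findings = []
    for fields, script in PHASE_RE.findall(pbxproj):
        inputs = re.search(r'inputPaths = \((.*?)\);', fields, re.S)
        declared = set(re.findall(r'"([^"]+)"', inputs.group(1))) if inputs else set()
        name = re.search(r'name = "?([^";]+)"?;', fields)
        phase = name.group(1) if name else "ShellScript"
        for path in sorted(set(PATH_RE.findall(script)) - declared):
            findings.append((phase, path))
    disabled = len(re.findall(r'ENABLE_USER_SCRIPT_SANDBOXING = NO;', pbxproj))
    return findings, disabled

if __name__ == "__main__":
    undeclared, disabled = audit(SAMPLE_PBXPROJ)
    for phase, path in undeclared:
        print(f"[{phase}] reads a path not listed in Input Files: {path}")
    print(f"build configurations with user script sandboxing disabled: {disabled}")
```

The check only sees paths written in the phase's own script text; files that the invoked script reads internally, such as the helper archives, still have to be declared by hand.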