Enable sandboxing without using temporary-exception #5584

Merged
merged 2 commits into from May 18, 2016

6 participants
@zcbenz
Contributor

zcbenz commented May 18, 2016

According to App Sandbox in Depth, if we use application groups then it will be possible to use mach IPC without acquiring temporary-exception.

This should be able to make apps much easier to get approved.

Close #5350.

@zcbenz zcbenz merged commit e05f795 into master May 18, 2016

8 of 9 checks passed

continuous-integration/travis-ci/pr: The Travis CI build failed
continuous-integration/appveyor/pr: AppVeyor build succeeded
electron-linux-arm: Build #3254281 succeeded in 41s
electron-linux-ia32: Build #3254282 succeeded in 34s
electron-linux-x64: Build #3254283 succeeded in 110s
electron-mas-x64: Build #1215 succeeded in 4 min 59 sec
electron-osx-x64: Build #1217 succeeded in 5 min 54 sec
electron-win-ia32: Build #225 succeeded in 6 min 6 sec
electron-win-x64: Build #220 succeeded in 5 min 46 sec

@zcbenz zcbenz deleted the sandbox-no-expl branch May 18, 2016

@h13i32maru

h13i32maru commented May 18, 2016

super cool!!!

@mmm117

mmm117 commented May 18, 2016

So do I need to update my version of Electron?

@slaskis

slaskis commented May 18, 2016

Thanks for this!

I just tried this out and got this error while uploading to iTunes Connect:

ERROR ITMS-90286: "Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on Mac OS X. Specifically, value '[com.example]' for key 'com.apple.security.application-groups' in 'com.example.pkg/Payload/Example.app/Contents/MacOS/Example' is not supported. This value should be a string or an array of strings, each starting with your TEAMID followed by a dot '.' ."

And according to the docs for the application groups entitlements it seems to be required.

Just changing the entitlement plist to <string>[TEAM_ID].com.example</string> does not work either because then it does not match the bundle id.

Do you think the bundle id should always be prefixed with team id in the app or should the mach bundle id set in this PR also include the team id somehow?

@slaskis

slaskis commented May 18, 2016

Actually I just tested to change the app bundle id to include the team id and it will not be accepted either. I got this error now:

No suitable application records were found. Verify your bundle identifier '[TEAM ID].com.example' is correct.

@slaskis

slaskis commented May 18, 2016

I'm trying now to upload a version where we still use the temporary exception entitlement but with the bundle id:

    <key>com.apple.security.temporary-exception.sbpl</key>
    <string>(allow mach-lookup (global-name-regex #"^com.example.rohitfork.[0-9]+$"))</string>

@zcbenz
Contributor

zcbenz commented May 18, 2016

@slaskis Thanks for trying with it, I will figure out a way to enable people to specify TEAM_ID.

@slaskis

slaskis commented May 18, 2016

Awesome, I couldn't find a reference to the team id in the info.plist so I'm trying to upload a version now that uses a hard coded TEAM_ID.

But I'll let you know how that goes! :)

@bryan-jowers

bryan-jowers commented May 25, 2016

Just was approved by MAS with this update. thanks to all.

@mmm117

mmm117 commented May 31, 2016

@bryan-jowers, did you submit a copy of U.S. Encryption Registration (ERN) approval when submitting your app to MAS?

As mentioned on this page, it seems we need to do it for all Electron built apps:
https://github.com/electron/electron/blob/master/docs/tutorial/mac-app-store-submission-guide.md

Cryptographic Algorithms Used by Electron
Depending on the country and region you are located, Mac App Store may require documenting the cryptographic algorithms used in your app, and even ask you to submit a copy of U.S. Encryption Registration (ERN) approval.

@sethlu
Member

sethlu commented May 31, 2016

Adding an App to an App Group
The com.apple.security.application-groups (available in OS X v10.7.5 and v10.8.3 and later) allows multiple apps produced by a single development team to share access to a special group container. This container is intended for content that is not user-facing, such as shared caches or databases.
In addition, this attribute allows the apps within the group to share Mach and POSIX semaphores and to use certain other IPC mechanisms among the group's members. For additional details and naming conventions, read "Mach IPC and POSIX Semaphores and Shared Memory" in App Sandbox Design Guide.
The value for this key must be of type array, and must contain one or more string values, each of which must consist of your development team ID, followed by a period, followed by an arbitrary name chosen by your development team. For example:

<array>
    <string>DG29478A379Q6483R9214.HolstFirstAppSuite</string>
    <string>DG29478A379Q6483R9214.HolstSecondAppSuite</string>
</array>

The group containers are automatically created or added into each app's sandbox container as determined by the existence of these keys. The group containers are stored in ~/Library/Group Containers/, where is one of the strings from the array. Your app can obtain the path to the group containers by calling the containerURLForSecurityApplicationGroupIdentifier: method of NSFileManager.

@slaskis Seems that com.apple.security.application-groups needs an array, rather than a single string?

Ref: https://developer.apple.com/library/mac/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html
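The entitlement rules quoted above, together with the ITMS-90286 rejection slaskis hit earlier in the thread, can be turned into a pre-upload check. The following is an added example written for this page; it is not Electron's code and not electron-osx-sign's. It reads the Team ID from `codesign -dvv` output (the `TeamIdentifier=` line that tool prints), then verifies that `com.apple.security.application-groups` is a non-empty array whose entries all start with that Team ID and a dot, and that no `com.apple.security.temporary-exception.*` key is left over once the app relies on an app group for Mach IPC. The codesign output, the Team ID `ABCDE12345` and both entitlement plists are constructed for the example.

```python
"""Check a sandboxed macOS app's entitlements before a Mac App Store upload.

Added example for this thread, not Electron's or electron-osx-sign's own code.
Checks encoded here:
  * com.apple.security.application-groups must be an array of strings, each
    beginning with the Team ID followed by a dot (otherwise iTunes Connect
    rejects the upload with ITMS-90286);
  * once the app uses an app group for Mach IPC, no
    com.apple.security.temporary-exception.* key should remain.
The Team ID is taken from `codesign -dvv <app>` output, which prints a
'TeamIdentifier=' line. The sample output and plists below are constructed.
"""
import plistlib
from typing import List, Optional

TEAM_ID_PREFIX = "TeamIdentifier="
APP_GROUPS_KEY = "com.apple.security.application-groups"
TEMP_EXCEPTION_PREFIX = "com.apple.security.temporary-exception."

# Constructed sample of `codesign -dvv Example.app` output (codesign writes it to stderr).
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example
Format=app bundle with Mach-O thin (x86_64)
Authority=3rd Party Mac Developer Application: Example Corp (ABCDE12345)
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=12 files=9
"""


def team_id_from_codesign_output(output: str) -> Optional[str]:
    """Return the Team ID from `codesign -dvv` output, or None if there is none."""
    for line in output.splitlines():
        if line.startswith(TEAM_ID_PREFIX):
            value = line[len(TEAM_ID_PREFIX):].strip()
            # codesign prints 'not set' for unsigned or ad-hoc signed binaries.
            if value and value != "not set":
                return value
    return None


def check_entitlements(plist_bytes: bytes, team_id: str) -> List[str]:
    """Return the problems found; an empty list means the plist passes."""
    ents = plistlib.loads(plist_bytes)
    problems: List[str] = []

    if ents.get("com.apple.security.app-sandbox") is not True:
        problems.append("com.apple.security.app-sandbox is not <true/>")

    groups = ents.get(APP_GROUPS_KEY)
    if not isinstance(groups, list) or not groups:
        problems.append(f"{APP_GROUPS_KEY} must be a non-empty array of strings")
    else:
        for group in groups:
            if not isinstance(group, str) or not group.startswith(team_id + "."):
                problems.append(f"app group {group!r} does not start with {team_id!r} + '.'")

    for key in ents:
        if key.startswith(TEMP_EXCEPTION_PREFIX):
            problems.append(f"temporary exception still present: {key}")
    return problems


# Constructed: the shape that was rejected (single string, no Team ID prefix,
# old sbpl exception still in place).
BAD_ENTITLEMENTS = plistlib.dumps({
    "com.apple.security.app-sandbox": True,
    APP_GROUPS_KEY: "com.example",
    "com.apple.security.temporary-exception.sbpl":
        '(allow mach-lookup (global-name-regex #"^com.example.rohitfork.[0-9]+$"))',
})

# Constructed: the accepted shape, an array with one Team-ID-prefixed entry.
GOOD_ENTITLEMENTS = plistlib.dumps({
    "com.apple.security.app-sandbox": True,
    APP_GROUPS_KEY: ["ABCDE12345.com.example"],
})


if __name__ == "__main__":
    tid = team_id_from_codesign_output(SAMPLE_CODESIGN_OUTPUT)
    for name, data in (("bad", BAD_ENTITLEMENTS), ("good", GOOD_ENTITLEMENTS)):
        for problem in check_entitlements(data, tid) or ["ok"]:
            print(f"{name}: {problem}")
```

On a real build you would feed `check_entitlements` the output of `codesign -d --entitlements :- Example.app` and `team_id_from_codesign_output` the stderr of `codesign -dvv Example.app`, both run after signing, since the entitlements that matter are the ones baked into the signature rather than the plist on disk.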

@slaskis

slaskis commented Jun 1, 2016

@sethlu yeah, needs an array. We only have a single string in the array and it worked great, even deployed an update recently.

@sethlu
Member

sethlu commented Jun 1, 2016

@slaskis nice; thanks for letting us know. 😄 An implementation of this is almost ready on https://github.com/electron-userland/electron-osx-sign. You may be interested in checking it out.

@slaskis

slaskis commented Jun 1, 2016

I saw the discussion, looks great and extracting the team id from the signature is pretty brilliant. We will definitely use that for future versions.
