Youtube-DL does not run inside sandboxed apps in macOS Catalina

[Jake3231]

Youtube-DL no longer executes when included inside of a sandboxed application in macOS Catalina.

• [NA] I'm reporting a broken site support issue
• I've verified that I'm running youtube-dl version 2019.11.05
• [NA] I've checked that all provided URLs are alive and playable in a browser
• I've checked that all URLs and arguments with special characters are properly quoted or escaped
• I've searched the bugtracker for similar bug reports including closed ones
• I've read bugs section in FAQ

Verbose log

Traceback (most recent call last):
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py", line 174, in _run_module_as_main

macOS 10.15.1 (19B88)
Xcode 11.2 (11B52)

Description

I am developing a macOS application that bundles YouTube-dl, and I've run into a problem when using macOS Catalina. When the App Sandbox is enabled in the app's Xcode project, running YouTube-dl fails with the above error. This behavior did not occur when using macOS 10.14 Mojave. I am aware of a number of security changes in macOS Catalina, though I am not sure what would be causing this.

I downloaded the latest release of Youtube-dl, then included the youtube-dl executable file inside my Mac app bundle, with a .sh extension. I am running the code below:

 let path = Bundle.main.path(forResource: "youtube-dl-2019-11-05", ofType: "sh")
                print(path)
                self.downloadTask = Process()
                self.downloadTask.launchPath = path
                self.downloadTask.arguments = ["-v", "-f \(fileFormat.rawValue)", targetURL]
                self.downloadTask.currentDirectoryPath = downloadDestination

                self.downloadTask.terminationHandler = {
                   ...
                 }
                self.downloadTask.launch()
                self.downloadTask.waitUntilExit()

In order to troubleshoot the issue, I tried to code sign the YouTube-dl executable manually. I also ensured that the Process' currentDirectoryPath was set to a location which was explicitly accessible according to my app's entitlements.

[Jake3231]

@dstftw What new information can I add so that this issue can be addressed?

[owlboy]

@Jake3231 did you ever sort this out?

[Jake3231]

I have not yet solved this issue. I can try this again with the latest updates to YouTube-DL and macOS, though I doubt that will yield a different result.

For now I think that I will be removing the Sandbox from my application, since it it not distributed in the Mac App Store.

[Jake3231]

@owlboy I recently signed up for a WWDC20 lab with an Apple security engineer, who provided a solution to this issue. It turns out that you can resolve this issue by providing a read-only Sandbox exception for the directory /private/etc/apache2/

com.apple.security.temporary-exception.files.absolute-path.read-only : /private/etc/apache2/