Apple store connect requests sandbox entitlement for the PCI DriverKit System Extension

Hi,

I have a PCI DriverKit System Extension project that our team has tested, and the entitlements are not a problem.

Once we decided to place the project on the Apple Store, the review team requested that we add the "App Sandbox" entitlement to the project. I then added the entitlement manually to the ".entitlements" file (I couldn't do that using the Xcode add-entitlement section, because since it is a DriverKit project, "App Sandbox" is not visible in the entitlements page) and re-packaged the project for distribution. Later on, I saw that the entitlement was removed during the packaging process.

I also tried to add it using the "Build Settings" page in Xcode (the signing section), but I had no luck.

I feel like I'm being misled by the review team. Do you know if the "App Sandbox" entitlement is applicable to a DriverKit project?

Answered by ssmith_c in 795041022

Reply to the review team and tell them it is an Xcode bug; you're welcome to refer to the bug I filed, FB13688443 "Xcode strips App Sandbox entitlement from dext". It would be good if you filed your own bug. Here are my steps to reproduce:

Create a new macOS project. Observe that the newly-created app target in the project has a .entitlements file. By default, that .entitlements file contains an App Sandbox = YES entry. Add a new DriverKit project to the target.

Observe that the dext target does not have a .entitlements file. Note that this page https://developer.apple.com/documentation/driverkit/requesting_entitlements_for_driverkit_development says “Xcode provides a default entitlements file for every new DriverKit driver you create.”

  • No, it doesn’t.

Archive the application, then export the archive to a local copy. Use codesign -dvvv --entitlements - <path-to-dext> to dump the entitlements of the dext.

Return to the Xcode project, add a DriverKit capability to the dext target using the + button on the Signing and Capabilities page. This causes a .entitlements file to be added to the dext target, but it doesn’t have an App Sandbox entitlement in it.

This page: https://developer.apple.com/documentation/driverkit/requesting_entitlements_for_driverkit_development says “The default driver entitlements file contains only the DriverKit and App Sandbox entitlements.” But it doesn’t contain any entitlements by default.

In the newly-created .entitlements file for the dext, add two entitlements: one called “Fake-entitlement”, and the App Sandbox entitlement.

Archive the app again, export it to a local copy, and examine the entitlements of the dext now.

App Sandbox is absent, but Fake-entitlement is present.
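The check in the reproduction steps above (dump the exported dext's entitlements and compare them with what the project's .entitlements file declares) can be scripted so that a packaging step fails loudly when an entitlement is silently dropped. The following is an added example written for this thread, not code from ssmith_c or from Apple. It parses entitlement plists with Python's standard plistlib and reports every key that is present in the source file but missing or changed in the signed binary. The two embedded plists are constructed to mirror the outcome described above (Fake-entitlement survives, App Sandbox does not); the entitlement key names (`com.apple.security.app-sandbox`, `com.apple.developer.driverkit`, `com.apple.developer.driverkit.transport.pci`) are Apple's documented keys, and the `IOPCIPrimaryMatch` value is made up. The optional `read_signed_entitlements` helper shells out to `codesign` on macOS; its use of the `:-` output spec to obtain a bare XML plist is an assumption about the codesign version in use and is not needed to run the comparison on the sample data.

```python
"""Compare a dext's declared .entitlements with the entitlements actually
embedded in the signed/exported bundle, and flag anything that was stripped."""
import plistlib
import shutil
import subprocess
from typing import Any, Dict, Optional

# Apple's documented entitlement key for App Sandbox.
APP_SANDBOX_KEY = "com.apple.security.app-sandbox"

# Constructed sample: the project's .entitlements file after adding
# "Fake-entitlement" and App Sandbox (the PCI match value is made up).
SOURCE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.driverkit</key><true/>
    <key>com.apple.developer.driverkit.transport.pci</key>
    <array><dict><key>IOPCIPrimaryMatch</key><string>0x00001234</string></dict></array>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>Fake-entitlement</key><true/>
</dict>
</plist>
"""

# Constructed sample: what the exported dext reported, as in the thread.
# Fake-entitlement is still there; App Sandbox has been dropped.
SIGNED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.driverkit</key><true/>
    <key>com.apple.developer.driverkit.transport.pci</key>
    <array><dict><key>IOPCIPrimaryMatch</key><string>0x00001234</string></dict></array>
    <key>Fake-entitlement</key><true/>
</dict>
</plist>
"""


def parse_entitlements(data: bytes) -> Dict[str, Any]:
    """Parse an XML entitlements plist into a dict (plistlib also accepts binary plists)."""
    return plistlib.loads(data)


def dropped_entitlements(source: bytes, signed: bytes) -> Dict[str, Any]:
    """Return the entitlements declared in `source` that are absent from, or
    have a different value in, the signed binary's entitlements."""
    declared = parse_entitlements(source)
    embedded = parse_entitlements(signed)
    return {key: val for key, val in declared.items() if embedded.get(key) != val}


def is_sandboxed(signed: bytes) -> bool:
    """True only when the App Sandbox entitlement is present and set to true."""
    return parse_entitlements(signed).get(APP_SANDBOX_KEY) is True


def read_signed_entitlements(bundle_path: str) -> Optional[bytes]:
    """On macOS, dump a signed bundle's embedded entitlements via codesign.
    Assumption: `--entitlements :-` makes codesign print a bare XML plist.
    Returns None when codesign is not available (e.g. when run off-macOS)."""
    if shutil.which("codesign") is None:
        return None
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", bundle_path],
        capture_output=True, check=True,
    )
    return result.stdout


def check_dext(source: bytes, signed: bytes) -> bool:
    """Print a report and return True only if nothing was stripped."""
    missing = dropped_entitlements(source, signed)
    for key, val in missing.items():
        print(f"STRIPPED: {key} = {val!r}")
    if not is_sandboxed(signed):
        print(f"WARNING: {APP_SANDBOX_KEY} is not set on the signed dext")
    return not missing


if __name__ == "__main__":
    # Run the comparison on the constructed samples; prints one STRIPPED line
    # for com.apple.security.app-sandbox and returns False.
    check_dext(SOURCE_ENTITLEMENTS, SIGNED_ENTITLEMENTS)
```

To use it against a real export, pass the bytes of the project's .entitlements file as `source` and the output of `read_signed_entitlements("<path-to-dext>")` as `signed`; a non-empty result from `dropped_entitlements` is the evidence to attach to a bug report or to show the review team.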

Thank you @ssmith_c. I had followed the same steps before the forum post to diagnose the problem, and we both observed the same results. Unfortunately, I am having a hard time explaining this to the App review team. It has been two weeks. I requested code-level support, appeal, and rejection clearance, but these are not working as they should. At this rate, it may take a month for them to admit they are wrong, and a simple sorry shouldn't be an answer to the financial losses caused by the delay of the software to market.

It has been three weeks, and I've lost faith that they can solve it. The problem that bothers me most is that I couldn't reach/find anyone from the technical level support team who knows about these important concepts.

I know these programming areas are not very popular, but I think they are still important, and you have to keep some people in the support teams who are knowledgeable about these types of projects.
