Apple store connect requests sandbox entitlement for the PCI DriverKit System Extension

Question

Kivg OP

Created Jun ’24

Replies 3

Boosts 1

Participants 2

Hi,

I have a PCI DriverKit System Extension project that our team has tested, and the entitlements are not a problem.

Once we decided to place the project to the Apple Store the review team requested to add "App Sandbox" entitlement to the project. Then I added the entitlement manually to the ".entitlements" file ( I couldn't do that using the Xcode add entitlement section because since it is a driverkit project, the "App sandbox" is not visible in the entitlements page ) and re-packaged the project for distribution. Later on, I saw that the entitlement was removed during the packaging process.

I also tried to add that using the "build settings" page in Xcode (the signing section ), but I had no luck.

I feel like I'm being misled by the review team. Do you know if the "App sandbox" entitlement is applicable to a DriverKit project ?

Answered by ssmith_c in 795041022

reply to the review team and tell them it is an Xcode bug, you're welcome to refer to the bug I filed FB13688443 "Xcode strips App Sandbox entitlement from dext". It would be good if you filed your own bug. Here are my steps to reproduce:

create a new macOS project. observe that the newly-created app target in the project has a .entitlements file. By default, that .entitlements file contains an App Sandbox = YES entry. add a new DriverKit project to the target

observe that the dext target does not have a .entitlements file. Note that this page https://developer.apple.com/documentation/driverkit/requesting_entitlements_for_driverkit_development says “Xcode provides a default entitlements file for every new DriverKit driver you create. “

no, it doesn’t.

Archive the application, then export the archive to a local copy. Use codesign -dvvv —entitlements - <path-to-dext> to dump the entitlements of the dext.

Return to the Xcode project, add a DriverKit capability to the dext target using the + button on the Signing and Capabilities page. This causes a .entitlements file to be added to the dext target, but it doesn’t have an App Sandbox entitlement in it.

This page: https://developer.apple.com/documentation/driverkit/requesting_entitlements_for_driverkit_development says “The default driver entitlements file contains only the DriverKit and App Sandbox entitlements.” But it doesn’t contain any entitlements by default.

In the newly-created .entitlements file for the dext, add two entitlements, one called “Fake-entitlement”, and the App Sandbox entitlement.

Archive the app again, export it to a local copy, and examine the entitlements of the dext now.

App Sandbox is absent, but Fake-entitlement is present.

Boost

Answer 1

ssmith_c OP

Jul ’24

Accepted Answer

reply to the review team and tell them it is an Xcode bug, you're welcome to refer to the bug I filed FB13688443 "Xcode strips App Sandbox entitlement from dext". It would be good if you filed your own bug. Here are my steps to reproduce:

create a new macOS project. observe that the newly-created app target in the project has a .entitlements file. By default, that .entitlements file contains an App Sandbox = YES entry. add a new DriverKit project to the target

observe that the dext target does not have a .entitlements file. Note that this page https://developer.apple.com/documentation/driverkit/requesting_entitlements_for_driverkit_development says “Xcode provides a default entitlements file for every new DriverKit driver you create. “

no, it doesn’t.

Archive the application, then export the archive to a local copy. Use codesign -dvvv —entitlements - <path-to-dext> to dump the entitlements of the dext.

Return to the Xcode project, add a DriverKit capability to the dext target using the + button on the Signing and Capabilities page. This causes a .entitlements file to be added to the dext target, but it doesn’t have an App Sandbox entitlement in it.

This page: https://developer.apple.com/documentation/driverkit/requesting_entitlements_for_driverkit_development says “The default driver entitlements file contains only the DriverKit and App Sandbox entitlements.” But it doesn’t contain any entitlements by default.

In the newly-created .entitlements file for the dext, add two entitlements, one called “Fake-entitlement”, and the App Sandbox entitlement.

Archive the app again, export it to a local copy, and examine the entitlements of the dext now.

App Sandbox is absent, but Fake-entitlement is present.

1

Answer 2

Kivg OP

Jul ’24

Thank you @ssmith_c. I had followed the same steps before the forum post to diagnose the problem, and we both observed the same results. Unfortunately, I am having a hard time explaining this to the App review team. It has been two weeks. I requested code-level support, appeal, and rejection clearance, but these are not working as they should. At this rate, it may take a month for them to admit they are wrong, and a simple sorry shouldn't be an answer to the financial losses caused by the delay of the software to market.

0

Answer 3

Kivg OP

Jul ’24

It has been three weeks, and I've lost faith that they can solve it. The problem that bothers me most is that I couldn't reach/find anyone from the technical level support team who knows about these important concepts.

I know these programming areas are not very popular, but I think they are still important, and you have to keep some people in the support teams who are knowledgeable about these types of projects.

0