Hi,
I have a PCI DriverKit System Extension project that our team has tested, and the entitlements are not a problem.
Once we decided to place the project on the Apple Store, the review team requested that we add the "App Sandbox" entitlement to the project. Then I added the entitlement manually to the ".entitlements" file (I couldn't do that using the Xcode add entitlement section because, since it is a DriverKit project, "App Sandbox" is not visible on the entitlements page) and re-packaged the project for distribution. Later on, I saw that the entitlement was removed during the packaging process.
I also tried to add that using the "build settings" page in Xcode (the signing section ), but I had no luck.
I feel like I'm being misled by the review team. Do you know if the "App Sandbox" entitlement is applicable to a DriverKit project?
Reply to the review team and tell them it is an Xcode bug. You're welcome to refer to the bug I filed, FB13688443 "Xcode strips App Sandbox entitlement from dext". It would be good if you filed your own bug. Here are my steps to reproduce:
Create a new macOS project.
Observe that the newly-created app target in the project has a .entitlements file. By default, that .entitlements file contains an App Sandbox = YES entry.
Add a new DriverKit project to the target.
Observe that the dext target does not have a .entitlements file. Note that this page https://developer.apple.com/documentation/driverkit/requesting_entitlements_for_driverkit_development says “Xcode provides a default entitlements file for every new DriverKit driver you create.”
No, it doesn’t.
Archive the application, then export the archive to a local copy. Use codesign -dvvv --entitlements - <path-to-dext> to dump the entitlements of the dext.
Return to the Xcode project, add a DriverKit capability to the dext target using the + button on the Signing and Capabilities page. This causes a .entitlements file to be added to the dext target, but it doesn’t have an App Sandbox entitlement in it.
This page: https://developer.apple.com/documentation/driverkit/requesting_entitlements_for_driverkit_development says “The default driver entitlements file contains only the DriverKit and App Sandbox entitlements.” But it doesn’t contain any entitlements by default.
In the newly-created .entitlements file for the dext, add two entitlements, one called “Fake-entitlement”, and the App Sandbox entitlement.
Archive the app again, export it to a local copy, and examine the entitlements of the dext now.
App Sandbox is absent, but Fake-entitlement is present.
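
The check in the last steps can be scripted so the exported dext is compared against the keys requested in its .entitlements file. This is an added example, not code from either post; the function names are hypothetical, the sample plist is constructed to mirror the result described above, and it assumes a macOS version whose codesign supports the --xml option.

```python
import plistlib
import subprocess
import sys

SANDBOX_KEY = "com.apple.security.app-sandbox"

def dump_entitlements(dext_path):
    """Return the XML entitlements plist embedded in the signature (macOS only).
    Assumes codesign accepts --xml when displaying entitlements."""
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", dext_path],
        check=True, capture_output=True)
    return result.stdout

def check_entitlements(xml_bytes, requested_keys):
    """Compare the signed entitlements with the keys the .entitlements file asked for."""
    data = xml_bytes.strip()
    signed = plistlib.loads(data) if data else {}  # unsigned/empty -> no entitlements
    return {
        "sandboxed": signed.get(SANDBOX_KEY) is True,
        "stripped": sorted(k for k in requested_keys if k not in signed),
        "present": sorted(signed),
    }

# Constructed sample: what the exported dext's entitlements look like when the
# custom key survives export but App Sandbox does not.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.developer.driverkit</key>
    <true/>
    <key>Fake-entitlement</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    requested = [SANDBOX_KEY, "com.apple.developer.driverkit", "Fake-entitlement"]
    # With a path argument, inspect a real exported dext; otherwise use the sample.
    xml = dump_entitlements(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    report = check_entitlements(xml, requested)
    print("App Sandbox signed in:", report["sandboxed"])
    print("Requested but stripped:", report["stripped"])
    print("Present in signature:", report["present"])
    sys.exit(0 if not report["stripped"] else 1)
```

Run against the exported copy rather than the build products, since the entitlement is reported as disappearing during archive and export.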