I'm running into an issue when attempting to submit my MAS app build. I'm getting the error in the attached picture. Weird thing is, I definitely have the com.apple.security.app-sandbox key set to true in the entitlements these files are being code signed with. I even dug through my temporary files to find the exact entitlement file being passed into the command line by osx-sign and verified it was there. Is there something weird about the packaging process when the app is turned into a .pkg that could somehow strip off these entitlements?
#'App sandbox not enabled' when submitting to Apple Store
You are using osx-sign directly or electron-builder is using it for signing?
I've tried both routes with the same result. This screenshot is through electron-builder though. Which is in turn being called through electron-forge.
Now I'm running into the same issue. Can you please tell me where to find the entitlement file?
And also, can you please post your entitlement file content?
It's in the root directory of my project. Called entitlementsAppStore.plist. The contents look like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.debugger</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
  </dict>
</plist>
I do have another file called entitlements.plist at my root directory as well. I use it for building for distribution outside of the App Store. However, I've pointed my forge config to the entitlementsAppStore.plist version and from what I can tell, it's working properly.
I also know Apple has been having server problems recently. Maybe that's the cause of your issue?
So which method of signing actually worked for you? electron-builder or directly via @electron/osx-sign?
I'm having the following errors now 😦
Asset validation failed (90296) App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.xxxx.xxxxxx.pkg/Payload/xxxxxx.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Helpers/chrome_crashpad_handler", "com.xxxx.xxxxxx.pkg/Payload/xxxxxx.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt", "com.xxxx.xxxxxx.pkg/Payload/xxxxxx.app/Contents/Frameworks/xxxxxx Helper (GPU).app/Contents/MacOS/xxxxxx Helper (GPU)", "com.xxxx.xxxxxx.pkg/Payload/xxxxxx.app/Contents/Frameworks/xxxxxx Helper (Plugin).app/Contents/MacOS/xxxxxx Helper (Plugin)", "com.xxxx.xxxxxx.pkg/Payload/xxxxxx.app/Contents/Frameworks/xxxxxx Helper (Renderer).app/Contents/MacOS/xxxxxx Helper (Renderer)", "com.xxxx.xxxxxx.pkg/Payload/xxxxxx.app/Contents/Frameworks/xxxxxx Helper.app/Contents/MacOS/xxxxxx Helper", "com.xxxx.xxxxxx.pkg/Payload/xxxxxx.app/Contents/MacOS/xxxxxx" )] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app. (ID: 42a95171-8f71-4e27-888e-9ef845660066)
2023-04-19 16:19:04.181 ERROR: Asset validation failed (90237) The product archive package's signature is invalid. Ensure that it is signed with your "3rd Party Mac Developer Installer" certificate. (ID: 64fb18a9-6dc5-4527-9a1d-f80c13de9c82)
Neither, I can't get the submission to be accepted. That's why I made this post. Your second error is because you're using the wrong certificate to finish signing with though. Swap to your "3rd Party Mac Developer Installer" certificate and it should work.
I've the "3rd Party Mac Developer Installer" certificate installed. But still I'm getting this error 😦
It's not enough to have it installed. You also need to set it as the certificate you're using to sign with in your build settings.
inside package.json?
for identity key?
like this
"mas": {
  "provisioningProfile": "build/embedded.provisionprofile",
  "identity": "XXX (XXX)",
  "category": "public.app-category.productivity",
  "type": "distribution",
  "entitlements": "build/entitlements.mas.plist",
  "entitlementsInherit": "build/mas.inherit.entitlements"
}
But "target" should be "pkg", right?
Because we can only upload the pkg format to the Mac App Store via the Transporter app.
Yes, the pkg is generated for the mas target.
Hey! Did anyone manage to successfully ship a Mac app to the Mac App Store? I'm able to successfully code sign and package my build and submit to TestFlight, but the app goes directly to "not available for testing" with no reason. Been stuck on this for a few days now.
@frozen geyser Thank you for the tip. That really helped.
@grim heart I'm stuck at this point now: https://discord.com/channels/745037351163527189/1101502707409354752
If I'm able to resolve my issue, I'll come back and post it here.
Meanwhile we can all help each other and see where we can go with MAS publishing.
@grim heart Can you share your entitlement files please?
I'm using electron-forge which auto generates them for me. (Sure, will share shortly)
Hey! Sorry about the delay, had a busy day. See sample attached; however, please note this is auto-generated when packaging for the mas build using electron-forge.
Did you have any luck with submitting mas builds to the Mac App Store? I'm able to successfully submit to TestFlight with Transporter but the app goes directly into "Not available for testing" status.
I've uploaded the app to TestFlight, but when I download it and open it, it gives me the error I've posted: https://discord.com/channels/745037351163527189/1101502707409354752
Thank you for posting the entitlement file. Did it generate only 1 entitlement file?
And do you know what each one of these keys does?
For example, do we need
<key>com.apple.security.network.client</key>
<true />
if we want our application to access internet?
I've most of these entitlements in place. I'm still reading the documentation for entitlements. Maybe I've missed something.
Yes, only one file that I see in the logs.
I believe for network access
This guide provides information on:
Hey, quick question: for Mac App Store submission we only need code signing, right? We do not need to notarize the app? Or am I mistaken?
@hushed crystal Can you share as well? Want to make sure I'm not missing anything.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <string>XXXXXX.com.xxxx.xxxx</string>
    <key>com.apple.application-identifier</key>
    <string>XXXXXX.com.xxxx.xxxx</string>
    <key>com.apple.developer.team-identifier</key>
    <string>XXXXXX</string>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
  </dict>
</plist>
@grim heart And you have only 1 entitlement file? Can you share the package.json file, where you have the mas and mac settings?
I finished building the application in 1 month, but signing and uploading it to TestFlight is taking more than a month now 🤯