Signing a Sandbox app in OSX

posted in: Development | 762

Last week we learnt how to convert a jar file into an app for OSX, and also how to sign this app for the Gatekeeper. Now we’re going to finish this tutorial learning how to sign in Sandbox. Hope we help you with these annoying tasks!

Remember that you’re going to need a Sandbox version to publish in the App Store. First of all, you have to prepare an Entitlements file. What is this? It’s a plist file that includes the permissions we want our app to use. Here you have the list.

And a sample of how the file must be:

[xml]<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">

<plist version="1.0">










As you can see, those are mostly pairs of keys with a boolean value, telling us the permission we want to use in our app. It depends on each developer to know which keys the app has to use. You must be careful with this, it could be errors if you make a wrong use of certain keys. Also, those errors are silent: we’ll sign our app but we’ll see that it doesn’t run correctly. In these moments is very important to know how to use the OSX console.

In our case, our file was called Entitlements.entitlements (yes, although it’s a plist on the inside, you can use the .entitlements ext), and we put it in the same directory than our app.

On the other hand, our app may not be pointing to the Sandbox folder that OSX usually asign to apps, which are the type “/Library/Containers/”; if that’s your case, then AppBundler has some methods (“getters”) to save the correct directories for Sandbox:


Although our app is going to be converted into Sandbox by default, the assistant files (in our case, the savegame file) may not be saved into the Sandbox folders, which leads to a direct crash of our app once we try to open the file.

Inside our code, using the AppBundler properties, we must redirect any directory outside Sandbox to its folders. For instance:

if (System.getProperty("SandboxEnabled"))

myapp.savegameDir = System.getProperty("DocumentsDirectory") + “/savegameFile”

Once we’ve done this, we create the certificate in the same way we did earlier, but this time using the Mac App Store production certificate. We choose whether we want to create just the app or an install package, which must be signed too.

After that, we just have to sign into the Terminal:

[bash]codesign -v -f -s "3rd Party Mac Developer Application: My company (company code)" –entitlements "Entitlements.entitlements" "My"[/bash]

If we finally decide to add the jdk or jre inside our app, we recommend you to sign all the exes it includes. In this case, we do it this way:

[bash]find "my" -type f ( -name "*.jar" -or -name "*.dylib" ) -exec codesign –verbose -f -s "3rd Party Mac Developer Application: My company (company code)" –entitlements "Entitlements.entitlements" {} ;[/bash]

To create an install package and to sign it, we use the following code:

[bash]productbuild –component "my" /Applications –sign  "3rd Party Mac Developer Application: My company (Company code)""My package name.pkg"[/bash]

Given this, we already have everything we need to present our app in iTunes Connect and upload it with the Application Loader. Hooray!

If you encounter any other problems, we recommend you this:

-Search any error message in Google (yes, that seems obvious, but not everybody follow this simple rule)

-Use Apple documentation, it’s very helpful and have a lot of answers in many given scenarios

-Have the console always open (not the Terminal: the application that shows us the whole log)

762 Responses