I have been able to sandbox my two image editing apps, one using sips and the other CS5 Photoshop, thanks to security-scoped bookmarks. I can post code if anyone needs help with that part of the sandbox routine.
All has been working well on 10.7.4 and the sips version works great on Mountain Lion so far with no sandbox errors showing in the console. The Adobe Photoshop version on 10.8 is throwing an error:
adobe photoshop CS5 got an error: A privilege violation occurred.
There are no sandbox errors showing in the log and the same code on 10.7.4 works perfectly. I also tried a plain AppleScript with the same call to Photoshop and that works fine.
tell application id "com.adobe.Photoshop"
    --tell application "Adobe Photoshop CS5" (this also throws the error)
    launch
    open file openPath showing dialogs never
    --a lot more code..
end tell
It throws the error right after the “tell application.”
Since AppleScript is working I am thinking it must be sandbox related, or ASOC/Photoshop related.
In my other app it passes the POSIX path to sips and it all works fine so I think I am stuck at this point. It doesn’t seem to allow the HFS path to be the user-chosen path passed in to Photoshop. I’ve spent a week getting this working and fear the worst now. I submitted a tech request since there is very little online about AppleScript and sandbox.
I have also noticed I am getting several warnings on launch indicating the app is not allowed to read the script file (in resources)
These don’t seem to cause problems but it seems odd that it gets upset at the app loading its own script class. Has anyone actually sandboxed an ASOC app yet out there? And did you see any of these issues?
tell application id "com.adobe.Photoshop"
    open file ImagePath showing dialogs never
end tell
After playing in the sandbox for way too long, and a talk with tech support, it doesn’t seem possible to sandbox an app that has another app open a file, at least with my tests with Adobe apps and TextEdit via apple events. You can gain access to files through open/save and then that file becomes part of your container. But then, another app won’t have permission to open it.
I thought that by setting an entitlement for the app, it would be allowed access but apparently not, at least not in OS 10.8.
These containers kind of remind me of gated communities. Give me some fresh air.
No, and I have 2 apps in the App Store. I got them done before sandbox was required. I don’t know if I will even attempt to update them ever. Since they drive InDesign, it was too much of a pain to even contemplate sandbox; even if I did it would probably require one of those “special exemptions”. If I turned on any sandboxing, nothing worked (that was in Lion).
But I’ve decided I’m gonna be a luddite and stick with Snow Leopard for as long as possible at home. There are no things in L/ML that I desired to use. Except if they ever drop SL from running iTunes and new phones/pads won’t work; maybe.
FWIW, one of my ASOC image apps is now sandboxed and accepted in the App Store. So it is possible but very limited.
It took 3 rejections and resubmissions - I guess I did it just to see if it was possible.
The other app uses Photoshop to do the image stuff and was rejected. From what tech support told me, you can’t have another app accessing your chosen files within your sandbox. But this one uses sips (another app) to do just that. But sips is working via “do shell script” whereas Photoshop was via Apple events and that seems to definitely not work. I did a test with TextEdit and no deal there either. So it may not be possible to use Apple events to control other apps in the sandbox at all, at least where files are involved.
They told me I couldn’t use a temporary entitlement for com.apple.finder so forget about basic AS finder stuff. Luckily there is almost always a foundation equivalent in ASOC. So the temporary entitlements they will pick at. They did allow com.apple.imageevents…
I couldn’t specify any particular directories such as /Desktop/ for temporary file entitlements. All open and save must be done at run time via drag and drop or open/save. I used security scoped bookmarks to save source and destination paths to disk and they seem to retain their privileges after relaunch which is kind of cool.
I expected them to reject on the console errors (in previous listing) denying read/write for the AS scripts themselves in the bundle. But they didn’t? An oversight? I did start to get the feeling that it could depend on who reviews your app if they accept certain things or your explanation of what should be allowed for a given use.
Well, I was wrong about ASOC and sandbox when trying to open a file with another app. It works!
Developer Tech person told me that the error I was getting from Photoshop meant you couldn’t “tell” Photoshop to open a file of your choosing since another app wouldn’t have permission to open a file which belongs to your container.
We went back and forth a few times. Then I remembered seeing an example of the entitlements for using image events and the entitlement was all lowercase, com.apple.imageevents.
I had entered bundle id com.adobe.Photoshop which is of course the name of the plist file in Preferences. I tried com.adobe.photoshop instead and now everything works perfectly inside sandbox. As long as the user picks the file, or drags it in to select it, you can pass that to Photoshop or TextEdit or whatever app for opening and can also save the file to a location which also has to be user selected or from save dialog etc. I added security-scoped bookmarks which save the URLs for the next launch and they retain their container status.
So it actually is pretty easy to sandbox an ASOC app and use Apple events to work with other apps. So always lowercase on your entitlement strings!
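A pre-submission check for the mistake described in the last post, added here as an example and not part of the original thread: it parses an entitlements plist and reports Apple-events targets that are not lowercase, plus missing sandbox keys the thread's workflow relies on. The sample plist is constructed, and the choice of required keys (standard App Sandbox entitlement names, not quoted in the thread) assumes read-write user-selected access and app-scoped bookmarks.

```python
import plistlib

# Standard App Sandbox entitlement keys; the thread itself only names the
# bundle ids, so treating these three as required is an assumption.
APPLE_EVENTS = "com.apple.security.temporary-exception.apple-events"
REQUIRED = (
    "com.apple.security.app-sandbox",
    "com.apple.security.files.user-selected.read-write",
    "com.apple.security.files.bookmarks.app-scope",
)

# Constructed sample: an entitlements file with the mixed-case bundle id
# that the thread reports as failing on 10.8.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.files.user-selected.read-write</key><true/>
    <key>com.apple.security.temporary-exception.apple-events</key>
    <array>
        <string>com.adobe.Photoshop</string>
        <string>com.apple.imageevents</string>
    </array>
</dict>
</plist>
"""

def lint_entitlements(data: bytes) -> list[str]:
    """Return human-readable findings for a sandbox entitlements plist."""
    ent = plistlib.loads(data)
    findings = []
    for key in REQUIRED:
        if ent.get(key) is not True:
            findings.append(f"missing or false: {key}")
    targets = ent.get(APPLE_EVENTS, [])
    if isinstance(targets, str):  # tolerate a single string value
        targets = [targets]
    for target in targets:
        if target != target.lower():
            findings.append(
                f"apple-events target not lowercase: {target} -> {target.lower()}"
            )
    return findings

if __name__ == "__main__":
    for finding in lint_entitlements(SAMPLE):
        print(finding)
```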