Bug 39958 - Xcode does Ad Hoc signing if signing not enabled when sandboxing while XS does not support this behavior
Summary: Xcode does Ad Hoc signing if signing not enabled when sandboxing while XS doe...
Alias: None
Product: Xamarin.Mac
Classification: Desktop
Component: Other ()
Version: 2.4.1 (C6SR1)
Hardware: Macintosh Mac OS
: Low normal
Target Milestone: ---
Assignee: Bugzilla
Depends on:
Reported: 2016-03-29 02:33 UTC by Jon Goldberger [MSFT]
Modified: 2016-09-26 22:03 UTC (History)
5 users (show)

Is this bug a regression?: ---
Last known good build:

XM and XCode test projects (384.26 KB, application/zip)
2016-03-29 02:33 UTC, Jon Goldberger [MSFT]

Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.

Please join us on Visual Studio Developer Community and in the Xamarin and Mono organizations on GitHub to continue tracking issues. Bugzilla will remain available for reference in read-only mode. We will continue to work on open Bugzilla bugs, copy them to the new locations as needed for follow-up, and add the new items under Related Links.

Our sincere thanks to everyone who has contributed on this bug tracker over the years. Thanks also for your understanding as we make these adjustments and improvements for the future.

Please create a new report for Bug 39958 on Developer Community or GitHub if you have new information to add and do not yet see a matching new report.

If the latest results still closely match this report, you can use the original description:

  • Export the original title and description: Developer Community HTML or GitHub Markdown
  • Copy the title and description into the new report. Adjust them to be up-to-date if needed.
  • Add your new information.

In special cases on GitHub you might also want the comments: GitHub Markdown with public comments

Related Links:

Description Jon Goldberger [MSFT] 2016-03-29 02:33:25 UTC
Created attachment 15539 [details]
XM and XCode test projects

## Description

I can follow this Apple guide for App Sandboxing, and App Sandboxing works without even signing the app:

Open and launch the attached XCode app test project, which has Sandboxing selected but not Outgoing internet connection permissions. And signing is selected as "None". When you launch the app you won't see Apple's website in the window that is opened as the Sandboxing is blocking access. Also a Container is created for the app in ~/Library/Containers confirming sandboxing is working. 

However doing the same with a XM app, if you enable Sandboxing in the Entitlements.plist, it has no effect. The app is not sandboxed. It seems you do need to sign and provision the app for sandboxing to work. If you sign it with an identity but do not have a provisioning profile, the app will not launch with a native exception about code signing failure. 

## Steps to reproduce

1. Open and launch the XCode project.

Expected result: Apple's web page will not show in the WebView due to sandboxing and not explicitly allowing client network access. 

Actual result: As expected.

2. Open and launch the XM project.

Expected result: Apple's web page will not show in the WebView due to sandboxing and not explicitly allowing client network access. 

Actual result: Apple's web page does show in the WebView indicating that sandboxing is not working. 

## Notes

Additionally you can look in ~/Library/Containers and see a container was created for the XCode app but not for the XM app. 

## Environment

=== Xamarin Studio ===

Version 5.10.3 (build 27)
Installation UUID: 964c531b-d928-456b-a9ae-e1f82266b360
	Mono 4.2.3 (explicit/832de4b)
	GTK+ 2.24.23 (Raleigh theme)

	Package version: 402030004

=== Xamarin.Profiler ===

Version: 0.32.0
Location: /Applications/Xamarin Profiler.app/Contents/MacOS/Xamarin Profiler

=== Apple Developer Tools ===

Xcode 7.3 (10183.3)
Build 7D175

=== Xamarin.iOS ===

Version: (Business Edition)
Hash: d7cac50
Branch: master
Build date: 2016-03-21 20:13:04-0400

=== Xamarin.Android ===

Version: (Business Edition)
Android SDK: /Users/apple/Library/Developer/Xamarin/android-sdk-mac_x86
	Supported Android versions:
		4.0.3 (API level 15)
		4.1   (API level 16)
		4.2   (API level 17)
		4.3   (API level 18)
		4.4   (API level 19)
		5.0   (API level 21)
		5.1   (API level 22)
		6.0   (API level 23)

SDK Tools Version: 24.4.1
SDK Platform Tools Version: 23.1
SDK Build Tools Version: 23.0.3

Java SDK: /usr
java version "1.7.0_79"
Java(TM) SE Runtime Environment (build 1.7.0_79-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.79-b02, mixed mode)

Android Designer EPL code available here:

=== Xamarin Android Player ===

Version: 0.6.5
Location: /Applications/Xamarin Android Player.app

=== Xamarin.Mac ===

Version: (Business Edition)

=== Xamarin Inspector ===

Hash: 45b35bb
Branch: master
Build date: Thu Jan 14 18:53:32 UTC 2016

=== Build Information ===

Release ID: 510030027
Git revision: 8dc6bca63f5cd93719a093973e74de6999864193
Build date: 2016-03-17 17:13:33-04
Xamarin addins: 45239909442742bdee83a0c0f77eecb8a08bedfa
Build lane: monodevelop-lion-cycle6-c6sr2

=== Operating System ===

Mac OS X 10.11.4
Darwin Jons-iMac.local 15.4.0 Darwin Kernel Version 15.4.0
    Fri Feb 26 22:08:05 PST 2016
    root:xnu-3248.40.184~3/RELEASE_X86_64 x86_64
Comment 1 Jon Goldberger [MSFT] 2016-03-29 02:36:19 UTC
Also note:

I do realize that our guide on App Sandboxing [1] does say to provision the app, but I am filing this due to the different behavior in XCode vs XS/XM. 

[1] https://developer.xamarin.com/guides/mac/application_fundamentals/sandboxing/
Comment 2 Chris Hamons 2016-04-12 13:21:40 UTC
So, actually Xcode is doing some sort of code signing, even in your example:

$ codesign -dv /Users/donblas/Downloads/testProjects/XCodeSandboxingTestProject/DerivedData/testSandboxingWihtoutSigning/Build/Products/Debug/testSandboxingWihtoutSigning.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=410 flags=0x2(adhoc) hashes=5+5 location=embedded
Info.plist entries=22
TeamIdentifier=not set
Sealed Resources version=2 rules=12 files=4
Internal requirements count=0 size=12

$ codesign --verify --deep --verbose=2  /Users/donblas/Downloads/testProjects/XCodeSandboxingTestProject/DerivedData/testSandboxingWihtoutSigning/Build/Products/Debug/testSandboxingWihtoutSigning.app
/Users/donblas/Downloads/testProjects/XCodeSandboxingTestProject/DerivedData/testSandboxingWihtoutSigning/Build/Products/Debug/testSandboxingWihtoutSigning.app: valid on disk
/Users/donblas/Downloads/testProjects/XCodeSandboxingTestProject/DerivedData/testSandboxingWihtoutSigning/Build/Products/Debug/testSandboxingWihtoutSigning.app: satisfies its Designated Requirement

ls /Users/donblas/Downloads/testProjects/XCodeSandboxingTestProject/DerivedData/testSandboxingWihtoutSigning/Build/Products/Debug/testSandboxingWihtoutSigning.app/Contents/
Info.plist     MacOS          PkgInfo        Resources      _CodeSignature

Note the _CodeSignature directory as well..

And from the build log:

CodeSign DerivedData/testSandboxingWihtoutSigning/Build/Products/Debug/testSandboxingWihtoutSigning.app
    cd /Users/donblas/Downloads/testProjects/XCodeSandboxingTestProject
    export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
Signing Identity:     "-"

    /usr/bin/codesign --force --sign - --entitlements /Users/donblas/Downloads/testProjects/XCodeSandboxingTestProject/DerivedData/testSandboxingWihtoutSigning/Build/Intermediates/testSandboxingWihtoutSigning.build/Debug/testSandboxingWihtoutSigning.build/testSandboxingWihtoutSigning.app.xcent --timestamp=none /Users/donblas/Downloads/testProjects/XCodeSandboxingTestProject/DerivedData/testSandboxingWihtoutSigning/Build/Products/Debug/testSandboxingWihtoutSigning.app

Now it is true that Xcode lets you do this without explicitly setting up the signature (it appears to be doing some Ad Hod thing). I'll keep the bug around for that.
Comment 3 Jon Goldberger [MSFT] 2016-04-12 20:12:40 UTC

The reporting customer points out that XCode does not require a Provisioning profile, but Xamarin studio does when enabling the app Sandbox. So apologies that my description was not more accurate.
Comment 4 Chris Hamons 2016-04-12 20:27:49 UTC
@Jon - Yep. It is a limitation on our end that we don't support this use case. I was just noting that _somebody_ was doing the signing for them.