Mac App Store Build Sandbox Help!


I have my app created, signed and ready to go. I keep receiving deny file-read-data from console when I run the app after signing it and using it in the sandbox. I know the reason behind this, but don’t understand it. I am using node to create a data.json file to hold a specific cookie inside the userData folder within electron. I can build the app and I am able to read and write from that file, no problem, but as soon as I sign the app and try to run it, I run into the deny file-read-data within the console. I was able to log the path where the file should be when the app is signed and it is inside the app’s container. So my question is, why cannot my app communicate with its own container? Thanks in advance for the help!

-Alec Dilanchian


I updated your title because at first (despite being a Mac user) I didn’t know what MAS referred to :laughing: I hope you don’t mind!


haha! Learn something new everyday, eh? Thanks for that!


This has been resolved!
One critical component I forgot was to check to see if the .json file even existed before I started trying to read and write to it. Everything is now functional in sandbox.


Hi, sorry to bother you. I came across an MAS signing issue: I don’t know whether it’s a issue in electron or in my signing script. Do you have any idea? I’m very appreciate for you help!


Hey @mecee,

I actually ended up using a mix of Electron’s MAS guide and nw.js’s guide. I first package the app using electron-packager and then move it into a folder that has my signing script. Here is the script I use to sign my app:

export APP_NAME=(App Name Goes Here) export IDENTITY=(Key for Certificate goes here) export PARENT_PLIST=/Path/To/Parent_plist export CHILD_PLIST=/Path/To/Child_plist export APP_PATH=/Path/To/.app export APP_DIR=/Path/To/DIR/That/Holds/.app

codesign --deep -s $IDENTITY --entitlements $CHILD_PLIST $APP_PATH"/Contents/Frameworks/$APP_NAME"

codesign --deep -s $IDENTITY --entitlements $CHILD_PLIST $APP_PATH"/Contents/Frameworks/$APP_NAME Helper"

codesign --deep -s $IDENTITY --entitlements $CHILD_PLIST $APP_PATH"/Contents/Frameworks/$APP_NAME Helper"

codesign --deep -s $IDENTITY --entitlements $PARENT_PLIST $APP_PATH

cd $APP_DIR && productbuild --component "$" /Applications --sign $IDENTITY "$APP_NAME.pkg"

I’m signing all my helper apps before I sign the .app. Then I take it and make a .pkg which throws it into the dir where the original package originates.

Just make sure you have the correct entitlements for your app. It can be a real pain. Before submitting I would suggest making sure it works within the Sandbox.

Good luck and I hope this helps!



Hey, can you post what your entitlement files are? I’ve tried both the electron entitlements, as well as the NWJS entitlements, your signing script, electron-packager with the --osx-sign parameters (specifying parent and child entitlements, identity, etc). and I cannot get the damn thing to sign properly. The MAS build crashes (sandbox errors, despite what the entitlements say) and spctl -a -vvvv --raw rejects the package bundle as not signed and gives this completely useless information:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

This is with Electron 1.1.0 on OS X 10.11.4. These “error” messages are about as useless as one can get. I’ve been trying to sign this thing over 3 days now, and have made zero progress.

More googling has revealed:

spctl passes now, using the Developer ID identity, NOT Mac Third Party Developer identity.

The app still fails to load with sandboxd[154]: ([9703]) MyApp Helper(9703) deny forbidden-sandbox-reinit

Edit. Finally got this thing to work. Took pretty much every single combination of everything on the internet, ever.

Package with electron-package. Do not use the --osx-sign option, use the following script (and entitlements) instead:

Note that of course, this script won’t actually work in generating the .pkg. Remove the - sign option in the productbuild command, because of course this has be different. You’ll create the .pkg, which you then need to sign with productsign which is fairly self explanatory. <- this of course proved to be untrue. The package will get created. It’ll install the application. And then the app just displays a white screen, no errors in the console. spctl -a -v --raw --type install App.pkg fails with the rejected error.


Hey jpittner,

Glad you got it working! I had the same experience when I was dealing with it… It was difficult to track down the information needed. Good luck with submitting it to the App Store!


I’ve got no idea what to try now. The .app signs and verifies fine (using Developer ID, using the 3rd Party Mac Developer certs doesn’t work at all) but I can’t package it. I mean, I can, but spctl fails to verify it with any of the identities. I’ve tried using productbuild --sign, productbuild without the signing, then signing with productsign, all seem to create the pkg without error, but then fail spctl verification. The pkg will even run, and install, on a test mac, but the install will finish (with no errors, application successfully installed it says) and the app won’t actually be in the /Applications directory. When it was signed (but failed the cpctl -a -v --type install) it would install the app, I could load it up and the result would be a blank window, but no errors in the console.

So then I tried creating a Project with xcode, because maybe those tools will give me some useful errors. I put the newly created project in the same folder with my signed .app, then run the Archive process. This finds my .app, tells me that there are no entitlements in it (and that the executable should be sandboxed), and that it’s missing the 2x icns file. It then of course tells me that the process has failed, due to a general error. So no help there.

– edit:

The installer was failing as I didn’t have the Developer ID Installer cert installed. So, I go back to the page, request the cert, download that, add it to the keychain, and lo and behold, I can run productbuild with the --sign option, and spctl is happy - output is myapp.pkg: accepted source=Developer ID. Double click the pkg on my test machine, and it installs. Or claims to. Says the program was successfully installed, but nothing added to the Applications directory. sigh. Okay, let’s try again. productbuilt, this time without the --sign option, let’s use productsign to do that. Pkg created, signed, send it over to test machine, amazing - the app is now actually installed. Let’s load it up. Blank screen. Console has no errors. Well this is peculiar. Let’s try something, let’s tar this up and check if it’s still signed properly after the install. Hm, errors during the tar. I don’t have permission to access files. The installer wanted me to type in a password when installing, and looks like all the files are owned by root. chgrp to admin, and the app works. Looks like Electron will just sit there and not spit out any errors if it can’t access the files.

chmod -R 755 on the app files (prior to packaging them) address the file permissions, at least.