Develop Reference

Electron app cannot open any web page when sandboxed

I have an application that consists of two parts: Python (the main app, which works as a server) and Electron ("helper" app, which works as a UI).
I plan to submit it to the App Store, so it's sandboxed.
Right now, I'm testing the sandboxed development-signed build, and I have a problem with it.
Some info about the entitlements and signing:
The Python app is packaged with Py2App (I heard that it's the only possible way to package a Python app for the App Store).
The Python app has com.apple.security.network.client, com.apple.security.network.server, and sandbox entitlements, I sign it using the Mac Development certificate.
The Electron app is packaged with electron-builder and signed with electron-osx-sign (Mac Development certificate, as well).
The Electron app has standard entitlements, I just added the sandbox and security.inherit to its entitlements.
I have generated the development provision profile and embedded it into the app's bundle.
Yes, I know that this architecture is a bad choice for the macOS/App Store, I'm aware of it.
The project is 99% done, and it's just easier for me to somehow overcome this issue, rather than rewriting everything from zero to Swift/Obj-C.
So, when the user clicks on the .APP, this is what happens:
the Python app starts, it creates the server, and finally, launches the Electron.
The problem begins here: the Electron successfully starts but fails to load the server's URL.
I tried to open my server's URL in Chrome and everything works fine.
So this problem is related to the Electron or maybe entitlements.
I also tried to load any other webpages, like google.com, and it still doesn't work, I get the exact same error.
When I load the page (like calling the app.loadURL or changing the window.location.href), these messages get printed out in the Console:
default 13:36:40.749975 +0200 trustd cert[2]: AnchorTrusted =(leaf)[force]> 0
default 13:36:42.903489 +0200 symptomsd rssi (-49) or transmitRate (145.000000) changed on interface en1 for BSSID:b0:95:75:21:bc:d8
default 13:36:50.909786 +0200 symptomsd rssi (-50) or transmitRate (145.000000) changed on interface en1 for BSSID:b0:95:75:21:bc:d8
default 13:36:51.321708 +0200 trustd could not enable test hierarchy: no UAT pinning preferences set
I googled this "no UAT pinning preferences set", and didn't find anything useful.
These messages are always the same, it doesn't matter if I try to open a localhost page or google.com.
I also tried using "fetch" in the Electron's app console, it outputs this error:
>>> await fetch("https://google.com")
---> VM123:1 GET https://google.com/ net::ERR_NAME_NOT_RESOLVED
---> VM123:2 Uncaught TypeError: Failed to fetch
---> at <anonymous>:1:7

I think that this issue is somehow related to security.inherit entitlement.
Maybe when I launch the Electron, Python's entitlements don't get passed to the Electron?
So, Electron doesn't inherit the "com.apple.security.network.client" entitlement and has no right to load any web pages, am I right?
If yes, then how should I properly launch the Electron?
Currently, I tried using the "open" command and an AppleScript, the error stays the same in any case.
Here are the commands I used:
Open:
open "MyPythonApp.app/Contents/MacOS/MyElectronApp.app"
AppleScript:
osascript -e "tell application \"MyPythonApp.app/Contents/MacOS/MyElectronApp.app\" to activate"
I sign the Python app with these entitlements:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleIdentifier</key>
<string>com.abtco.myquickmaclite</string>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.files.downloads.read-write</key>
<true/>
<key>com.apple.security.assets.pictures.read-write</key>
<true/>
<key>com.apple.security.assets.music.read-write</key>
<true/>
<key>com.apple.security.assets.movies.read-write</key>
<true/>
</dict>
</plist>
And the Electron app with these ones:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
</dict>
</plist>
Mac Mini 2012 (macOS 10.13.6)
Python 3.9.1
Electron 16.0.5
Thank you.

React-Native: Why do I get network errors when testing on iOS device

I am developing currently in React Native an app. After testing everything on the simulator I decided to run our app on a physical ios device.
When I try to connect to our API (fetch) I get following error (endless repeat everytime I try to connect):
nw_connection_get_connected_socket 12 Connection has no connected handler
2018-02-19 21:28:59.652134+0100 myApp[12063:4504022] TCP Conn 0x1c016b100 Failed : error 0:61 [61]
Strange thing: If I turn on Remote JS Debugging on my device it works without any problems. I think it works because it is using the connection of my laptop.
Any help would be appreciated.

8 Steps to Get Rid Of Error "nw_connection_get_connected_socket Connection has no connected handler TCP Conn Failed : error 0:61 [61]"
1-Xcode menu -> Product -> Edit Scheme...
2-Environment Variables -> Add -> Name: "OS_ACTIVITY_MODE", Value:"disable"
3-Xcode menu -> product -> clean
4-Xcode menu product -> 'clean build folder' (hold down option key)
5-Install react-devtools: npm install -g react-devtools
6-Run react-devtools: react-devtools
7-In your project, edit node_modules/react-native/Libraries/Core/Devtools/setupDevtools.js by replacing 'localhost' with your development machine's IP address.
8-Build Project - (it will take long time for first time)
This steps for React Native nw_connection Errors, if the problem still occurs; follow the step on the image link (it will hide logs not solve)
image link -->this will hide logs and lets build (if build failing) not solves problem exactly

Is your server HTTPS?
If yes, I'm not sure what the problem is either.
But if not, then you probably haven't added the domain of your server in your iOS app's configuration to enable insecure fetching.
You can add it via Xcode or in the './ios/YOUR_PROJECT_NAME/Info.plist' file.
Part of the info.plist file should look something like this after adding:
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>localhost</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
<key>192.0.2.1:3000</key>
<dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
</dict>

xcodebuild on jenkins

I am getting frustrated with this and will really appreciate any help
We set up jenkins for our CI environment on Mac OSX for building our xcode project. Configured everything with SVn so that it syncs and all but when it comes to build
Code Sign error : There are no valid certificate/private key pairs in the default keychain
Jenkins as far as i know is running under the daemon and i am logged in as myself on that machine so after hours of looking i copied the Iphone Developer Certificates from the login.keychain to the system.keychain too and now get this error . A valid provisioning profile matching the appliacation's IDentifier "MZCZ.... . Icacher" could not be found
So i deleted it
As somebody suggested , I even set up the session create to info.plist too as suggested on here Missing certificates and keys in the keychain while using Jenkins/Hudson as Continuous Integration for iOS and Mac development
Did this too
To keep a compartmentalized keychain for Jenkins/Hudson, I moved the launchctl item from
/Library/LaunchDaemons/org.jenkins-ci.plist
to
/Users/Shared/Jenkins/Home/Library/LaunchAgents/org.jenkins-ci.plist
This is how my launch Daemon org.jenkins-ci.plist looks
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EnvironmentVariables</key>
<dict>
<key>JENKINS_HOME</key>
<string>/Users/Shared/Jenkins/Home</string>
</dict>
<key>GroupName</key>
<string>daemon</string>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>org.jenkins-ci</string>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>/Library/Application Support/Jenkins/jenkins-runner.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>daemon</string>
<key>SessionCreate</key>
</dict>
</plist>
Please help i have run out of options

We just had this problem. You need to add the SessionCreate key, but in your example you forgot to add <true/> after it.

Getting rid of duplicate system keychain in keychain list using jenkins launched as a mac osx slave through a StartupItem

I'm building my iOS projects from a jenkins slave and getting some weird results. If I try to build my project from the command-line as jenkins does it, there are no problems. But jenkins keeps telling me the identity appears more than once in the keychain. The identity is not duplicated, I checked it a lot of times.
I'm launching the jenkins slave as my user (using sudo -u, ps shows the correct user) from a StartupItem. The signing cert, its private key and the WWDR intermediate certificate are deployed into the System keychain because I cannot access the login keychain launching jenkins from the StartupItem.
After digging a little bit through SO and Google I've found that it could be related to something pointed in this question:
Missing certificates and keys in the keychain while using Jenkins/Hudson as Continuous Integration for iOS and Mac development
I have set a command-line step in order to print the list-keychains output and I'm getting the same:
+ security list-keychains
"/Library/Keychains/System.keychain"
"/Library/Keychains/applepushserviced.keychain"
"/Library/Keychains/System.keychain"
But it is not working for me, xcodebuild keeps saying "Certificate identity 'XXXXXX' appears more than once in the keychain" and seems to be related as I have the System.keychain duplicated in the keychain list.
I cannot find a way to leave just one System.keychain into the list, I tried:
Executing a first script using security list-keychains -s in order to change the list w/o luck
Cleaning all the certs and keys and start over again
Resetting the keychains
Creating a dedicated user for the jenkins service trying to avoid any mess from the previous user, but seems to be something more system-wide related
Resetting LS database
Any clues from anyone?
I tried to leave a comment on the previous mentioned question but I'm a newbie, I can't do it and answering doesn't seems polite as I need to ask something, I'm not giving an answer. So any answer through this question would be appreciated. Thanks in advance!
Environment:
OSX Lion 10.7.3
Xcode 4.3
Xcode command-line tools updated
Jenkins ver. 1.456 and up to date plugins.

Currently, it cannot be done using a StartupItem... I've finally managed the problem using a LaunchDaemon based on an answer from the linked SO. This is the LaunchDaemon I'm using:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>GroupName</key>
<string>wheel</string>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>org.jenkins-ci</string>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/java</string>
<string>-jar</string>
<string>/Users/jenkins/work/slave.jar</string>
<string>-noCertificateCheck</string>
<string>-jnlpUrl</string>
<string>https://MySERVER/jenkins/computer/MacOSX/slave-agent.jnlp</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>jenkins</string>
<key>SessionCreate</key>
<true/>
</dict>
</plist>

So I see that keychain list when I run Jenkins from launchctl as a LaunchDaemon. No matter which user I tell launchctl to use when it launches I always only see only those keychains.
To change this behavior I started Jenkins from a launchd plist as a LaunchAgent. Using Jenkins to list the keychains in this instance shows the users Login keychain and System keychain rather than the slightly odd "System,applepushserviced,System" list.

This can also be fixed by opening Keychain Access, Edit, Keychain List and removing the System keychain from the User list. It's still available from System.

Missing certificates and keys in the keychain while using Jenkins/Hudson as Continuous Integration for iOS and Mac development

I'm trying to improve Hudson CI for iOS and start Hudson as soon as system starts up. To do this I'm using the following launchd script:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>Hudson CI</string>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/java</string>
<string>-jar</string>
<string>/Users/user/Hudson/hudson.war</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>user</string>
</dict>
</plist>
This works OK but when xcodebuild, which is started by Hudson, tries to sign an app it fails because it cant find the proper key/certificate in the keychain. However key/certificate pair is there since it's working correct if I start Hudson from command line.
Do you have any ideas why it happens?

I have found a solution giving me access to the regular keychains for my Jenkins user.
Find this plist: /Library/LaunchDaemons/org.jenkins-ci.plist then:
Add the UserName element with a value of jenkins.
Add a SessionCreate element with a value true to the plist file. This gives access to the normal keychains for the user you specified in UserName
Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EnvironmentVariables</key>
<dict>
<key>JENKINS_HOME</key>
<string>/Users/Shared/Jenkins/Home</string>
</dict>
<key>GroupName</key>
<string>wheel</string>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>org.jenkins-ci</string>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>/Library/Application Support/Jenkins/jenkins-runner.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>jenkins</string>
<key>SessionCreate</key>
<true/>
</dict>
</plist>
Then restart the daemon and try running a job in Jenkins that calls security list-keychains. You should no longer see System.keychain as the only entry but the regular login and any custom key chains you might have added to the list of keychains for the "jenkins" user.
With the above setup I am able to use codesigning certificates from a custom keychain on my Jenkins build server. I don't have to install any certificates or keys in my System keychain.

After spending hours and days with this issue I found a fairly easy solution to this. It doesn't matter if you have a distinct username in your launchd configuration as stated above:
<key>UserName</key>
<string>user</string>
The missing certificates and keys have to be on the system keychain (/Library/Keychains/System.keychain). I found this after I setup a jenkins job which executes several security shell calls. The one which's interesting is security list-keychains:
+ security list-keychains
"/Library/Keychains/System.keychain"
"/Library/Keychains/applepushserviced.keychain"
"/Library/Keychains/System.keychain"
That are the keychains jenkins will search the certificates and keys for so they should be there. After I moved my certs there it works. Make sure you also copy the »Apple Worldwide Developer Relations Certification Authority« certificate to the system keychain, otherwise you will see a CSSMERR_TP_NOT_TRUSTED error from codesign.
It is also possible to register more keychains with security list-keychains -s [path to additional keychains]. I haven't tried it but something like security list-keychains -s $HOME/Library/Keychains/login.keychain as a pre-build shell execution in jenkins might work.
EDIT: I've tried to add a user keychain to the search path with -s but I wasn't able to get it to work. So for now, we have to copy our certs and keys into the system keychain.
EDIT^2: Read and use joensson' solution instead of mine, he managed it to access the users keychain instead of just the system keychain.

We had the same problem with a hudson slave started as a launchdaemon on Mac OSX Lion. It worked, when we started the slave with webstart. The only difference we spotted was a different environment variable.
com.apple.java.jvmTask=WebStart
works, if we started the slave without webstart the variable was
com.apple.java.jvmTask=CommandLine.java
We found no way to influence the value upfront. I suggest you create a new node in Hudson, running on the same machine and started by webstart. For starting the slave we use the following launchdaemon configuration:
<?xml version"1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>Label</key>
<string>jenkins</string>
<key>UserName</key>
<string>apple</string>
<key>Program</key>
<string>/usr/bin/javaws</string>
<key>ProgramArguments</key>
<array>
<string>-verbose</string>
<string>-wait</string>
<string>http://<hudson-hostname>:8080/computer/<node-name>/slave-agent.jnlp</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
<key>WorkingDirectory</key>
<string>/Users/apple</string>
</dict>
</plist>

Adding this since I had the same problem, but none of these solutions worked for me.
My problem was that my signing certificate had expired. After the update, xcode and running xcodebuild manually worked fine, BUT Jenkins could not sign the app.
Here is how I fixed it:
Look into Keychain and search for the key. For some reason that I don't understand I had multiple results.
Make sure that the private key is in the System level (if it isn't then drag and drop it to the System icon on the left.

We faced exactly the same issue on Lion as well as on SnowLeopard. We had to start a Tomcat/Hudson with xcodebuild jobs as a service. While starting from command line, the xcodebuild could access the login.keychain to use the certificate contained. But after reboot of the box, the login.keychain wasnt visible to xcodebuild and therefore the signing failed.
Since we needed to provide our company certificate by a keychain, the system keychain wasnt an option. Instead, we solved the issue by a simple workaround. We removed the user name, so that the launch daemon launches the process under root.
<plist version="1.0">
<dict>
<key>Label</key>
<string>${LAUNCH_LABEL}</string>
<key>Disabled</key>
<false/>
<key>RunAtLoad</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>${INSTALL_DIR}/start.sh</string>
</array>
<key>StandardOutPath</key>
<string>${INSTALL_DIR}/tomcat-stdout.log</string>
<key>StandardErrorPath</key>
<string>${INSTALL_DIR}/tomcat-stderr.log</string>
</dict>
</plist>
The launch daemon called a simple script (start.sh), simulation a full login and running the program wanted
su -l username -c program
Now, even after booting, the xcodebuild can access the login.keychain. This works on Snow Leopard too, but, if you close the user specific login.keychain in a parallel session (like vnc login/logout) the keychain gets lost. Lion behaves different. Seems that Lion decouples the keychain from the user and assigns it to a login-session.

You could try my Jenkins.app, https://github.com/stisti/jenkins-app, an alternative way to run Jenkins. It runs Jenkins in the user session, so Keychain access is not a problem.

I faced the same problem, and tried changing the user name in /Library/LaunchDaemons/org.jenkins-ci.plist as described in one of the other posts. However, it still did not work, and some obscure NullPointerException did not help me identify the problem. Therefore, I would just share my solution: I had to also change the owner of the JENKINS_HOME directory (defined in org.jenkins-ci.plist as well):
chown -R myBuildUser /Users/Shared/Jenkins
myBuildUser is the user that has the certificates installed, and this is the user that I specified in the plist file.
This solution was quite obvious when I finally realized it - but it took me a couple of hours to find out about this, so hopefully this post can save the time for somebody else :-)

To keep a compartmentalized keychain for Jenkins/Hudson, I moved the launchctl item from
/Library/LaunchDaemons/org.jenkins-ci.plist
to
/Users/Shared/Jenkins/Home/Library/LaunchAgents/org.jenkins-ci.plist
And that allows me to access the private keychain created for Jenkins.

Adding
SessionCreate
and setting lots of certificates to 'always trust' in keychain manager
worked for me with buildbot started from plist... but at some point, codesign started failing
with CSSMERR_TP_NOT_TRUSTED. I recovered by setting the iPhone Distribution cert to 'use system defaults' in keychain manager. Even after a reboot, without logging in,
the buildbot slave was then able to sign code, whew.

For Manual Signing Move your certificate from login to System in keychain. Login not accessible during archive and generating iPA.