
thomeven

macrumors newbie
Original poster
Apr 17, 2016
3
0
I have developed an application for OSX 10.11 as a GUI to the rsync command-line tool. There are two versions of the application: one is released by MacUpdate, the other by the Apple App Store. The rsync command-line tool might be used through ssh and passwordless logins (by private/public key pair).

The MacUpdate version of my application is working as expected. But the Apple App Store installed version does not. Both applications are used by the same user. The Apple App Store installed version complains about "..Host key verification fail..".

Both applications use the same code; the only difference is how they are installed. The application is using rsync to do the actual transfer of files...

http://rsyncosx.blogspot.no/

My knowledge of ssh is limited and I don't know where to search for a solution.

Anyone?
 

thomeven

macrumors newbie
Original poster
Apr 17, 2016
3
0
I might have found out why. I think it is because the application is forced to be executed inside Apple's sandbox technology (when released from the Apple App Store)... And getting ssh keys to work inside a sandbox container is not easy (as far as I can understand)...
 

mag01

macrumors regular
Apr 10, 2011
150
47
Yes, I was going to point to the sandboxing but you answered yourself already.

Regarding giving the sandboxed app the required permissions, normally you could use the temporary exception entitlements for that:
https://developer.apple.com/library...s.html#//apple_ref/doc/uid/TP40011195-CH5-SW1
at minimum com.apple.security.temporary-exception.files.home-relative-path.read-only for the /.ssh/ path will be required, or perhaps, if you want to give your application the opportunity to write the remote host key into the ~/.ssh/known_hosts file, then also com.apple.security.temporary-exception.files.home-relative-path.read-write for the /.ssh/known_hosts path.

However, since you intend to publish that application via MAS, it would most likely be rejected by Apple with such entitlements. Fortunately there's another method available, but that can be used only in OS X 10.7.3+. It's called security-scoped bookmarks, from which you can use the app-scoped bookmark subset:
https://developer.apple.com/library....html#//apple_ref/doc/uid/TP40011183-CH3-SW16
That will also require adding some entitlement, this time com.apple.security.files.bookmarks.app-scope
https://developer.apple.com/library....html#//apple_ref/doc/uid/TP40011195-CH4-SW18
but that one shouldn't be a problem for MAS approval.
 

thomeven

macrumors newbie
Original poster
Apr 17, 2016
3
0
Thank you very much for pointing out resources for reading about sandbox issues. I will check and test if there might be a solution or workaround for my application. There are some other options, such as passing a password to rsync (--password-file=FILE); it might be a solution as well. The --password-file option requires rsync to talk to an rsync daemon on the server, I believe.
Thanks for replying to my question.
 