Lucky guess.  This validates my choice to use the inherit permission for all 
but the main .app in the java packager Mac App Store Ready bundler.  What you 
describe is already being done automatically in 8u20.  Now I know it makes a 
difference. Thanks for the update.

—Danno

On Jun 24, 2014, at 10:50 AM, Zach Oakes <zsoa...@gmail.com> wrote:

> It looks like that worked, thanks! I ended up creating a separate 
> entitlements file for jspawnhelper which looks like this:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
> "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <plist version="1.0">
> <dict>
>     <key>com.apple.security.app-sandbox</key>
>     <true/>
>     <key>com.apple.security.inherit</key>
>     <true/>
> </dict>
> </plist>
> 
> 
> On Tue, Jun 24, 2014 at 11:44 AM, Danno Ferrin <danno.fer...@oracle.com> 
> wrote:
> What entitlements did you sign spawnhelper with?  The same as the main app or 
> the inherit permission?
> 
> On Jun 24, 2014, at 9:40 AM, Zach Oakes <zsoa...@gmail.com> wrote:
> 
> > I've successfully shipped Java apps on the MAS using an embedded JRE, but
> > with the stricter signing requirements now in place, I'm having a problem.
> > My script now signs all the binaries, including the JRE's jspawnhelper
> > executable, which my app relies on to spawn new processes via Runtime.exec.
> >
> > The sandboxed app launches correctly, but when it tries launching a new
> > process, I get a dialog saying "OS X needs to repair your Library to run
> > applications". It then fails to spawn the process, and the console says
> > "Sandbox creation failed: Container object initialization failed: failed to
> > get bundleid for app
> > "<snip>/Contents/PlugIns/jdk1.7.0_60.jdk/Contents/Home/jre/lib/jspawnhelper".
> >
> > I can't figure out why it is failing to get the bundleid for jspawnhelper.
> > It is definitely being signed with codesign, and I've tried explicitly
> > setting an --identifier to no avail. I would appreciate advice on how to
> > resolve this.
> 
> 
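
A pre-signing check for the helper entitlements discussed in this thread, as an added example that is not part of the original messages or of the Java packager. It assumes Apple's documented App Sandbox inheritance rule that a child executable carries exactly the `app-sandbox` and `inherit` sandbox entitlements; the function name and the main-app sample are constructed for illustration.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
INHERIT = "com.apple.security.inherit"

# The jspawnhelper entitlements file quoted in the thread above.
HELPER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: a main-app style entitlements set applied to a helper by mistake.
MAIN_APP_PLIST = plistlib.dumps(
    {SANDBOX: True, "com.apple.security.network.client": True}
)


def helper_entitlement_problems(plist_bytes):
    """Return reasons this plist is unsuitable for a sandbox-inheriting helper.

    Hypothetical helper: an empty list means the file holds exactly the two
    sandbox entitlements a spawned child such as jspawnhelper should carry.
    """
    entitlements = plistlib.loads(plist_bytes)
    problems = []
    # Both keys must be present and set to boolean true.
    for key in (SANDBOX, INHERIT):
        if entitlements.get(key) is not True:
            problems.append(f"{key} must be <true/>")
    # Any other sandbox entitlement defeats inheritance for the child process.
    for key in sorted(entitlements):
        if key.startswith("com.apple.security.") and key not in (SANDBOX, INHERIT):
            problems.append(f"unexpected sandbox entitlement {key}")
    return problems


if __name__ == "__main__":
    for name, data in (("helper", HELPER_PLIST), ("main-app copy", MAIN_APP_PLIST)):
        print(name, helper_entitlement_problems(data) or "OK")
```

Run it over each helper's entitlements file before invoking codesign, so a helper signed with the main app's entitlements is caught before submission.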
