There is a lot of discussions around the upcoming sandboxing requirement for all the Mac App Store published applications.

There were several publications on the subject with sometimes very elaborate discussion:

These articles lead me to wondering:

  • Apple is going to enforce sandboxing on third-party applications, but what about Apple's own applications ?
  • Sandboxing is said to be a work in progress; the current entitlement keys are sparse and most of the time, developers relies on temporary exceptions to keep their application fully functional. Is there anything in Apple's applications that give a clue of possible entitlement keys ?

So, I decided to take my Terminal and play with the codesign tool. This tool is very useful because if can sign binaries (obviously), but it can also print what is contained in the signature (certificate chain, requirements, entitlements). So I ran it on my Application folder.

cd /Applications
find . -type d -name "*.app" -exec echo {} \; -exec codesign -d --entitlements - {} \;

Here are the applications that contain entitlements (as on 2011-11-06). I have indicated if they mandate the use of sandbox:

  • Address Book
  • App Store
  • FaceTime
  • Font Book
  • Preview (SANDBOXED)
  • TextEdit (SANDBOXED)
  • Activity Monitor
  • Boot Camp Assistant
  • RAID Utility
  • iCal
  • PhotoStreamAgent (in iPhoto)
  • iTunes

Here are the key points:

  • All the Apple applications are signed
  • Only a few of them contain entitlements
  • Only two of them are sandboxed

Digging further into the entitlements, I found:

  • Preview is actually using a temporary entitlement key for global Mach lookup. So don't be shy using them into your applications !
  • A bunch of private entitlement keys: they may be migrated to public entitlement keys as they seems generic.

And finally, here are the private entitlement keys I found:

  • com.apple.private.aps-connection-initiate: it seems related to iCloud, as applications like Address Book, FaceTime, iCal, iTunes and iPhoto (PhotoStreamAgent) have this one.
  • com.apple.private.dark-wake-push: a key to wake up the computer ???
  • com.apple.private.AuthorizationServices: widely used, it seems a good candidate for a future entitlement key.

I hope that by March 2012, Apple would have solved all the details about sandboxing. It would be nice to see a set of versatile entitlement that could protect the end-user and let the developer be inventive.