It looks like that worked, thanks! I ended up creating a separate entitlements file for jspawnhelper which looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>

On Tue, Jun 24, 2014 at 11:44 AM, Danno Ferrin <danno.fer...@oracle.com> wrote:

> What entitlements did you sign spawnhelper with? The same as the main app
> or the inherit permission?
>
> On Jun 24, 2014, at 9:40 AM, Zach Oakes <zsoa...@gmail.com> wrote:
>
> > I've successfully shipped Java apps on the MAS using an embedded JRE, but
> > with the stricter signing requirements now in place, I'm having a problem.
> > My script now signs all the binaries, including the JRE's jspawnhelper
> > executable, which my app relies on to spawn new processes via Runtime.exec.
> >
> > The sandboxed app launches correctly, but when it tries launching a new
> > process, I get a dialog saying "OS X needs to repair your Library to run
> > applications". It then fails to spawn the process, and the console says
> > "Sandbox creation failed: Container object initialization failed: failed to
> > get bundleid for app
> > "<snip>/Contents/PlugIns/jdk1.7.0_60.jdk/Contents/Home/jre/lib/jspawnhelper".
> >
> > I can't figure out why it is failing to get the bundleid for jspawnhelper.
> > It is definitely being signed with codesign, and I've tried explicitly
> > setting an --identifier to no avail. I would appreciate advice on how to
> > resolve this.
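
A lint for the helper entitlements file shown in the reply at the top of this thread, as an added example that is not part of the original messages. It assumes Apple's App Sandbox rule that an inheriting child process carries exactly the two keys above, both true; the function name and the sample plists are constructed for illustration.

```python
import plistlib

# Assumption (Apple's App Sandbox documentation, not stated in the thread):
# a helper spawned by a sandboxed app is signed with exactly these two keys.
REQUIRED = {"com.apple.security.app-sandbox", "com.apple.security.inherit"}


def check_helper_entitlements(plist_bytes):
    """Return a list of problems; an empty list means the file is suitable."""
    try:
        ent = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"not a valid plist: {exc}"]
    if not isinstance(ent, dict):
        return ["top-level object is not a <dict>"]
    problems = []
    for key in sorted(REQUIRED):
        if key not in ent:
            problems.append(f"missing {key}")
        elif ent[key] is not True:
            problems.append(f"{key} must be <true/>")
    # Anything else (for example the main app's own entitlements copied over)
    # does not belong on a helper that inherits its parent's sandbox.
    for key in sorted(set(ent) - REQUIRED):
        problems.append(f"unexpected entitlement for an inheriting helper: {key}")
    return problems


def _plist(body):
    # Wraps a <dict> body in the standard XML plist envelope (constructed input).
    return (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
            b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
            b'<plist version="1.0"><dict>' + body + b'</dict></plist>')


# Constructed samples: the helper file from the thread, and a main-app style
# file (sandbox plus a network entitlement, no inherit) reused for the helper.
HELPER_OK = _plist(b'<key>com.apple.security.app-sandbox</key><true/>'
                   b'<key>com.apple.security.inherit</key><true/>')
MAIN_APP_COPY = _plist(b'<key>com.apple.security.app-sandbox</key><true/>'
                       b'<key>com.apple.security.network.client</key><true/>')

if __name__ == "__main__":
    for name, data in [("helper", HELPER_OK), ("main-app copy", MAIN_APP_COPY)]:
        print(name, check_helper_entitlements(data) or "ok")
```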