Incomplete codesign entitlements in build distributed by Mac App Store

Originator:dkocher
Number:rdar://37934094 Date Originated:February 27 2018, 10:19 AM
Status:Closed Resolved:October 22 2018, 7:40 PM
Product:Mac App Store Product Version:
Classification: Reproducible:Always
 
When installing from the Mac App Store, the codesign entitlements are invalid and missing several keys. Some particular entitlements key submitted are missing from the package downloaded from the store.

com.apple.security.network.client: true
com.apple.security.files.downloads.read-write: true
com.apple.security.files.user-selected.read-write: true
com.apple.security.print: true

You can view all submitted entitlement keys at https://itunesconnect.apple.com/WebObjects/iTunesConnect.woa/ra/ng/app/409222199/activity/osx/builds/6.4.1/27633/details

Steps to Reproduce:
Install Cyberduck 6.4.1 or 6.4.2 from the Mac App Store

Expected Results:
Complete codesign entitlements as found as when installing from the installer package (pkg) submitted to iTunes Connect.

See attachment "Installer Package Codesign Entitlements.txt"

Actual Results:
Incomplete codesign entitlements when installed from the Mac App Store

See attachment "Mac App Store Codesign Entitlements.txt"

Version/Build:
Reproducible in Cyberduck 6.4.1 built with Xcode 9.2 Build version 9C40b
Reproducible in Cyberduck 6.4.2 built with Xcode 8.2.1 Build version 8C1002

References:
https://trac.cyberduck.io/ticket/10237
Comments

Comments

The invalid processing by Apple is triggered by the line comments in the entitlements XML. Looks like someone at Apple is learning XML in production.


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!