Sandboxed apps have to declare their entitlements. Of course, that doesn't do me any good if I can't tell what entitlements it declares. A text editor that has entitlements for Core Location, Network Server, and my Address Book, without my knowledge, could be much worse than an unsandboxed app.
How can I see what entitlements an app has?
After some more searching, I found a command-line answer:
codesign -d --entitlements - --xml /Applications/Whatever.app
This will print out an XML plist with values like:
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
For more information see https://developer.apple.com/library/archive/qa/qa1798/_index.html#//apple_ref/doc/uid/DTS40014167-CH1-IOS_STEPS
If anyone knows an easier/nicer way, though, I'd love to hear it.
fade7171000000fb, making the XML invalid. Any way to avoid that or strip it away? – luckman212 Apr 22 '19 at 15:03codesign -d --entitlements - <filepath> 2>&1 | LANG=C LC_CTYPE=C sed 's/^.*\<\?xml/\<\?xml/g' | grep "<.*>"Maybe there's another solution, but that's how I strip those bytes. But I don't think it's necessary: you can
– JayB May 18 '19 at 06:29codesignan app by pointing to an entitlements xml, and macOS will ignore those bytes anyway.codesign -d --entitlements :- /Applications/Whatever.app/– artyom.stv Jul 01 '19 at 14:32jtool --ent /MyApp.app/Contents/MacOS/MyApp@Ken – rustyMagnet Feb 17 '20 at 10:41:-part was the key to making this work (that man fails to mention), whatever it means. – Violet Giraffe Feb 19 '20 at 15:48--xmlswitch which is much clearer than the colon, which is now deprecated. – ReinstateMonica3167040 Mar 25 '23 at 13:57