'How to enable AppleScript between Parent and Child applications within sandbox for Mac App Store?

I have a parent app that contains a child app in the bundle. The child app uses applescript to trigger some events in the parent app.

Now that I'm preparing for App Store I have sandboxed the apps and I am missing something with either the entitlements or property lists that I don't understand.

In the parent app I have defined the .sdef and I can dump it with sdef /Applications/Parent.app once installed from TestFlight and I see:

<!DOCTYPE dictionary SYSTEM "file://localhost/System/Library/DTDs/sdef.dtd">
<dictionary title="Parent">

<suite name="Parent Suite" code="prnt" description="Parent Scripts">

    <command name="is_first_run" code="prntisfr" description="Is this the first time running the app?">
        <cocoa class="MyScriptInterface"/>
    </command>

    <command name="activation_complete" code="prntWRac" description="Activation is complete">
        <cocoa class="MyScriptInterface"/>
    </command>

    <command name="sign_out" code="prntWRso" description="Sign out and delete local credentials">
        <cocoa class="MyScriptInterface"/>
    </command>

    <command name="get_version" code="prntgetv">
        <cocoa class="MyScriptInterface"/>
        <direct-parameter type="text" description="None"/>
        <result type="text"/>
    </command>

</suite>

In the parent app I have the following included in the .plist:

<key>NSAppleEventsUsageDescription</key>
    <string>AppleEvents needed to communicate between components</string>
<key>NSAppleScriptEnabled</key>
    <true/>
<key>OSAScriptingDefinition</key>
    <string>Parent.sdef</string>

In the Parent entitlements I include the following key parts:

<key>com.apple.security.automation.apple-events</key>
    <true/>
<key>com.apple.security.scripting-targets</key>
    <dict>
            <key>com.foo.parent</key>
            <array>
                 <string>com.foo.parent.is_first_run</string>
                 <string>com.foo.parent.activation_complete</string>
                 <string>com.foo.parent.sign_out</string>                            
                 <string>com.foo.parent.get_version</string>
            </array>

            <key>com.foo.parent.child</key>
            <array>
                    <string>com.foo.parent.is_first_run</string>
                    <string>com.foo.parent.activation_complete</string>
                    <string>com.foo.parent.sign_out</string>
                    <string>com.foo.parent.get_version</string>
            </array>
    </dict>

In the Child app I have only this key:

<key>NSAppleScriptEnabled</key>
    <true/>

And in the Child entitlements I have only this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>

    <key>com.apple.security.inherit</key>
    <true/>

I am not understanding something. When I install the app and watch Console output I see a combination of errors:

For the Parent app:

AppleEvents/sandbox: Returning errAEPrivilegeError/-10004 and denying dispatch of event prnt/isfr from process '<private>'/0x0-0x7dccdc5, pid=95806, because it is not entitled to send an AppleEvent to this process.

I feel it's telling me that my Child app needs to be whitelisted somehow? I thought I was explicitly already doing that.

For the Child app from sandboxd:

Violation:       deny(1) appleevent-send com.apple.systemevents

MetaData: {"platform-binary":false,"build":"macOS 12.3.1 (21E258)","sandbox_checker":"appleeventsd","process-path":"\/Applications\/Parent.app\/Contents\/MacOS\/Child.app\/Contents\/MacOS\/Child","profile-in-collection":false,"platform_binary":"no","primary-filter-value":"com.apple.systemevents","primary-filter":"appleevent-destination","checker":"appleeventsd","platform-policy":false,"policy-description":"Sandbox","summary":"deny(1) appleevent-send com.apple.systemevents","binary-in-trust-cache":false,"responsible-process-team-id":"367******2","target":"com.apple.systemevents","hardware":"Mac","pid":95806,"appleevent-destination":"com.apple.systemevents","flags":5,"responsible-process-signing-id":"com.foo.parent","apple-internal":false,"normalized_target":["com.apple.systemevents"],"checker-pid":359,"profile-flags":0,"operation":"appleevent-send","errno":1,"action":"deny","uid":501,"responsible-process-path":"\/Applications\/Parent.app\/Contents\/MacOS\/Parent","signing-id":"com.foo.parent.child","team-id":"367******2","container":"\/Users\/spartygw\/Library\/Containers\/com.foo.parent\/Data","process":"Child","release-type":"User"}

For completeness, I am attempting to execute applescript from Child.app like this:

NSDictionary* errorDict;
NSAppleScript* scriptObject = [[NSAppleScript alloc] initWithSource: @"tell application id \"com.foo.parent\" to sign_out"];
NSAppleEventDescriptor* returnDescriptor = [scriptObject executeAndReturnError: &errorDict];

References:

Apple: Enabling Scripting of Other Apps

Related stack question

macosapplescriptsandboxmac-app-storeappstore-sandbox


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source

Related Questions