macOS App Sandbox #9023
Draft
macOS App Sandbox #9023
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-project-automation
bot
moved this to 🧭 Planning evaluation (don't pick)
in 💻 Desktop Clients team
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR migrates from using team-identifier-prefixed app groups to the standard group. prefix for macOS app group identifiers, and updates code signing configuration to use automatic signing with a specific development team.
- Changed app group identifier format from
$(TEAM_ID)$(BUNDLE_ID)togroup.$(BUNDLE_ID) - Updated socket paths to use
Library/Application Support/subdirectories - Switched from manual to automatic code signing with
NKUJUXUJ3Bdevelopment team - Updated bundle identifiers from
com.owncloud.*tocom.nextcloud.*
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| src/gui/socketapi/socketapi_mac.mm | Updated socket path to use group prefix and Application Support directory |
| src/gui/macOS/fileproviderutils_mac.mm | Added whitespace formatting improvements |
| src/gui/macOS/fileprovidersocketserver_mac.mm | Updated file provider socket path to use group prefix and Application Support directory |
| shell_integration/MacOSX/NextcloudIntegration/NextcloudIntegration.xcodeproj/project.pbxproj | Changed code signing from manual to automatic, updated development team ID, and changed bundle IDs from owncloud to nextcloud |
| shell_integration/MacOSX/NextcloudIntegration/FinderSyncExt/FinderSyncExt.entitlements | Updated app group identifier to use group prefix |
| shell_integration/MacOSX/NextcloudIntegration/FinderSyncExt/FinderSync.m | Updated socket path to use Application Support subdirectory |
| shell_integration/MacOSX/NextcloudIntegration/FileProviderUIExt/FileProviderUIExt.entitlements | Updated app group identifier to use group prefix |
| shell_integration/MacOSX/NextcloudIntegration/FileProviderExt/Info.plist | Updated NCFPKAppGroupIdentifier to use group prefix |
| shell_integration/MacOSX/NextcloudIntegration/FileProviderExt/FileProviderExt.entitlements | Updated app group identifier to use group prefix |
| cmake/modules/MacOSXBundleInfo.plist.in | Updated NCFPKAppGroupIdentifier template to use group prefix |
| admin/osx/macosx.entitlements.cmake | Updated app group identifier template to use group prefix and added sandbox entitlements |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
shell_integration/MacOSX/NextcloudIntegration/FileProviderExt/Info.plist
Outdated
Show resolved
Hide resolved
shell_integration/MacOSX/NextcloudIntegration/NextcloudIntegration.xcodeproj/project.pbxproj
Outdated
Show resolved
Hide resolved
i2h3
force-pushed
the
i2h3/proper-macos-sandboxing
branch
from
38661b3 to
a7f4af5
Compare
i2h3
moved this from 🧭 Planning evaluation (don't pick)
to 🏗️ In progress
in 💻 Desktop Clients team
i2h3
requested review from
Aiiaiiio,
camilasan,
mgallien and
nilsding
as code owners
i2h3
force-pushed
the
i2h3/proper-macos-sandboxing
branch
from
636553d to
e37dada
Compare
Collaborator
Author
|
I need to fix how the build settings are passed through now before it is ready for review. |
i2h3
force-pushed
the
i2h3/proper-macos-sandboxing
branch
2 times, most recently
from
38055c2 to
a78b990
Compare
i2h3
added a commit
to nextcloud/nextcloudfileproviderkit
that referenced
this pull request
Nov 10, 2025
- These changes are related to making the main app bundle of the macOS build adopt the app sandbox entitlement which imposes certain restrictions on its file system access (nextcloud/desktop#9023). - Logs are now written to the app group container because they are not accessible by the main app for creating debug archives otherwise. - Databases are now written to the app group container because they are not accessible by the main app for creating debug archives otherwise. - Removed legacy database migration code because it cannot work with the new app group identifier of the now sandboxed app anymore. - Simplified database location assembly. Signed-off-by: Iva Horn <[email protected]>
i2h3
added a commit
to nextcloud/nextcloudfileproviderkit
that referenced
this pull request
Nov 12, 2025
- These changes are related to making the main app bundle of the macOS build adopt the app sandbox entitlement which imposes certain restrictions on its file system access (nextcloud/desktop#9023). - Logs are now written to the app group container because they are not accessible by the main app for creating debug archives otherwise. - Databases are now written to the app group container because they are not accessible by the main app for creating debug archives otherwise. - Removed legacy database migration code because it cannot work with the new app group identifier of the now sandboxed app anymore. - Simplified database location assembly. Signed-off-by: Iva Horn <[email protected]>
Signed-off-by: Iva Horn <[email protected]>
- Removed redundant build settings about signing. - Updated default base identifier from ownCloud to Nextcloud. Signed-off-by: Iva Horn <[email protected]>
- Use automatically managed code signing. - Defined Nextcloud GmbH (NKUJUXUJ3B) as the default development team. - Set default code sign identity to "Apple Development". - This is necessary because the new and correct group container identifier "group.com.nextcloud.desktopclient" requires a provisioning profile which requires development signing. Signed-off-by: Iva Horn <[email protected]>
…main app. Signed-off-by: Iva Horn <[email protected]>
Content of sandboxed apps must not be created on the root level of a container but lower in the hierarchy of it. Signed-off-by: Iva Horn <[email protected]>
This moves the preferences of the app into its sandbox container as documented here: https://developer.apple.com/documentation/security/migrating-your-app-s-files-to-its-app-sandbox-container Signed-off-by: Iva Horn <[email protected]>
Signed-off-by: Iva Horn <[email protected]>
…file. - CODE_SIGN_IDENTITY - CODE_SIGN_STYLE - DEVELOPMENT_TEAM Signed-off-by: Iva Horn <[email protected]>
Signed-off-by: Iva Horn <[email protected]>
Signed-off-by: Iva Horn <[email protected]>
Also replaced the template file with a default file for build settings which can be overridden by environment variables. Signed-off-by: Iva Horn <[email protected]>
Signed-off-by: Iva Horn <[email protected]>
…n app sandbox. Signed-off-by: Iva Horn <[email protected]>
Signed-off-by: Iva Horn <[email protected]>
Signed-off-by: Iva Horn <[email protected]>
…dFileProviderKit. Signed-off-by: Iva Horn <[email protected]>
Signed-off-by: Iva Horn <[email protected]>
Signed-off-by: Iva Horn <[email protected]>
- Replaced "group." with DEVELOPMENT_TEAM. - Removed every occurrence of SOCKETAPI_TEAM_IDENTIFIER_PREFIX. - Removed NCFPKAppGroupIdentifier from MacOSXBundleInfo.plist.in. Signed-off-by: Iva Horn <[email protected]>
This is for working with a development branch of NextcloudFileProviderKit only while the required changes there have not been integrated yet. This reference must be removed in a follow up commit. Signed-off-by: Iva Horn <[email protected]>
…topclient". This was still missing in contrast to FileProviderExt. "desktopclient" is no the actual app for macOS but only a shallow wrapper and meta target to enable convenient build of everything in the Xcode project without building the main Qt app. Signed-off-by: Iva Horn <[email protected]>
Signed-off-by: Iva Horn <[email protected]>
Signed-off-by: Iva Horn <[email protected]>
Signed-off-by: Iva Horn <[email protected]>
…e conveniently from Xcode. Signed-off-by: Iva Horn <[email protected]>
- Force an initial folder selection on folder wizard appearance. - Turn the path text field into read only to force a change through the open folder dialog as required by the sandbox. - On macOS, look up the actual user's home directory instead of the sandboxed container. - Removed initial value for path text field in folder wizard because it was pointing into the sandbox container and also obsolete due to the forced folder selection on appearance. Signed-off-by: Iva Horn <[email protected]>
Signed-off-by: Iva Horn <[email protected]>
i2h3
force-pushed
the
i2h3/proper-macos-sandboxing
branch
from
76982cb to
1534ff2
Compare
|
Artifact containing the AppImage: nextcloud-appimage-pr-9023.zip Digest: To test this change/fix you can download the above artifact file, unzip it, and run it. Please make sure to quit your existing Nextcloud app and backup your data. |
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Originally, I set out to avoid the appearance of a system prompt of our app wanting to access data from other apps when it actually just tried to create a local socket file in its own group container for interprocess communication.
group.prefix) so the main app can access it for creation of a debug archive. This renders the shared legacy account database migration code obsolete because it could not be accessed anyway.☑️ To Do
A migration wizard might be necessary which requires the user to select every synchronization root folder once which set up in previous releases through an "open directory" panel by the system because that is how granting access permission to user-selected file system items work and required to persist access to those out of the sandbox.
😵 Caveats
Breaking File Provider Change
This is a breaking change for our file provider extension. Currently, I do not see a way to enable the app sandbox without setting up file provider domains for accounts from scratch. The compliance with the app sandbox requires to use a proper group container identifier and app sandbox migration manifests only support containers (not group containers), to my knowledge.
Should a 4.1 build look for the file provider extension data, it will look in the new group container initially and not find anything. This is equal to a complete reset.
UNIX Sockets
Long identifiers may break the UNIX socket-based IPC. The app sandbox makes long path prefixes inevitable. In example:
It is about 122 characters long and there is a problem with that:
Apple XNU kernel source code for reference.
The solution for now is to keep it as short as possible but this may break with branded identifiers which are significantly longer than this reference case.
⚡️ Impact
This is not a simple bug fix but foundational changes to how security is implemented by our client on macOS. It requires extensive testing and cannot be delivered or ported back as a patch release. This is not just flipping a switch in some settings. The debug archive creation feature is an example how the technical debt of a missing app sandbox requires code refactoring.
🔗 Dependencies
This pull request requires these changes to NextcloudFileProviderKit.