LiveCode Forums.

Hi,

This link should work

And that's why there is http://qery.us

Best,

Mark

Thanks.. Looks like an interesting read..

Little bit more info on sandboxing.

It appears that we will not be allowed to execute shell commands from a sandboxed application.

specialFolderPath("Home") returns the path to the user's local container version of their Home directory, not the home directory itself.

RunRev support replied to me that they do not currently support checking of the MAS receipt file or any way to deal with opening files other than through the standard Open dialog (per my example of opening from a list of recently opened files) but that it is on their list of enhancements.

There is now an external available fro MAS receipt checking. You can find details on the How To Use Livecode email list or watch a video about it at:

http://www.phoenixsea.ch/downloads/phxMASValidate.mov

Pete

phaworth wrote:Little bit more info on sandboxing.
[... omissis ...]
There is now an external available fro MAS receipt checking. You can find details on the How To Use Livecode email list or watch a video about it at:

http://www.phoenixsea.ch/downloads/phxMASValidate.mov

Pete

Maybe can be useful, for people NOT reading other forums and list, to post also here the MAS Receipt Validation info ...


As you probably already know, a user can download from the MAS the purchased App on 5 different devices, but ... if inside your App you don't validate the "MAS Receipt", ANY user can make a copy and distribute your App without any control !

Unfortunately, the code to validate the MAS Receipt, can't be still the same because, otherwise, it will be too easy for crackers to discover the weak point and to patch the code once and for all. For this reason I think, Apple has not provided a fixed 'call' to use, but has provided some guidelines :

https://developer.apple.com/library/mac ... index.html

As you can see, to write a good MAS Receipt Validation code, is not so simple, but for this, fortunately, there is on the App Store, a very good program, called Receigen.
Each time you run, Receigen generates a complex C "MAS Receipt Validation" source code, where the constants and the strings are re-obfuscated, the checks are performed differently, and the code flow changes, so … each time a different, unique code ! (more info on : http://receigen.etiemble.com/index.php)

So, starting from this, I developed a very simple External for LiveCode, to call the validation process from inside our applications.

You can download the following items from my web server :

- All you need to build YOUR validation External : http://www.phoenixsea.ch/downloads/phxMASValidate.zip

- A simple test program that shows how to dynamically load and how to call the External : http://www.phoenixsea.ch/downloads/phxM ... rogram.zip

- An 8 minutes video showing "How To Do" : http://www.phoenixsea.ch/downloads/phxMASValidate.mov
... about this video ... I know that probably the slides go too quickly, but you can still use the pause/resume button to stop and resume the video.

Now, to briefly explain "How to do" ...

1. with Receigen.app generate your MAS Receipt Validation C code (DON'T FORGET to flag the "Perform only receipt checks" on Advanced Settings) and save in a file named receigen.h

2. go inside phxMASValidate folder and replace the file : phxMASValidate/phxvalidate/src/receigen.h with your just generated

3. go back inside : phxMASValidate/phxvalidate/ , start XCode and open the project phxvalidate.xcodeproj

4. to avoid problems, first do a "Clean" so ... from the menu bar, select Product -> Clean

5. verify that the 'Release' build is selected, so ... from the menu bar, select Product -> Edit Scheme and verify that the Build Configuration is on Release

6. still to avoid problems, put YOUR bundle identifier for this external, so ... click on the left pane, on the first item (the project name, with blue small icon) and in the central pane, on the Info TAB, the first row is 'Bundle Identifier' ... change it (e.g. com.yourname.phxvalidate)

7. build the external, so ... from the menu bar, select Product -> Build ... XCode must say : 'Build Succeeded'

8. you can close XCode ... your external is ready ! You will find it in : phxMASValidate/phxvalidate/_build/Release/phxvalidate.bundle

9. Include this external into your livecode app and, on the preOpenStack (... but I suggest to call also in different points of the code to make harder the work to crackers) and call :

put phxValidateMAS(the filename of this stack) into tRetCode

where the phxValidateMas is the name of the C call that you find into my source code; the parameter is the Path to the REAL executable that you find inside your Mac .app and tRetCode is the return code (... 0 if all is OK).

That's all ...

Important note :
fortunately/unfortunately, LiveCode is not a real common language so, as far as I know, there are not LiveCode decompilers and it's not so easy to debug a livecode application. The weakness is exactly the external, which is a real OSX executable easy to debug and to replace.
About debugging ... Receigen creates a quite complex code to debug, but ... anybody can easily replace the bundle with another one with just 'return 0' as return value for my validation call.
To avoid this, you MUST find a way to validate the external BEFORE using it.
I have spoken with the author of Receigen and, after having explained the situation, he also suggested to protect the External with different checking.

So, in my programs, I obfuscate the following values :

- the MD5 of the External CODE (the real one that you find INSIDE the External bundle)
- the SHA1
- the size in bytes

... and I will check the values each time, before calling the External ! Quite difficult to work around ...

If you need, don't hesitate to contact me (guglielmo [at] braguglia.ch)

Guglielmo

I suppose I am a little confused by this discussion. While receipt checking is certainly interesting, I was under the impression that an LC standalone would not be approved for the MAS as of June 1. Have I missed something?

Thanks.

LC apps are no different than any other apps as far as MAS submissions are concerned - they have to adhere to certain Apple policies or they will be rejected. June 1st is when MAS apps had to be "sandboxed", a whole new set of rules which programs must abide by in order to be accepted. Depending on what your app does, it may or may not be accepted. The reference to using the shell command, for example, is one thing that will most likely cause an app to be rejected.
Pete

Hi Pete,

I am afraid I am still confused. Clearly LC apps are not run in a sandbox (at least this is what Activity Monitor is telling me), how would they be approved by Apple if the requirement now is that they must be?

No apps are run in a sandbox unless you enable them to run that way, doesn't matter if they are created with Livecode or any other language. Basically, after you save your LC app as a standalone, you edit the info.plist file that is attached to it to indicate that it is sandboxed and what "entitlements" the app is allowed. Entitlements are general areas of functionality that the app is permitted to access, e.g network access, and if they try to do things that are not permitted by their entitlement settings, they are blocked from doing so.

Pete

rrBUSS9EE wrote:Hi Pete,
I am afraid I am still confused. Clearly LC apps are not run in a sandbox (at least this is what Activity Monitor is telling me), how would they be approved by Apple if the requirement now is that they must be?

Hi, maybe this tool (... originally made for RB, but work very fine with LC) can help you ... : http://www.bluecolin.com/rbpms/

Also this give a lot of info : http://intkeystrokes.blogspot.com/2012/ ... oxing.html

Hope this help

Guglielmo

Thanks… but the demo doesn't let you do much other than explore the interface.

After a little head scratching (the Apple docs are primarily presented in the context of Xcode's GUI) I have found that a separate plist must be created and passed to codesign with the "--entitlements" flag. So far so good… I now have a sandboxed app.

This is a test app that consists of a single window with a single button with just a "beep" in its mouseup handler. when I run it I get the following from console: It appears LC apps register for printing services on launch. Ok… so I add the com.apple.security.print key to the entitlements and resign. All is well.

Now I click my beep button and hear my beep, but console reports: Do any of you see this with just a simple beep?

I am a little concerned that Apple will frown on these denials, as well as me having to establish a printing entitlement even though my app does not print.

Any thoughts? I know it is early, but has anyone been successful with a LC based MAS submission after June 1?

Hi Guglielmo,
Useful links, thank you! In Obleo's video, he says you have to codesign any externals used by your app - should we be doing that for MAS receipt checking external?
Pete

phaworth wrote:Hi Guglielmo,
Useful links, thank you! In Obleo's video, he says you have to codesign any externals used by your app - should we be doing that for MAS receipt checking external?
Pete

Hi Pete,
if you use the "RB Package Maker Studio" (which I really suggest), all the signatures are automatically added by this program, so ... sign nothing and leave "RB Package Maker" to do the job for you

Guglielmo

P.S. : Anyway, yes, also the bundle should be codesigned.

Hi,
I've already sended and pubblished in Mac App Store three App (PollingFTP, Phonema Converter and PWGen) and wrapped with "App Wrapper" without problems.

Paolo

Hi All,
I tried to download RB Package Maker Studio over the holidays and couldn't get it. So I've created one just for Livecode and made it available to everyone for free. It should auto discover your certificates and enable you to adjust your .app settings for sandbox entitlements and languages. PM me if you need assistance with it.

http://www.pidigital.co.uk/OSXPackageMaker.zip

All the best
Sean Cole
Pi Digital

Hello seaniepie

This is a great app !
Thanks a lot

When I try to sign my app (Certificate is installed) I get the following error "cannot read entitlement data", also
I do not have a entitlement.plist ?

How do I create an entitlement.plist ?

Cheers
Kangaroo SW