Sandbox MuseScore on Mac OSX

• Apr 2, 2015 - 14:02
Type: Functional
Severity: S4 - Minor
Status: active
Project

Here is the current status of sandboxing MuseScore on Mac OSX. Sandboxing is now a requirement to enter the Mac App Store. It's also a good security practice...

Once sandboxed with the following command and the following entitlements file, MuseScore does run. Testing the sandboxing with this procedure (Confirm That the App Is Sandboxed) gives a green light.

In package_mac

codesign --deep -s "3rd Party Mac Developer Application: MuseScore" --entitlements build/mscore.entitlements "${VOLUME}/${LONGER_NAME}.app"

mscore.entitlements
see attachment

4/ Then running the app and checking the Mac Console, we can see several sandbox violations.

  • deny file-read-data /usr/local/lib when launching the start center. Qt tries to load the OpenSSL library from this system-wide location. It's a sandbox violation. So no SSL except if we recompile Qt :(
  • Documents/MuseScore 2 folders for scores, soundfont etc... can't be created since the creation violates the sandbox. The "nice way" would be to ask the user if we can create the directories and then save a secured bookmark for it. Sounds like special coding for Mac... Less nice, default to a standard folder and ask
  • Launching the start center after opening some files, the thumbnails are not displayed. We are trying to access files on the disk to extract thumbnails and we don't have authorization.
  • deny mach-lookup com.apple.airportd and deny system-socket. Every 30s a component of Qt polls the network status. Apparently the sandbox doesn't allow this. I couldn't find any reference on Google yet but it could be the Qt bearer plugin that we deploy. We could try to delete it and see if it works.
Attachment: mscore.xml (492 bytes)
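The violations listed above can be triaged from exported Console text by grouping the deny lines and measuring how regularly each one repeats, which separates launch-time denials from periodic ones such as the 30-second network poll. This is an added example, not part of the original issue or of MuseScore's code. The log prefix, timestamp format, PIDs and the process name `mscore` are assumptions; only the `deny <operation> <target>` shape comes from the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: only the "deny <operation> [target]" tail mirrors the post.
# Timestamps, PIDs and the "sandboxd ... mscore(pid)" prefix are assumptions.
SAMPLE_LOG = """\
2015-04-02 14:00:01 sandboxd[120]: ([4321]) mscore(4321) deny file-read-data /usr/local/lib
2015-04-02 14:00:02 mscore[4321]: unrelated application message
2015-04-02 14:00:05 sandboxd[120]: ([4321]) mscore(4321) deny mach-lookup com.apple.airportd
2015-04-02 14:00:05 sandboxd[120]: ([4321]) mscore(4321) deny system-socket
2015-04-02 14:00:35 sandboxd[120]: ([4321]) mscore(4321) deny mach-lookup com.apple.airportd
2015-04-02 14:00:35 sandboxd[120]: ([4321]) mscore(4321) deny system-socket
2015-04-02 14:01:05 sandboxd[120]: ([4321]) mscore(4321) deny mach-lookup com.apple.airportd
2015-04-02 14:01:05 sandboxd[120]: ([4321]) mscore(4321) deny system-socket
"""

# Timestamp, anything, then "deny" (optionally "deny(1)"), the operation name,
# and an optional target (a path or a Mach service name; may contain spaces).
DENY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?\bdeny(?:\(\d+\))? "
    r"(?P<op>[a-z][a-z0-9*-]*)(?: (?P<target>\S.*))?$"
)

def parse_denials(text):
    """Map (operation, target) -> list of timestamps at which it was denied."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = DENY_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[(m["op"], m["target"] or "")].append(ts)
    return events

def summarize(events):
    """One row per distinct denial; period_s is set only with 3+ occurrences."""
    rows = []
    for (op, target), stamps in events.items():
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps) if len(gaps) >= 2 else None
        rows.append({"op": op, "target": target,
                     "count": len(stamps), "period_s": period})
    return sorted(rows, key=lambda r: (-r["count"], r["op"], r["target"]))

if __name__ == "__main__":
    for row in summarize(parse_denials(SAMPLE_LOG)):
        print(row)
```

Rows with a `period_s` value point at a component that keeps retrying on a timer; rows with a count of 1 are usually tied to a single action such as opening the start center.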