[ai-assisted] fix(mas): add app-sandbox to child entitlements

JooHyung Park · claude · JooHyung Park · commit c1aee773b604 · 2026-02-19T16:58:51.000+08:00
Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/entitlements.child.plist b/entitlements.child.plist
@@ -2,9 +2,10 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-    <!-- Child helpers must inherit sandbox from parent.
-         Do NOT declare app-sandbox again here, or helpers can crash with
-         forbidden-sandbox-reinit in MAS/TestFlight builds. -->
+    <!-- Mac App Store requires explicit app-sandbox declaration
+         even for child helpers. We include both app-sandbox and inherit. -->
+    <key>com.apple.security.app-sandbox</key>
+    <true/>
     <key>com.apple.security.inherit</key>
     <true/>
 </dict>
diff --git a/forge.config.ts b/forge.config.ts
@@ -123,6 +123,18 @@ const config: ForgeConfig = {
             { stdio: 'inherit' }
           );
           console.log(`[postPackage] ✅ Successfully re-signed: ${helperApp}`);
+
+          // Verify the entitlements were applied
+          try {
+            const verifyOutput = execSync(
+              `codesign -d --entitlements - "${helperPath}" 2>&1`,
+              { encoding: 'utf8' }
+            );
+            console.log(`[postPackage] Verifying entitlements for ${helperApp}:`);
+            console.log(verifyOutput);
+          } catch (verifyError) {
+            console.error(`[postPackage] ⚠️  Failed to verify entitlements for ${helperApp}:`, verifyError);
+          }
         } catch (error) {
           console.error(`[postPackage] ❌ Failed to re-sign ${helperApp}:`, error);
           throw error;
