Host key verification fail....

Discussion in 'OS X El Capitan (10.11)' started by thomeven, Apr 17, 2016.

  1. thomeven macrumors newbie


    Apr 17, 2016
    I have developed an application for OSX 10.11 as GUI to the rsync command-line tool. There are two versions of the application, one is released by MacUdate the other by Apple App Store. Rsync command-line might be used through ssh and passwordless logins(by private/public key pair).

    The MacUpdate version of my application is working as expected. But the Apple App Store installed version does not. Both applications is used from the same user. The Apple App Store installed version complains about "..Host key verification fail..".

    Both applications uses same code, the only difference is how they are installed. The application is using rsync to do the actual transfer of files...

    My knowledge of ssh is limited and I dont know where to search for a solution?

  2. thomeven thread starter macrumors newbie


    Apr 17, 2016
    I might have found out why, I think it is because of the application is forced to be executed inside Apples sandbox technology (when released from Apple App store)...And to get ssh keys to work inside a Sandbox container is not easy (as far as I can understand)...
  3. mag01 macrumors regular

    Apr 10, 2011
    Yes, I was going to point to the sandboxing but you answered to yourself already.

    Regarding giving the sandboxed app the required permissions, normally you could use the temporary exception entitlements for that:
    at minimum for the /.ssh/ path will be required, or perhaps if you want to give your application the opportunity to write the remote host key into ~/.ssh/known_hosts file then also for the /.ssh/known_hosts path.

    However since you intend to publish that application via MAS it would be most likely rejected by Apple with such entitlements. Fortunately there's another method available, but that can be used only in OS X 10.7.3+. It's called security-scoped bookmarks, from which you can use app-scoped bookmark subset:
    That will also require adding some entitlement, this time
    but that one shouldn't be a problem for MAS approval.
  4. thomeven thread starter macrumors newbie


    Apr 17, 2016
    Thank you very much for pointing out resources for reading about sandbox issues. I will check and test if there might be a solution or workaround for my application. There are some other options as passing passoword to rsync (--password-file=FILE), it might be a solution as well..The -password-file option requieres rsync to talk to a rsync daemon on server I belive..
    Thanks for replying to my question..

Share This Page

3 April 17, 2016