@pkamb
Created May 15, 2013 17:33
Mac App Store code signing for a nested executable, via Apple ticket
Hello Peter,
I'm responding to your question about App Sandbox.
I checked with Mac App Review. The issue is that your login helper /LOGIN/HELPER/APP/PATH is not sandboxed. In other words, it does not have the com.apple.security.app-sandbox entitlement.
All executables are required to be sandboxed, whether they are the main app or an embedded helper.
Since your app is built from more than one target, the main app and the helper app, here's how we recommend to build this kind of project. Set the Code Signing Identity build setting at the project level to your development code signing identity (starts with "Mac Developer:") and not your distribution signing identity (starts with "3rd Party Mac Developer Application:"). Then delete the Code Signing Identity build setting from all targets by selecting the build setting and pressing the delete key to return the setting to its default value.
You should still see the project level setting in each target but not in bold text. (Xcode uses bold text to indicate build settings that have been changed from the default value.)
Set the Code Signing Entitlements setting in each target. This is how you can specify separate entitlements for your helper and your main app.
Once you're ready to submit the app, do a Product > Archive. Then go to the Organizer, select Archives, select the archive you want to submit and click Distribute.
You'll be asked what kind of distribution you want to do, such as Submit to the Mac App Store. Then you'll be prompted to select a distribution code signing identity. This process will sign everything again with the distribution identity, including any embedded helpers. This means you don't have to sign those helpers separately.
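To check the requirement stated in the email before submitting, this added example (not part of the original message and not Apple's tooling) tests each executable's entitlements for `com.apple.security.app-sandbox`. The bundle paths and sample plists are constructed, and `read_entitlements` assumes macOS with the `codesign` tool available.

```python
import plistlib
import subprocess
from xml.parsers.expat import ExpatError

SANDBOX_KEY = "com.apple.security.app-sandbox"  # entitlement named in the email

def read_entitlements(path):
    """Raw entitlements plist for one signed executable (macOS only).
    Assumes `codesign` is on PATH; empty output means no entitlements."""
    cmd = ["codesign", "-d", "--entitlements", ":-", path]
    return subprocess.run(cmd, capture_output=True, check=False).stdout

def is_sandboxed(plist_bytes):
    """True only when the sandbox entitlement is present and boolean true."""
    data = plist_bytes.strip()
    if not data:                      # unsigned or signed without entitlements
        return False
    try:
        ents = plistlib.loads(data)
    except (ValueError, ExpatError):  # unparseable output counts as a failure
        return False
    return isinstance(ents, dict) and ents.get(SANDBOX_KEY) is True

def unsandboxed(entitlements_by_path):
    """Paths whose entitlements would fail the rule 'all executables sandboxed'."""
    return sorted(p for p, raw in entitlements_by_path.items()
                  if not is_sandboxed(raw))

def _plist(entries):
    """Build a constructed entitlements plist from {key: bool}."""
    return plistlib.dumps(entries, fmt=plistlib.FMT_XML)

# Constructed sample: hypothetical bundle layout, not taken from the email.
MAIN = "Example.app/Contents/MacOS/Example"
HELPER = "Example.app/Contents/Library/LoginItems/Helper.app/Contents/MacOS/Helper"
TOOL = "Example.app/Contents/MacOS/tool"
SAMPLE = {
    MAIN: _plist({SANDBOX_KEY: True}),
    HELPER: b"",                          # helper signed with no entitlements
    TOOL: _plist({SANDBOX_KEY: False}),   # key present but disabled
}

if __name__ == "__main__":
    # On a Mac, replace SAMPLE with {p: read_entitlements(p) for p in paths}.
    for path in unsandboxed(SAMPLE):
        print("NOT SANDBOXED:", path)
```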