Merge pull request #24 from kdroidFilter/fix/sandboxed-dylibs-to-frameworks

kdroidFilter · web-flow · commit b18bbf51ed3f · 2026-02-18T14:14:07.000+02:00
fix(packaging): move sandboxed dylibs to Contents/Frameworks/
diff --git a/docs/sandboxing.md b/docs/sandboxing.md
@@ -34,7 +34,7 @@ When at least one store format is configured, Nucleus registers additional Gradl
 
 ### 1. Extract Native Libraries from JARs
 
-Sandboxed apps (especially macOS App Sandbox) cannot load unsigned native code extracted to temp directories at runtime. The plugin scans all dependency JARs for `.dylib`, `.jnilib`, `.so`, and `.dll` files and extracts them to the app's `resources/` directory.
+Sandboxed apps (especially macOS App Sandbox) cannot load unsigned native code extracted to temp directories at runtime. The plugin scans all dependency JARs for `.dylib`, `.jnilib`, `.so`, and `.dll` files and extracts them. On macOS, these are placed in the app's `Contents/Frameworks/` directory (Apple convention); on other platforms they go into the app's `resources/` directory.
 
 **Task:** `extractNativeLibsForSandboxing`
 
@@ -52,8 +52,18 @@ A separate `Sync` task merges the user's `appResources` with the extracted nativ
 
 ### 4. Inject Sandboxing JVM Arguments
 
-The sandboxed app-image is configured with JVM arguments that redirect native library loading to the pre-extracted resources directory:
+The sandboxed app-image is configured with JVM arguments that redirect native library loading to the pre-extracted location. On macOS, the path points to `Contents/Frameworks/` (`$APPDIR/../Frameworks`); on other platforms it points to `$APPDIR/resources`:
 
+**macOS:**
+```
+-Djava.library.path=$APPDIR/../Frameworks
+-Djna.nounpack=true
+-Djna.nosys=true
+-Djna.boot.library.path=$APPDIR/../Frameworks
+-Djna.library.path=$APPDIR/../Frameworks
+```
+
+**Windows / Linux:**
 ```
 -Djava.library.path=$APPDIR/resources
 -Djna.nounpack=true
@@ -64,13 +74,13 @@ The sandboxed app-image is configured with JVM arguments that redirect native li
 
 This ensures JNA/JNI libraries are loaded from signed, pre-extracted locations instead of being dynamically extracted to temp at runtime.
 
-### 5. Sign Native Libraries in Resources (macOS)
+### 5. Sign Native Libraries (macOS)
 
-On macOS, all `.dylib` files in the sandboxed app's `resources/` directory are individually code-signed so they pass Gatekeeper checks.
+On macOS, all `.dylib` files in the sandboxed app's `Contents/Frameworks/` directory are individually code-signed so they pass Gatekeeper checks.
 
 ### 6. Handle Skiko and icudtl.dat
 
-The Skiko library path is adjusted to point to `resources/` instead of the app root. The companion `icudtl.dat` file is copied alongside the Skiko native library.
+The Skiko library path is adjusted to point to `Contents/Frameworks/` (macOS) or `resources/` (other platforms) instead of the app root. The companion `icudtl.dat` file is placed alongside the Skiko native library.
 
 ## macOS App Sandbox
 
diff --git a/plugin-build/plugin/src/main/kotlin/io/github/kdroidfilter/nucleus/desktop/application/internal/configureJvmApplication.kt b/plugin-build/plugin/src/main/kotlin/io/github/kdroidfilter/nucleus/desktop/application/internal/configureJvmApplication.kt
@@ -586,7 +586,8 @@ private fun JvmApplicationContext.configurePackageTask(
                 args = args + "-splash:\$APPDIR/resources/$splash"
             }
             if (sandboxed) {
-                args = args + sandboxingJvmArgs("\$APPDIR/resources")
+                val nativeLibPath = if (currentOS == OS.MacOS) "\$APPDIR/../Frameworks" else "\$APPDIR/resources"
+                args = args + sandboxingJvmArgs(nativeLibPath)
             }
             args
         },
diff --git a/plugin-build/plugin/src/main/kotlin/io/github/kdroidfilter/nucleus/desktop/application/tasks/AbstractElectronBuilderPackageTask.kt b/plugin-build/plugin/src/main/kotlin/io/github/kdroidfilter/nucleus/desktop/application/tasks/AbstractElectronBuilderPackageTask.kt
@@ -523,10 +523,10 @@ abstract class AbstractElectronBuilderPackageTask
                 signer.sign(runtimeDir, runtimeEntitlements, forceEntitlements = true)
             }
 
-            // Re-sign native libs in resources directory (PKG is always sandboxed)
-            val resourcesDir = appDir.resolve("Contents/app/resources")
-            if (resourcesDir.exists()) {
-                resourcesDir.walk().forEach { file ->
+            // Re-sign native libs in Frameworks directory (PKG is always sandboxed)
+            val frameworksDir = appDir.resolve("Contents/Frameworks")
+            if (frameworksDir.exists()) {
+                frameworksDir.walk().forEach { file ->
                     val path = file.toPath()
                     if (path.isRegularFile(LinkOption.NOFOLLOW_LINKS) && file.name.isDylibPath) {
                         signer.sign(file, appEntitlements)
diff --git a/plugin-build/plugin/src/main/kotlin/io/github/kdroidfilter/nucleus/desktop/application/tasks/AbstractJPackageTask.kt b/plugin-build/plugin/src/main/kotlin/io/github/kdroidfilter/nucleus/desktop/application/tasks/AbstractJPackageTask.kt
@@ -75,6 +75,7 @@ import java.io.File
 import java.io.ObjectInputStream
 import java.io.ObjectOutputStream
 import java.io.Serializable
+import java.nio.file.Files
 import java.nio.file.LinkOption
 import java.util.ArrayList
 import java.util.Calendar
@@ -373,7 +374,12 @@ abstract class AbstractJPackageTask
                 launcherJvmArgs.orNull?.forEach {
                     javaOption(it)
                 }
-                val skikoPath = if (sandboxingEnabled.get()) appDir("resources") else appDir()
+                val skikoPath =
+                    when {
+                        sandboxingEnabled.get() && currentOS == OS.MacOS -> appDir("..", "Frameworks")
+                        sandboxingEnabled.get() -> appDir("resources")
+                        else -> appDir()
+                    }
                 javaOption("-D$SKIKO_LIBRARY_PATH=$skikoPath")
                 if (currentOS == OS.MacOS) {
                     macDockName.orNull?.let { dockName ->
@@ -588,18 +594,8 @@ abstract class AbstractJPackageTask
                 }
             }
 
-            // When sandboxing is enabled, also sign native libs in the resources directory
-            // so they pass Gatekeeper checks in sandboxed App Store apps.
             if (sandboxingEnabled.get()) {
-                val resourcesDir = appDir.resolve("Contents/app/resources")
-                if (resourcesDir.exists()) {
-                    resourcesDir.walk().forEach { file ->
-                        val path = file.toPath()
-                        if (path.isRegularFile(LinkOption.NOFOLLOW_LINKS) && file.name.isDylibPath) {
-                            macSigner.sign(file, appEntitlementsFile)
-                        }
-                    }
-                }
+                moveNativeLibsToFrameworks(appDir, macSigner, appEntitlementsFile)
             }
 
             macSigner.sign(runtimeDir, runtimeEntitlementsFile, forceEntitlements = true)
@@ -615,6 +611,46 @@ abstract class AbstractJPackageTask
             }
         }
 
+        /**
+         * Moves native libraries from `Contents/app/resources/` to `Contents/Frameworks/`
+         * (Apple convention for sandboxed apps) and signs them.
+         */
+        private fun moveNativeLibsToFrameworks(
+            appDir: File,
+            macSigner: MacSigner,
+            entitlementsFile: File?,
+        ) {
+            val resourcesDir = appDir.resolve("Contents/app/resources")
+            val frameworksDir = appDir.resolve("Contents/Frameworks")
+            if (resourcesDir.exists()) {
+                frameworksDir.mkdirs()
+                resourcesDir.walk().forEach { file ->
+                    if (file == resourcesDir) return@forEach
+                    if (file.isDirectory) return@forEach
+                    if (file.name.isDylibPath || file.name == "icudtl.dat") {
+                        val target = frameworksDir.resolve(file.relativeTo(resourcesDir).path)
+                        target.parentFile.mkdirs()
+                        Files.move(file.toPath(), target.toPath())
+                    }
+                }
+                // Clean up empty directories left in resources/
+                resourcesDir
+                    .walk()
+                    .sortedDescending()
+                    .filter { it.isDirectory && it != resourcesDir && it.listFiles()?.isEmpty() == true }
+                    .forEach { it.delete() }
+            }
+            // Sign native libs in Frameworks/
+            if (frameworksDir.exists()) {
+                frameworksDir.walk().forEach { file ->
+                    val path = file.toPath()
+                    if (path.isRegularFile(LinkOption.NOFOLLOW_LINKS) && file.name.isDylibPath) {
+                        macSigner.sign(file, entitlementsFile)
+                    }
+                }
+            }
+        }
+
         override fun initState() {
             jvmRuntimeInfo = JvmRuntimeProperties.readFromFile(javaRuntimePropertiesFile.ioFile)
 

Original file line number	Diff line number	Diff line change
`@@ -586,7 +586,8 @@ private fun JvmApplicationContext.configurePackageTask(`
`586`	`586`	`args = args + "-splash:\$APPDIR/resources/$splash"`
`587`	`587`	`}`
`588`	`588`	`if (sandboxed) {`
`589`		`- args = args + sandboxingJvmArgs("\$APPDIR/resources")`
	`589`	`+ val nativeLibPath = if (currentOS == OS.MacOS) "\$APPDIR/../Frameworks" else "\$APPDIR/resources"`
	`590`	`+ args = args + sandboxingJvmArgs(nativeLibPath)`
`590`	`591`	`}`
`591`	`592`	`args`
`592`	`593`	`},`