Split entitlements files into child and parent, and try using them both

install/build_osx.sh

@@ -23,9 +23,12 @@ if [ "$1" = "--release" ]; then
   PKG_PATH="$ROOT/dist/OnionShare.pkg"
   IDENTITY_NAME_APPLICATION="Developer ID Application: Micah Lee"
   IDENTITY_NAME_INSTALLER="Developer ID Installer: Micah Lee"
+  ENTITLEMENTS_CHILD_PATH="$ROOT/install/macos_sandbox/child.plist"
+  ENTITLEMENTS_PARENT_PATH="$ROOT/install/macos_sandbox/parent.plist"
 
   echo "Codesigning the app bundle"
-  codesign --deep -s "$IDENTITY_NAME_APPLICATION" "$APP_PATH" --entitlements "$ROOT/install/OnionShare.entitlements"
+  codesign --deep -s "$IDENTITY_NAME_APPLICATION" -f --entitlements "$ENTITLEMENTS_CHILD_PATH" "$APP_PATH"
+  codesign -s "$IDENTITY_NAME_APPLICATION" -f --entitlements "$ENTITLEMENTS_PARENT_PATH" "$APP_PATH"
 
   echo "Creating an installer"
   productbuild --sign "$IDENTITY_NAME_INSTALLER" --component "$APP_PATH" /Applications "$PKG_PATH"

install/macos_sandbox/child.plist

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+	<key>com.apple.security.inherit</key>
+  <true/>
+</dict>
+</plist>

install/macos_sandbox/parent.plist

@@ -4,10 +4,10 @@
 <dict>
 	<key>com.apple.security.app-sandbox</key>
 	<true/>
-	<key>com.apple.security.files.user-selected.read-only</key>
-	<true/>
 	<key>com.apple.security.network.client</key>
 	<true/>
+	<key>com.apple.security.files.user-selected.read-only</key>
+	<true/>
 	<key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
 	<array>
     <string>/OnionShare</string>