Are you kidding me?

Where Gamecraft has been recently.

As regular readers will have noticed, this blog has spent a little time offline, and even more time without new content, although even occasional browsers will see that it now has an exciting new look.

In the past two months, we have had crashes of our most important Mac OS X, Linux, and Windows systems (in that order).  These were significant setbacks in and of themselves, but when a microISV is producing at full speed, and roadblocks are encountered, something has to give.  In this case, this Gamecraft blog was one of the casualties.

The initial Mac OS X issue was a terminal hardware failure of the primary development system, but it was compounded into a major problem by Apple’s ill-advised deprecation policy, since no new replacement hardware would run the version of Xcode and build tools we use to support all of our Mac customers.  (Say what you want about Microsoft, but they treat developers way better than Apple.)  We finally resolved the development issues by obtaining and installing old server versions of OS X in Parallels, but we are still screwed out of being able to properly test under Lion, Snow Leopard, or Leopard without buying old used equipment.  [insert appropriate expletives here]

The Linux (Ubuntu) issue was a bootstrap failure on our web server caused by a power outage during a major upgrade (and assisted by the new procedure of displaying update text and requiring user input to continue, without which the window of “opportunity” would have been much smaller).  Once it became clear that there was not going to be any reasonable way to recover/continue, it was not too bad rebuilding the system, and a little bit (including the entire database for this site) survived intact without requiring restoration.  Unfortunately, the server configuration (i.e., the hard part) was not fully recoverable, so that took some time to get working (and is still not completely to my liking).

The Windows issue stemmed from a (poorly timed) decision to upgrade my primarily development system to Windows 7 prior to public release of Windows 8 (a.k.a., Windows Ugh).  I almost always do clean installations, rather than upgrades, for my Windows systems, but the above issues suggested to me that I should do a 32-bit upgrade to minimize the disruption.  What I did not know is that in the interest of “security”, Win7 no longer supports the domain controller we have been using internally for many years, so the upgrade could not sign in, so it could/would not access the user information for my account, so the Start menu, registry, and other user-specific settings were all gone.  Result: All of the program files were installed, but the products ranged from working if manually launched to completely unusable.

After all of this, as a side note, everybody in the office experienced a tenacious respiratory illness that interfered with productivity as well.  (I would draw a parallel, except that only in the physical world was a virus involved.)

So, at present, all of our systems are back in working order.  We used the opportunity to improve our Mac OS X development process, including the introduction of code signing to support Gatekeeper, and the builds are running on a faster machine (which almost counterbalances the slower virtualized system).  Likewise, we ended up maxing out the Windows system memory and installing Windows 7 (64-bit) from scratch, giving better performance all around (except for the few old 16-bit tools I still used, which no longer run).  For the web, we decided to build a better blog (first) and then devote appropriate attention to our other sites, which, frankly, had been mostly neglected.

In the meantime, of course, we have remained steadily engaged in development, producing several new game versions and upgrades, as well as progress on a few new products, so expect a number of announcements (many after the fact) soon.

In the future, we will be utilizing the new and newly rebuilt development systems to full capacity, producing new and updated products for a multitude of different platforms, including (primarily) iOS, Windows, and Mac OS X.  Our new web sites will (also) be announced here as they are published, and we have plans to begin publishing game reviews for both Indie and AAA titles.

Please be sure to subscribe to our feed.  Thanks!

ISVCon 2012: Success!

This conference reboot was the best in years.

You shoulda been there!

We have returned safely from ISVCon 2012, which was presented last week in Reno, Nevada [USA] with a mixture of physical exhaustion and mental exhilaration, as is often the case with great conferences.  ISVCon was a relaunch of the old Software Industry Conference, and the consensus was that this was the most beneficial event in several years.  The content was geared towards microISVs (Independent Software Vendors), software companies with just a few people (often, only one person), and the networking/socializing was with others who are facing the same challenges (as well as those who provide services to help).

 The main question: Why were you not there?

 

Before our departure for Reno, I added the Twitter box [edit: formerly] on the right of this blog, and I was “live tweeting” as much as possible throughout the conference, as well as during our journey (and quasi-vacation).  If you follow my personal account at @GreggSeelhoff, you can still see the updates, as well as more going forward.

In the coming days, I will review the highlights of the conference, and I have it on good authority that the Association of Software Professionals (new conference owners) will be making some or all of the session videos publicly available for viewing.

Prior to all that, however, I must give a HUGE shout out to Susan Pichotta of Alta Web Works, who deserves most of the credit for bringing this fantastic 3.0 version of the long-running conference together, and without whom ISVCon would never have happened.  Plans are already in the works for next year, and I really look forward to being there in 2013.

URGENT: ISVCon 2012 is almost here!

Register NOW and save with our discount code.

ISVCon.orgISVCon 2012 takes place July 13-15, which is only a couple weeks (!) away.  ISVCon is the spiritual successor to (or, in entertainment terms, reboot of) SIC, the Software Industry Conference, which I have attended numerous times, and which has always been a great investment.  This conference brings together scores of independent software publishers (or “vendors”, hence ISV) to discuss and learn about the industry  It is a unique opportunity to meet face-to-face with many other people who share similar business challenges; I now call lots of them “friends”.

ISVCon will be taking place in Reno, Nevada (USA) at the Atlantis Casino Resort.

Here is the catch: Time is running out!

Step 1: Register (at a discount)

First, register for ISVCon before the prices go up.  As an incentive, we at Digital Gamecraft can offer you this 10% discount code: “Gamecraft2012“.  Limited time only; prices increase July 1st.

Step 2: Get your hotel room (at a discount)

Next, make your hotel reservations now (using that link) to receive discount pricing and no resort fee.  Offer ends in only a couple of days!

Step 3: Attend ISVCon 2012

Join us in Reno for the conference.  We will be arriving before the Welcome Reception on Thursday evening, during which we will be able to have a drink or two, socialize with friends and colleagues (both long lost and brand new), and switch from travel mode into conference mode.

The conference sessions take place Friday, July 13, through Sunday, July 15, and specifics can be found on this complete conference schedule.  Note that the Friday sessions are Power Sessions, while the Saturday and Sunday sessions provide a couple of options for each timeslot.  There is so much content at ISVCon that we are sending most of the staff (okay, just two of us) to make sure that we can have full coverage of the relevant topics.  Additionally, the networking value and information exchange between (and sometimes during) sessions is possibly even more valuable than the speakers.

That said, let me draw your attention particularly to Paradise Room A on Saturday from 1:45pm to 2:45pm, for my presentation, Quality Assurance for Small Software Publishers, and on Sunday from 9:00am to 10:00am, where I will serve on a panel of game developers for the session, How Games are Different.  The answer to your question is: I will be there and awake at 9am because, with the time difference, that will be noon back home.  (Also, I never work the B room.)

We will there at the conference through the After Hours MeetUp on Sunday evening, before beginning our (more) lengthy journey back to the office.  From experience, this will involve an odd mixture of being physically spent, but mentally energized, full of plans and ideas.  Honestly, attending ISVCon 2012 is probably one of the best ways to spend a few days improving your business; I strongly recommend it for any ISV.

Follow me on Twitter @GreggSeelhoff for live conference updates.  See you there!

Software Marketing 101

An outstanding resource to online marketing

logoI admit it: I am not the best at marketing.  This is why I am always looking for resources to help me learn more, get better, and ultimately sell more software.  On my system, I keep a large list of bookmarks to pages I need to read, and the ‘marketing’ folder includes, literally, scores of links to pages from DP Directory.

If you, like me, can use all of the marketing resources you can find, you will find their encyclopaedic Software Marketing Glossary very useful.  [In fact, I recently created a new ‘Resources’ category for it, on your right, beneath the blogroll.]  However, there are also more than one hundred articles about online marketing on the site as well.  Specifically for game publishers, they also provide a game press release writing and submission service (which has been used in the past for some of our games, and will be again).

DP Directory is a small company run by Al Harberg, who has decades of experience in the field and provides personal service to clients.  I first interacted with Al through the Association of Software Professionals, where he often dispenses advice (freely) to other members, and I first met him in person at SIC (now ISVCon) 2000 in Tampa.  Interestingly, I recently stumbled across a DP Directory mailing (to our company) from the late 80s, which shows that Al is not new to this game.  He actually offers a service whereby you can Rent Al’s Brain and tap (almost) directly into his many years of expertise.

This week, Digital Gamecraft has begun realigning some internal responsibilities [see opening sentence], and our prospective Director of Marketing/Business Development will be starting her transition by reading the DP Directory website, plus a couple of marketing books originally recommended by Al Harberg.  I am very hopeful…

Pretty Good Solitaire Mac Edition 2.34

A free update is now available.

This week, Goodsol Development released Pretty Good Solitaire Mac Edition 2.34, a maintenance update that fixes a few bugs (introduced by yours truly) in the previous release version.  This is a free update for any customers who have purchased the downloadable version of Pretty Good Solitaire Mac Edition (ever).  [This version is functionally equivalent to PGSME 2.33 from the Mac App Store.]

As a refresher, PGSME is a Solitaire program for Mac containing 350 different games, plus 50 bonus games, with over 2 billion deals of each.  It runs on Mac OS X 10.4 (Tiger) and higher, including both Intel and PPC systems.  You can download a trial version, and you can purchase a copy for only $24.95 US.

This is the latest product in a long series of upcoming game releases from Goodsol.  Next up:  Look for an upgrade to Action Solitaire (free to anyone purchasing the game between now and then).

 

Pretty Good Solitaire 13.2

Goodsol’s flagship Windows game gets even bigger.

PGS 13.2 for WindowsThis week, Goodsol Development released Pretty Good Solitaire 13.2, the leading Solitaire program for Windows.  This new version now includes 780 (!) different Solitaire games, including all of your favorites, such as Klondike (a.k.a., “Solitaire“), FreeCell, and Spider, as well as many games not available anywhere else.

Pretty Good Solitaire 13.2 is available for download here, and it is a free upgrade for any customers who have purchased since version 12 (i.e., in the last 4 or 5 years).

The 10 new games in this update are:

  • Alloway Kirk
  • Five Pirates
  • Kettle Hill
  • McCarver
  • Open Peek
  • Pyramid Rank
  • Richard’s Patience
  • Undercover Aces Easy
  • Weddings
  • Yukon Two Suits

Aside from a little bit of play testing, I actually did no development work on this product; this is actually a triumph because our GDcard playing card library, which still runs the display of cards, symbols, and backgrounds, as well as the card animations, continues to work flawlessly.  Thomas Warfield (Goodsol) did all of the development work for this update.

Of course, now that Thomas has added yet another 10 games to the Windows version, it is now time for me to retaliate on Mac OS X, so look for a Pretty Good Solitaire Mac Edition update, with 400 games, coming soon to an internet near you!

Where the Macgic Happens

A cozy Mac OS X and iOS development corner

I thought I should give readers a little glimpse behind the curtain here at Digital Gamecraft, so here is a picture of my personal Apple technology desk on one of those unusual days during which a full complement of devices have gathered.  Usually, most of the mobile devices live in other places, but they occasionally come together for an ultra-local technology conference.  (In this case, they were all anxiously anticipating new provisioning profiles after the previous batch had expired.)
This desk in the corner of the office is used for the bulk of primary development and debugging for Mac OS X and iOS products.

Here you see a simple key to the components of this image.  First, the parts labeled in red are the development components:

  1. MacBook Pro (“late 2007”), 17-inch 2.4GHz, running Mac OS X 10.4 (Tiger) through Mac OS X 10.7 (Lion), and soon the developer preview of 10.8 (Mountain Lion), with the help of an external FireWire hard drive, mostly hidden from view by the next item.
  2. iPad (original) 16G running iOS 3.2, the minimum iPad platform supported by our products.
  3. iPod touch (2nd generation) 8G, running iOS 4.2.1, sans (unsupported) multitasking.
  4. iPhone 4 with 32G, running iOS 4.2.6, with multitasking, GPS, camera, and (most importantly) a Retina display.
  5. iPad 2 (Wi-Fi + 3G) with 64G, running iOS 4.3.5, named “Rabbit”.
  6. Mac Mini PPC running Mac OS X 10.4 (Tiger), the minimum Mac OS X platform supported by our software.
  7. Mag Innovision widescreen monitor with dual inputs, running natively at 1680 x 1050, acting as an external display for both Mac systems.
  8. Microsoft Mouse attached via Apple keyboard.  After a year of trying to keep this desk Apple-only, I had to surrender to the fact that Microsoft is just far better at making mouses.
  9. Herman Miller Aeron chair, brand new, also known as my horizontal trans-workstation transport device (for quickly moving between this workspace and my Windows workspace).  After breaking chairs every 2-3 years, the 12-year warranty actually made this purchase seem much more reasonable.

The components labeled in green in the key are fundamental to productivity, though not directly part of the development process:

  1. Head, the head head.  Head is responsible for employee morale, and keeping his minions in line.  (“I am so important that my minions have minions.”)
  2. Minions.  These (4) heads each have individual names, and they keep things lively by moving around the desk, often at night, very unlike their larger relatives.  You’ve heard of “talking heads”?  These are not those.
  3. Pioneer stereo receiver, practically an antique, from the days where radio was broadcast through the air.  This magic box plays news from NPR as well as classic rock and blues (and, previously, jazz), and special shows are regularly recorded digitally for later/repeat listening.  [Not shown: separate cassette player/recorder and turntable components.]

That is a small look at one corner of my office, which serves as an important piece of our development effort.  With this range of equipment, we can develop and test products for the last 4 major versions of Mac OS X, on both Intel and PPC hardware, as well as on versions of iOS since the iPad was introduced, with at least one device with each technology.  (Of course, things change again on Friday with the availability of “The new iPad” and its large 2048×1536 Retina display.)

Note that the view just to the left of this picture is out a window into a small courtyard where birds and squirrels (black, brown, and red), as well as our cats, frolic during the day.  At night, you can hear the raccoons and opossums wandering through and, alas, smell the occasional skunk.

Perhaps, if you are all good girls and boys, I may later show you the desk at which I am currently writing this…

MAS Preparation, Part 6

App Sandboxing implementation

In the previous installment of Preparing for Mac App Store Submission, I discussed the reasons and methods for implementating Mac App Store receipt validation within your project.  At this point in the series, you may have already completed all of the currently necessary and recommended changes for converting your Mac OS X game, available for direct download, into an application suitable for the Mac App Store (MAS); you may have even submitted it already.

This final part is a discussion of the latest imposition by Apple, a technology known as application sandboxing, which was introduced with Mac OS X 10.7 Lion.  The general concept of sandboxing is that an application simply runs in its is own “sandbox”, unable to do anything outside its own little piece of the file system, except in specific cases, for which it must have entitlements.  The idea is that a compromised program (via malware or bad programming) is limited in the amount of system damage that can be done.  This is the way that all iOS applications work, and this is, in fact, just a transference of that approach to OS X.  The problem, of course, is that desktop systems are (and should be) different than tablets and phones, so certain types of programs are left out, including those which interact with other programs, such as those which provide ease of access to people who need assistance using computers.  (This is a very poorly considered decision on Apple’s part.)

Frankly, the main reason that you need to understand application sandboxing is that, as of June 1, 2012, all new applications and significant updates submitted to the Mac App Store are required to be sandboxed.  (This deadline was recently pushed back from the original date of March 1 in light of a considerable number of issues that Apple is still having with their implementation.)  If you already have a MAS application (or submit one before the deadline), you will be allowed to apply bug fixes without adding sandboxing, but otherwise, you will need to have sandboxing implemented.  (At least, that is what they are saying right now.)

0. Understand sandboxing

The first step is to understand application sandboxing and the implications of using it for your game.  The definitive documentation for Apple’s implementation of this technology is App Sandbox Design Guide, which is recommended reading.

Essentially, by default, your application is contained entirely within its own (read-only) bundle and a directory named by your bundle identifier (e.g., ‘com.goodsol.com/PrettyGoodSolitaire’) under the ‘~/Library/Containers’ folder.  An internal technology called Powerbox regulates (reads: mostly disallows) any access outside these two folders.  Most access to hardware features and user information is also disallowed without a specific entitlement.

If your game is entirely self-contained, then sandboxing may not present much of a problem.  If you use certain technologies, such as submitting high scores to a web site via the Internet, then you will have to enable appropriate entitlements.  If you have more involved interactions, especially involving other applications (or helpers), you may be forced to redesign/eliminate those features, or else give up on sandboxing (and, hence, the Mac App Store).  Whatever the situation, you will need to determine how this requirement will affect your application.

In our case, we lost the capability to load custom card sets, since the default operation (in the downloadable version) is to read installed files from the ‘Application Support’ folder, though that was not a huge blow since MAS already killed the idea of downloading improvements to the game.  The other feature that is gone is the ability to explicitly load and save games (for now) because the current version of our games are still built with Carbon, which cannot navigate the sandbox/Powerbox.  (Our primary save game feature, AutoSave, still works perfectly fine.)

1. Identify possible sandboxing issues

The next step is to identify possible issues with sandboxing your application, so let’s look at three different categories of features…

What you CAN do:
  • You may read files from your application bundle, as usual.  (Bundles should always be considered read-only, so your code should never attempt to write here.)
  • You may read and write files within your sandbox folders; this process is transparent provided you are using system calls to obtain the correct user folders (and you should never hard-code folder paths, anyway).
  • You may update your application preferences (.plist) using a standard API.
  • You may provide a simple link to a web page; this is allowed by default entitlements (i.e., not considered an outbound connection).
What you CANNOT do:
  • You may not read from nor write to most locations outside your sandbox, including the user desktop and document folders, without the user explicitly selecting the location (and the appropriate entitlement set).
  • You may not use any Carbon navigation dialogs, nor any Cocoa navigation dialogs other than NSOpenPanel and NSSavePanel, and you may not simulate user input to those panels.
  • You may not use “incompatible” functions, including those included in the Authorization Services and Accessibility APIs.
  • You may not send Apple events to arbitrary applications, nor broadcast user-info dictionaries.
  • You may not load any kernel extensions.
  • You may not alter preferences of other applications, nor terminate other applications, including helper applications.
  • You may not sign future updates with a different certificate than the original; doing so will cause Mac OS X to deliberately crash the program.
What requires an entitlement:
  • You need an entitlement to allow outbound network sockets (i.e., for sending information to the internet, operating as a client).
  • You need an entitlement to allow inbound network connections (i.e., for acting as a server).
  • You need an entitlement to allow read or write access to folders or files selected explicitly by the user (via NSOpenPanel/NSSavePanel).
  • You need entitlements to access the user’s ‘Movies’, ‘Music’, and ‘Pictures’ folders.
  • You need entitlements to access camera, microphone, or Bluetooth devices.
  • You need entitlements to access serial, USB, or FireWire ports.
  • You need an entitlement to allow printing.
  • You need entitlements to access the user’s address book or calendars.
  • You need an entitlement to allow the use of Core Location for determining geographical location.

 

After perusing the notes above, write down a list of features that may (or should) fall afoul of application sandboxing and be sure to test each of these features to confirm that they are working prior to enabling sandboxing entitlements.

2. Enable default entitlements

The next step is to enable the default entitlements for sandboxing; essentially, this disables all restricted access types, which allows us to verify which features of the game really need entitlements, and which work without modification.

To do this in Xcode 4.2.1 (under Lion) is fairly simple: Just open the ‘Summary’ tab for your target settings, scroll down to the ‘Entitlements’ section, and check the ‘Enable Entitlements’ (top) checkbox, and then confirm that the ‘Enable App Sandboxing’ checkbox is also selected.  If you are not already using iCloud in your project, then you should make sure that the ‘iCloud Key-Value Store’ is unchecked and cleared, and that that ‘iCloud Containers’ table is empty.

What the first checkbox actually does is create an entitlements file, a property list with the root name from ‘Entitlements File’ (defaults to the project name) and ‘.entitlements’ as the extension (e.g., ‘Pretty Good Solitaire.entitlements’), and it adds that file to your project.  The other (app sandboxing) checkbox automatically adds the ‘com.apple.security.app-sandbox‘ key to the entitlements file, which sets the default/maximum restrictions.

In order to build with application sandboxing enabled, you must be code signing the project.  Clearly this is already the case for projects being submitted to the Mac App Store.  However, if you are only testing and/or do not have an appropriate certificate (such as in our case where, as a contractor, I do not have access to the distribution certificate), you can follow the instructions in the ‘Create a Code Signing Certificate for Testing‘ section of the App Sandbox Quick Start[Editor: Sorry for no direct link, but section links on that page are fuzzled.]  The next section, ‘Specify the Code Signing Identity’, explains how to make the new certificate work with your project.

3. Verify access failures

Your next step is to verify access failures with application sandboxing enabled in the project.  To do this, start by launching the Console utility (from ‘Utilities’) and clearing its display.  This will show log entries to confirm a service denied by sandboxing.

Now, work through the list of suspect features that you created earlier and retest every one of those features with the new signed/sandboxed build.  Failures are, of course, expected, and for every failure there should be a log entry in Console from “sandboxd” and usually containing the text “deny” and an indication of the restricted service.

Note each confirmed failure, and determine which (if any) of the entitlements listed on the target ‘Summary’ page is likely to resolve the issue.  Do not make any changes to the entitlements until all of the suspect features are tested and notated.  A complete list of available entitlements can be found on the Enabling App Sandbox page of the Entitlement Key Reference.  (Note that some entitlements may not be listed on the ‘Summary’ page, requiring direct editing of the entitlements property file.)

If there are any features that are confirmed to fail only under sandboxing and for which there is not an appropriate entitlement, you may want to check the App Sandbox Temporary Exception Entitlements page for a solution that, as the name suggests, may work for the time being, but will probably not be available in the future.  If none of the entitlements nor temporary exceptions will resolve the problem, then you may need to redesign or remove that feature and/or lobby Apple to add an entitlement for the particular action you are attempting.

4. Add necessary entitlements

The next step is adding the necessary entitlements to the project, which should be done as an iterative process.  For each entitlement that you anticipate requiring, enable that entitlement, rebuild the project, then test every feature that is confirmed to have failed with sandboxing previously, noting each one that now functions correctly.

The general idea is that one should minimize the number of entitlements included (requested?) in a sandboxed application.  If you add an entitlement that does not actually help any of your features function, then you should immediately remove that entitlement.  Using excessive entitlements, in addition to reducing the (dubious) security, is a potential cause for rejection from the Mac App Store.  (In other words, simply checking all of the boxes may work in testing, but not for MAS submission.)

When you have completed this process, you should have a reasonably small number of entitlement keys (perhaps even zero) enabled, and all of the features of your program should be functioning properly.  It is always a good idea to double-check all of the identified features, as well as do some additional testing, once the “final” list of entitlements is enabled.  If you still have features that do not work under sandboxing (only), and have no appropriate entitlements, then you may have a decision to make.

In our case, we only had to add the ‘com.apple.security.network.client’ entitlement key, in order to perform submissions to our online high score server, but then we had to make the hard decision to lose the ‘Open…’ and ‘Save…’ features from our store version (for reasons stated previously).

5. Create file migration rules

The penultimate step in the process is creating file migration rules which is simply a property information file that is used only once (on a system) to indicate which existing files should be moved (not copied) into the sandbox.  If you have a new project, without existing users, then you have the luxury of skipping the final two steps.

The rest of us need to create a new property list, named (exactly) “container-migration.plist“, and add it to the project.  This file contains a dictionary key, ‘Move‘, which contains string keys indicating the names of folders and/or individual files to be moved into the equivalent location within the sandbox (or array pairs of strings if you wanted to both move files into the sandbox and relocate them within the relative folder hierarchy, though I cannot think of a good reason why you would).

The specific documentation for the (simple) format of this migration file is in Migrating an App to a Sandbox (which read).  The relevant portion of our migration file is as follows:

<dict>
    <key>Move</key>
    <array>
        <string>${Library}/Pretty Good Solitaire</string>
    </array>
</dict>

This is all it takes to move the entire (unsandboxed) ‘~/Library/Pretty Good Solitaire’ folder into the equivalent sandboxed folder (the unwieldy ‘~/Library/Containers/com.goodsol.PrettyGoodSolitaire/Data/Library/Pretty Good Solitaire’).

Important: Note that the files are moved to the sandbox; they are not copied (and there is no documented process to only copy them).  The ramifications of this are that existing users switching to a sandboxed version will automatically have their files and settings moved for them, but those files and settings will no longer be available to any unsandboxed versions, nor to any other application that may have been accessing these files.

6. Test file migration

The final step is to test the file migration process to assure that your migration file works correctly.

On a system on which you have unsandboxed data for the application in question, manually duplicate the folder and/or files (in ‘Finder’), giving you a backup for additional testing (especially important should the migration fail).  Confirm that the sandbox container folder (i.e., ‘~/Library/Containers/<bundle_id>’) does not exist (and delete it and empty the trash if it does).

Build the application with sandboxing enabled and with the ‘container-migration.plist’ file included in the project.  Run the application.  A container folder should have been created and the specified files/folders moved into appropriate locations within the container’s ‘Data’ folder.

If you need to retest (or if you decide against sandboxing entirely), you can completely delete the container folder for your application (‘<bundle_id>’ and below, not the ‘Containers’ folder) and copy the duplicated data back to its original location.

Conclusion

Following the above process to enable application sandboxing in your game, after having updated your project based on the previous five parts, you should be completely ready to submit to the Mac App Store.  Go for it!  Just keep in mind that the process changes, reviewers vary, and if your project is accepted on its first submission, you are very lucky.  However, if you use the available tools to check your code and your project build, and follow the guidelines in this series of posts, your path should be smoother.

I sincerely hope that you have enjoyed, or at least benefited from, all of these posts.  Comments are definitely appreciated, as are links to this blog, good word of mouth, and US currency in both large and small denominations.

MAS Preparation, Part 5

Mac App Store receipt validation

In the last installment of Preparing for Mac App Store Submission, I discussed the (general) source code modifications that you may need to make in order to convert your downloadable Mac OS X project into one acceptable for the Mac App Store (MAS).

Now, in this fifth part, I will talk about a more specific addition to your source code, functionality for checking the presence and validity of a MAS receipt file.  While this change is not required, and would not cause your submission to be rejected, it is strongly recommend for reasons detailed below.  In fact, we will start there…

0. Consider the reason for receipt validation

Before implementation, it is good to understand, in general terms, the purpose of receipt validation.

When somebody “purchases” an application from the Mac App Store, a receipt file is added to the downloaded bundle authenticating it; this includes free products as well.  However, the level of checking provided by the system itself is minimal.  Soon after the MAS launch, it was discovered that there was a fairly simply method [details deliberately omitted] by which even a simple-minded software thief could circumvent the very basic protections and run stolen MAS applications.

The solution, of course, is to verify the validity of the software receipt for your application, which helps prevent “script kiddies” from easily stealing and distributing your products.  Of course, it is never quite as simple as that, especially since code signatures and encryption are inherently complex, and the program needs to validate a receipt file that has not been created yet (making this code rather tricky to test).

Keep in mind that this validation process is optional, so you can choose not to do it all, to fully validate the receipt file, or to implement only partial checks; the choice is up to you.

The official Apple documentation for this process is in Validating Mac App Store Receipts.

1. Obtain a sample receipt for testing

As mentioned above, your first challenge is that the receipt checking code needs to be able to validate a receipt file from a purchase that is to be made in the future.  To do this, you may want to get a sample receipt for testing.

This used to be fairly easy, as Apple provided a sample receipt, along with the associated validation data, to Mac developers.  Unfortunately, recently (as in, since this series began), the certification signature on the original sample receipt expired and, instead of providing a newer one, Apple has decided to remove the sample receipt entirely in favor of connecting to the iTunes servers to obtain one directly.  Whatever.

Now, the process involves getting the application to initially quit with an exit code of 173, which indicates a failed verification, which is supposed to trigger iTunes to prompt you for your (test) account credentials and then download a valid receipt and insert it into the application bundle, as described in Test During the Development Process.  In practice, this definitively does not work all of the time during development, and the prerequisites are not clear.

What is clear is that the application needs to be signed before Mac OS X (version 10.6.6 or higher) will request iTunes credentials, and that they need to be for a test account.  However, any old test account will apparently not do, and a failure to produce and/or download a receipt displays no error message (just no receipt and only a vague “returnCode:1” in the console).  It appears to be that the application needs to already be in iTunes Connect and that the test account must be associated with that application via the master company account.  Unfortunately, for the moment, this remains as an exercise for the reader.

Another (unproven) approach could be simply borrowing a receipt from any purchased application from the Mac App Store.  You will need to know the exact bundle identifier (fairly easy), version number (also easy), and computer GUID (not quite as easy), but you could use such a receipt exactly like the sample receipt previously provided by Apple.

Important: Do NOT include any receipt files in your project.  Receipts are specific to the application, version, and system, and they are generated and added by the Mac App Store/iTunes; including a receipt in your submission bundle will result in summary rejection of the application.

2. Locate the receipt file

The first step to take in your source code is to locate the receipt file for checking.  In the release version, intended for distribution, the location of the receipt is always within your application bundle at ‘Contents/_MASReceipt/receipt‘.

If you decide to use a sample receipt for testing, you will probably want to define its (different) location, the parameters expected from the sample receipt, and a definition to use for conditional compilation.  In our case, the debug versions define USE_SAMPLE_RECEIPT and the other values (from the old sample receipt) like so:

#ifdef APPSTORE
    #define RECEIPT         "Contents/_MASReceipt/receipt"

    #ifdef _DEBUG
        #define USE_SAMPLE_RECEIPT
    #endif

    #ifdef USE_SAMPLE_RECEIPT
        #define SAMPLE_RECEIPT  "/Users/Gregg/Desktop/receipt"
        #define SAMPLE_BUNDLE   "com.example.SampleApp"
        #define SAMPLE_VERSION  "1.0.2"
        #define SAMPLE_GUID     { 0x00, 0x17, 0xF2, 0xC4, 0xBC, 0xC0 }
    #endif
#endif

Note that we explicitly define different path variables (RECEIPT versus SAMPLE_RECEIPT) and only define the sample parameters when USE_SAMPLE_RECEIPT is defined.  This is additional protection against accidentally using a property intended only for testing in release code.  For the same reasons, we also include this check in the code before the main loop:

#ifndef _DEBUG
#ifdef USE_SAMPLE_RECEIPT
    ErrorMessage ( "Warning!  Sample receipt is being checked in release version." );
#endif
#endif

So, our first verification function is GetReceipt(), which returns the path of the (untouched) receipt file.  The routine obtains the path to the bundle and then generates the path directly to the receipt for later verification, adjusted appropriately if USE_SAMPLE_RECEIPT is defined.  Additionally, just for another sanity check, it also verifies that the actual bundle identifier and short version string match definitions within the code (so we can safely use the definitions later).

3. Check the signature

The next step in validating a receipt is to check the signature to verify that it is properly signed by Apple.  Sample code for doing this (as well as the next two steps) can be found in the Implementation Tips section of the Validating Mac App Store Receipts document, as well as via a nice web search.

Our second verification function is CheckSignature(), which returns a PKCS7* data pointer (and is essentially a fleshed out version of Listing 1-4 in the section linked above).  It opens the receipt file, validates the data types, adds the “Apple Root CA” certificate, and verifies the receipt signature (via PKCS7_verify), then cleans up everything except the receipt pointer, which is returned for use in the next function.

At this point, you know that the receipt file exists, it contains data, and its signature is valid.

4. Verify the receipt contents

The next step is validating a receipt is to verify the receipt contents and confirm that the receipt is intended for your application and the current version number.  The document referenced above gives more details about implementation, but the process is essentially stepping through the objects in the receipt and processing each one appropriately.

There are four types of objects within each receipt that are relevant to the validation process: bundle identifier, bundle version, opaque value, and hash.  In this step, you want to verify that the bundle identifier and bundle version match the hard-coded definitions for your project.  Note that matching against values retrieved from the bundle is not as safe, since the ‘Info.plist’ file could potentially be modified to match an invalid receipt.  Also, you will want to store the bundle identifier, opaque value, and hash object values for checking during the next step.

Our third verification function is VerifyData(), which accepts the PKCS7* data pointer returned by the previous function.  It loops through the objects in the receipt and processes them appropriately, failing if either bundle identifier or bundle version do not match our hard-coded values (IDENTIFIER and VERSION, or SAMPLE_BUNDLE/SAMPLE_VERSION), or if either of these objects is missing from the receipt.  Additionally, it saves the objects necessary for the next step.

At this point, you know that the receipt is intended specifically for the current version of your application.

5. Verify the system hash

The next (and, perhaps, final) step in validating a receipt is to verify the system hash to confirm that the receipt is intended for the particular system on which it is being launched.  This step prevents the outright copying of entire application bundles from one system to another.  Of course, on failure, users are presented with the opportunity to enter their iTunes account information to obtain a valid receipt automatically, so legitimate customers are protected.

The general process for this step involves two parts: obtaining the computer’s GUID and then computing the hash of the GUID, which is then compared to the hash value stored in the last step.  The sample code in the Apple documentation referenced above describes both steps sufficiently (in listings 1-3 and 1-7, respectively).

Our fourth verification function is VerifySystem(), which calls a CopyMacAddress() function to perform the first part of the process, then uses that information to check the system hash.  More specifically, the GUID returned is added to a digest, along with the opaque value and the bundle identifier, and an expected hash is calculated.  The routine verifies that the computed hash length is the same as that of hash and then checks that the contents are identical.

At this point in the process, you now know (to a reasonable degree) that the receipt file exists and is completely valid for that system running the current version of your application.

6. Take extra validation steps

If you are particularly concerned (or paranoid), you can take extra validation steps, such as verifying the certification authorities, double-checking the bundle signature, or (apparently) even sending a receipt back to the App Store for verification.  You can also take steps to obfuscate your code and make it harder for crackers to find and modify the application to circumvent your checks, and Apple provides some suggestions.

However, just taking the general steps documented here will probably eliminate 99% of the problem, and with robust coding, error checking, and testing, theft of the Mac App Store version of your game should be minimal.  (In fact, you will likely lose significantly more money to downward pricing pressures than to piracy, but that is another topic altogether…)

Conclusion

With the addition of receipt validation checking to your project source code, your application should not be subject to simple receipt spoofing, once accepted into the Mac App Store.  In the next (final) installment, Part 6: App Sandboxing implementation, I will discuss the process of preparing for and implementing application sandboxing, as required for the Mac App Store by June 1, 2012 (recently pushed back from March 1st).