Applescript to save mail attachments failing in Mountain Lion

Hey Pict,

This may be a few days too late, but I recently upgraded to Mountain Lion and found that my old applescripts that automatically download mail attachments don't work anymore. I would highly suggest putting a dialog in that last try/catch block, it might give you some more info. Here's my own script for reference:

-----------------------------------------------------------

using terms from application "Mail"

on perform mail action with messagesmatching_messages

set report_type to "throughput"

set folder_path to "Macintosh HD:Users:rguerra:code:Rice_WiFi_Data:automatic_reports:" & report_type

set file_path to (folder_path & ":")

tell application "Mail"

set the num_messages to the count of matching_messages

--display dialog "0. Found " & num_messages & " messages!"

repeat with i from 1 to the num_messages

set this_message to (itemi of matching_messages)

tell this_message

--display dialog "1. Processing \"" & (subject of this_message) & "\" which has " & (count of mail attachments of this_message) & " attachment(s)."

repeat with z from 1 to the (count of mail attachments of this_message)

set theAttachment to itemz of (mail attachments of this_message)

--display dialog "2. Got attachment " & (name of theAttachment)

with timeout of 10 seconds

set myname to do shell script "whoami"

display dialog "3.Trying to save " & (name of theAttachment) & " to the path " & (file_path & (name of theAttachment) as string) & " as user " & myname

try

savetheAttachmentin (file_path & name of theAttachment)

on error number errNum

display dialog "ERROR: problem saving file, ernum: " & errNum

error number -128 --User Ended error; this should stop script execution

end try

end timeout

end repeat

end tell

end repeat

end tell

end perform mail action with messages

end using terms from

-----------------------------------------------------------

Anyway, when this automatically triggers in Mail, the other dialogs execute just fine with the expected results. The final error dialog informs me that the attachment save failed with an error code -10000.

I've been researching this problem and it appears to be something with the sandboxd that other people have run into but there isn't a good solution for it yet. The following is the output of my system.log as shown in the console.app (just type "console" into Spotlight to launch the application).

Jul 30 11:24:21 Ryans-MacBook-Air.local Mail[13362]: An exception was thrown during execution of an NSScriptCommand...

Jul 30 11:24:21 Ryans-MacBook-Air kernel[0]: Sandbox: sandboxd(13571) deny mach-lookup com.apple.coresymbolicationd

Jul 30 11:24:23 Ryans-MacBook-Air.local sandboxd[13571] ([13362]): Mail(13362) deny file-write-create /Users/rguerra/code/Rice_WiFi_Data/automatic_reports/throughput/Client_Traffic_ 20120730_094501_442.csv

Clearly, there is a problem with the file permissions for the Mail application. I'm still trying to work out the rules for sandboxing since I don't know precisely what I'm allowed to do.

Does anyone have any more information about where you are allowed to write files from a sandboxed application in OS X 10.8 (Mountain Lion)? More specifically, how one can script such a task?

A brief update... I found a good discussion of the new sandbox restrictions here:

http://www.macworld.com/article/1165641/how_increased_mac_security_measures_will _impact_applescript.html

http://developer.apple.com/library/ios/#DOCUMENTATION/Miscellaneous/Reference/En titlementKeyReference/Chapters/AboutEntitlements.html

That explains why I had to place my old scripts in a new location (I honestly thought this was a Mail idiosyncracy instead of a new OS idiosyncracy). It also explains why our save paths are not allowed--the Mail application has not been "entitled" to save files where we want to place them.

For my application, I don't care where the files end up--I can always make an alias to that location. I just need them to be downloaded automatically. The next step will be to see what Mail is actually entitled to do. :/

Well, I'm halfway there. The following is an XML list of the "entitlements" that Mail.app has. You can see that even Apple has their "hack" with temporary entitlements in there. Nice, Apple.

Now I just gotta figure out what on earth any of these actually DO.

Ryans-MacBook-Air:~ rguerra$ codesign -d --entitlements - /Applications/Mail.app/

Executable=/Applications/Mail.app/Contents/MacOS/Mail

??qq ?<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>com.apple.developer.ubiquity-container-identifiers</key>

<array>

<string>com.apple.mail</string>

</array>

<key>com.apple.developer.ubiquity-kvstore-identifier</key>

<string>com.apple.mail</string>

<key>com.apple.private.ubiquity-additional-kvstore-identifiers</key>

<array>

<string>com.apple.mail.recents</string>

<string>com.apple.mail.vipsenders</string>

</array>

<key>com.apple.private.dark-wake-push</key>

<true/>

<key>com.apple.private.dark-wake-network-reachability</key>

<true/>

<key>com.apple.private.aps-connection-initiate</key>

<true/>

<key>com.apple.security.app-sandbox</key>

<true/>

<key>com.apple.security.files.user-selected.read-write</key>

<true/>

<key>com.apple.security.print</key>

<true/>

<key>com.apple.security.network.client</key>

<true/>

<key>com.apple.security.personal-information.addressbook</key>

<true/>

<key>com.apple.security.personal-information.calendars</key>

<true/>

<key>com.apple.security.files.downloads.read-write</key>

<true/>

<key>com.apple.security.temporary-exception.mach-lookup.global-name</key>

<array>

<string>com.apple.imagent.desktop.Launched</string>

<string>com.apple.imagent.desktop.auth</string>

<string>com.apple.syncservices.SyncServer</string>

<string>com.apple.pubsub.ipc</string>

<string>com.apple.SystemConfiguration.PPPController</string>

<string>com.apple.icbaccountsd</string>

<string>com.apple.mtmd.xpc</string>

<string>com.apple.accountsd.accountmanager</string>

<string>com.apple.familycontrols</string>

</array>

<key>com.apple.security.temporary-exception.sbpl</key>

<string>(allow mach-lookup (global-name-regex #&quot;^[0-9]+$&quot;))</string>

<key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>

<array>

<string>/Library/Images/People/</string>

<string>/AppleInternal/Library/Mail/</string>

<string>/Network/Library/Mail/</string>

<string>/Network/Library/Images/People/</string>

</array>

<key>com.apple.security.temporary-exception.files.home-relative-path.read-write </key>

<array>

<string>/Library/Mail/</string>

<string>/Library/Application Support/iCloud/Accounts/</string>

<string>/Library/Application Support/SyncServices/</string>

</array>

<key>com.apple.private.tcc.allow</key>

<array>

<string>kTCCServiceAddressBook</string>

</array>

</dict>

</plist>

Solved!

Apparently the line with:

<true/>

<key>com.apple.security.files.downloads.read-write</key>

<true/>

...allows Mail.app to read/write to your Downloads folder! I tried it out and it's all working now. For reference, my save path is now the following:

set report_type to "throughput"

set folder_path to "Macintosh HD:Users:rguerra:Downloads:automatic_reports:" & report_type

set file_path to (folder_path & ":")

Thanks for the original email! It definitely got me thinking along this line. Whew.

For the record, a list of all the various entitlements and what they mean can be found here:

http://developer.apple.com/library/ios/documentation/Miscellaneous/Reference/Ent itlementKeyReference/EntitlementKeyReference.pdf

OK, I seem to missing something here. I've got the same problem as you've described but it does not appear as though my script is even running anymore. I changed my script (located in com.apple.mail) to save to the Downloads folder instead of the folder I had been using and it still didn't work. I then threw a Display Dialog at the beginning of the script and the dialog doesn't even pop up. Any ideas?

Not off the top of my head, but do you see any errors in Console.app? What is your script? Can you run it by itself? Are you sure your mail filter is actually triggering? (i.e. try adding the behavior to add a color or move your triggering email, and then run it--does it actually happen?)

I got it working. I compared my script to yours and it appears I was using some syntax or commands that are no longer valid (e.g. I had "on perform_mail_action(theData)" instead of "on perform mail action with messages matching_messages"). I changed my script to match yours and it is working again.

*dork high-five!*

This is great. Thank you for researching it. Where do I find the xml file?

Run the following command in your terminal:

codesign -d --entitlements - /Applications/Mail.app/

I assume you can put in the path to any application and it'll spit out the XML-encoded entitlements for that application. Rean the man page of codesign for more info--perhaps you can make sense of it--this is all a bit outside my specialty.

see I found the info.plist and opened it with bbedit, copied and pasted your post <dict> to </dict> and it gave me an error. should I just copy and paste this? WHere does it belong to then? I appreciate your help.

<true/>

<key>com.apple.security.files.downloads.read-write</key>

<true/>

I don't think you can just add entitlements on the fly, as it were. If you were able to, then applications could just overwrite their entitlements and do anything they wanted. I think those abilities are set when the application is compiled and submitted to the App Store.

The only reason why we were able to do anything was because Mail.app already had the required entitlement to read/write to the ~/Downloads folder, we just didn't know it at the start.

I see, so the only difference with the old (snow leopard) version is the

--set attachmentsFolder to ((path to home folder as text) & "Documents:Symbolic") as text was my old one

set attachmentsFolder to "Macintosh HD:Users:jbublik:Downloads:Symbolic:" is my new one.

I tried - it still doesn't work. Why my scripts won't work? I am really puzzled