From 3690bfecb09deb5f069f26d9ff44be94cdbf79ed Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@tailscale.com>
Date: Thu, 6 Jan 2022 07:43:24 -0800
Subject: [PATCH] ipn/ipnlocal: fix cert fetching on macOS GUI platforms

And clarify the directory they get written to when under the sandbox.

Fixes #3667

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
---
 cmd/tailscale/cli/cert.go | 2 +-
 ipn/ipnlocal/local.go     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/cmd/tailscale/cli/cert.go b/cmd/tailscale/cli/cert.go
index fa2a3e4fb..1cb7d3ba4 100644
--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -108,7 +108,7 @@ func runCert(ctx context.Context, args []string) error {
 		if version.IsMacSysExt() {
 			dir = "io.tailscale.ipn.macsys"
 		}
-		printf("Warning: the macOS CLI runs in a sandbox; this binary's filesystem writes go to $HOME/Library/Containers/%s\n", dir)
+		printf("Warning: the macOS CLI runs in a sandbox; this binary's filesystem writes go to $HOME/Library/Containers/%s/Data\n", dir)
 	}
 	if certArgs.certFile != "" {
 		certChanged, err := writeIfChanged(certArgs.certFile, certPEM, 0644)
diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index d858c5982..7c9db799a 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -2121,7 +2121,7 @@ func (b *LocalBackend) TailscaleVarRoot() string {
 		return b.varRoot
 	}
 	switch runtime.GOOS {
-	case "ios", "android":
+	case "ios", "android", "darwin":
 		dir, _ := paths.AppSharedDir.Load().(string)
 		return dir
 	}