QtWebEngine signing issues
For some reason I have recently started having issues with the QtWebEngine. It seems to not be loading. I am a little confused because I didn't change Xcode or the Qt version; I'm not sure why the issue started now. However, I have tracked it down to my signing step. If I build the application and test the .app on another system it works fine. As soon as I sign the .app, the QtWebEngine stops loading. Here is the command I am using.
sudo codesign --deep --force --verify --verbose --sign "Developer ID Application: ***" --options runtime Output/MyApp.app
I have been around the block and back with this now. This seems to be related to enabling hardened runtime. I'm not publishing to the Mac Store, but I was using the new process of notarizing the application so I had to enable this. I have found a lot of info of similar situations.
I have tried pretty much everything and it still breaks when I enable the hardened runtime. I can get it to run fine using the steps in the first article but then if I go back and sign the QtWebEngineProcess.app with hardened runtime enabled I see the following error.
ERROR:mach_port_broker.mm(43)] bootstrap_look_up: Permission denied (1100)
From the articles I believed this was from the BaseBundleID method not being set, but I did that.
I feel like I'm close, but also running in circles. If anyone has any tips on what I might still be doing wrong it would be appreciated.
With a little more work on it tonight I can get the main application signed with hardened runtime enabled and it still works. As soon as I sign the QtWebEngineProcess with hardened runtime enabled it quits working. At this point it seems to be crashing.
SEGV_MAPERR 000000000010 [0x000105ed6f56] [0x7fff69dddb5d] [0x00010d091fe0] [0x00010784c761] [0x0001078484ba] [0x00010784827e] [0x000107bc38b9] [0x00010795c58b] [0x000107bcc4d4] [0x00010748b1d1] [0x000107451d54] [0x0001088659c3] [0x00010886660d] [0x00010885ec4f] [0x0001087dbf0b] [0x00010840ff1e] [0x00010840e52c] [0x00010840dcb4] [0x00010840d6cc] [0x000108440246] [0x000105e75328] [0x000105e74436] [0x0001052e6e76] [0x00010529ff54] [0x7fff69bf83d5] [end of stack trace]
I found a solution to this issue after much trial and error. I am fairly certain this will need to be done for anyone who is attempting to notarize a macOS application using the QtWebEngine. Hopefully this will save someone some time in the future.
The solution for me was to sign the QtWebEngineProcess with the com.apple.security.cs.disable-executable-page-protection exception. Here is the process.
Sign the main application with the following command
sudo codesign --deep --force --verify --verbose --sign "Developer ID Application: ***" --options runtime MyApp.app
Create an entitlements file for the QtWebEngineProcess
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
</dict>
</plist>
Sign the QtWebEngineProcess with the following command
sudo codesign --force --verify --verbose --sign "Developer ID Application: ***" --entitlements QtWebEngineProcess.entitlements --options runtime MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess
Sign the main executable with the following command
sudo codesign --force --verify --verbose --sign "Developer ID Application: ***" --options runtime Output/MyApp.app/Contents/MacOS/MyApp
After following these steps I am able to successfully notarize the application.
Edit: Added more details
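An added example, not part of the original post: a post-signing check that the page-protection exception from the steps above is present on QtWebEngineProcess and absent from the main executable. The function names and sample bundles are constructed; the script assumes you supply each binary's entitlements as plist bytes (for instance from a codesign -d --entitlements dump), with empty bytes meaning the binary was signed without an entitlements file.

```python
import plistlib

# Entitlement key and helper path are taken from the post; everything else
# (function names, sample bundles) is constructed for this example.
PAGE_PROTECTION = "com.apple.security.cs.disable-executable-page-protection"
HELPER = ("MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Helpers/"
          "QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess")
MAIN = "MyApp.app/Contents/MacOS/MyApp"
# Policy: which hardened-runtime exceptions each binary is expected to carry.
EXPECTED = {HELPER: {PAGE_PROTECTION}, MAIN: set()}
PREFIX = "com.apple.security.cs."


def runtime_exceptions(raw):
    """Return the com.apple.security.cs.* keys set to true in a plist dump."""
    if not raw.strip():
        return set()  # signed without an entitlements file
    entitlements = plistlib.loads(raw)
    return {k for k, v in entitlements.items()
            if k.startswith(PREFIX) and v is True}


def audit(dumps):
    """dumps maps binary path -> entitlements plist bytes. Returns findings."""
    findings = []
    for path in sorted(EXPECTED):
        found = runtime_exceptions(dumps.get(path, b""))
        for key in sorted(found - EXPECTED[path]):
            findings.append((path, key, "unexpected"))
        for key in sorted(EXPECTED[path] - found):
            findings.append((path, key, "missing"))
    return findings


# Constructed samples: the layout the post ends with, and two ways to miss it.
HELPER_PLIST = plistlib.dumps({PAGE_PROTECTION: True})
AS_POSTED = {MAIN: b"", HELPER: HELPER_PLIST}
TOO_BROAD = {MAIN: HELPER_PLIST, HELPER: HELPER_PLIST}
HELPER_BARE = {MAIN: b"", HELPER: b""}

if __name__ == "__main__":
    for name, sample in [("as posted", AS_POSTED), ("too broad", TOO_BROAD),
                         ("helper bare", HELPER_BARE)]:
        print(name, audit(sample) or "ok")
```

A "missing" finding on the helper corresponds to the state in which the post reports QtWebEngine failing; an "unexpected" finding means the exception has spread beyond the one binary that needs it.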