
QtWebEngine signing issues



  • For some reason I have recently started having issues with the QtWebEngine. It seems to not be loading. I am a little confused because I didn't change Xcode or the Qt version, so I'm not sure why the issue started now. However, I have tracked it down to my signing step. If I build the application and test the .app on another system it works fine. As soon as I sign the .app, the QtWebEngine stops loading. Here is the command I am using.

    sudo codesign --deep --force --verify --verbose --sign "Developer ID Application: ***" --options runtime Output/MyApp.app
    


  • I have been around the block and back with this now. This seems to be related to enabling hardened runtime. I'm not publishing to the Mac Store, but I was using the new process of notarizing the application so I had to enable this. I have found a lot of info on similar situations.

    https://mediaarea.net/blog/2018/02/14/QtWebEngine-MacAppStore
    https://forum.qt.io/topic/78518/sandbox-app-for-the-mac-app-store-with-qt-5-8-and-qtwebengineprocess/13
    https://lists.qt-project.org/pipermail/development/2017-May/029881.html

    I have tried pretty much everything and it still breaks when I enable the hardened runtime. I can get it to run fine using the steps in the first article but then if I go back and sign the QtWebEngineProcess.app with hardened runtime enabled I see the following error.

    ERROR:mach_port_broker.mm(43)] bootstrap_look_up: Permission denied (1100)

    From the articles I believed this was from the BaseBundleID method not being set, but I did that.

    I feel like I'm close, but also running in circles. If anyone has any tips on what I might still be doing wrong it would be appreciated.



  • With a little more work on it tonight I can get the main application signed with hardened runtime enabled and it still works. As soon as I sign the QtWebEngineProcess with hardened runtime enabled it quits working. At this point it seems to be crashing.

    SEGV_MAPERR 000000000010
    


  • I found a solution to this issue after much trial and error. I am fairly certain this will need to be done for anyone who is attempting to notarize a macOS application using the QtWebEngine. Hopefully this will save someone some time in the future.

    The solution for me was to sign the QtWebEngineProcess with the com.apple.security.cs.disable-executable-page-protection exception. Here is the process.

    Sign the main application with the following command

    sudo codesign --deep --force --verify --verbose --sign "Developer ID Application: ***" --options runtime MyApp.app
    

    Create an entitlements file for the QtWebEngineProcess

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.security.cs.disable-executable-page-protection</key>
        <true/>
    </dict>
    </plist>
    

    Sign the QtWebEngineProcess with the following command

    sudo codesign --force --verify --verbose --sign "Developer ID Application: ***" --entitlements QtWebEngineProcess.entitlements --options runtime MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess
    

    Sign the main executable with the following command

    sudo codesign --force --verify --verbose --sign "Developer ID Application: ***" --options runtime Output/MyApp.app/Contents/MacOS/MyApp
    

    After following these steps I am able to successfully notarize the application.

    Edit: Added more details



  • @krobinson thank you so much for taking the time to share your solution, this saved me a lot of headaches. I knew I'd probably need to add some entitlements to WebEngine, but I had no idea what.



  • @krobinson thank you so much for this!



  • I tried what is suggested in this topic, but it didn't help - QtWebEngineProcess still crashes. I created another topic: https://forum.qt.io/topic/106949/qtwebengine-signing-issues



  • @krobinson a HUGE thank you from me also. I would never have figured this out.

    BTW My procedure is slightly different. I

    • run macdeployqt
    • sign the .app with the hardened runtime and with the deep option
    • use your entitlements step (above) with force to replace the signing just on QtWebEngineProcess
    • notarize the .app,
    • put the .app in a DMG,
    • sign the DMG with the hardened runtime, then
    • notarize the DMG.

    Everything works! Thanks again.



  • @krobinson Thank you, Sir! Apple really likes to make devs' lives harder every day.



  • It doesn't work for me, console output is: code object is not signed at all
    In subcomponent: Myapp/Contents/PlugIns/mediaservice/libqavfmediaplayer.dylib.
    But when I try to sign with -deep, it crashes again.



  • Hi,

    and thanks, this post helped me a lot. From a technical point of view:

    Reading this, Apple says 'The system causes an app that attempts to directly modify
    sections of its own executable files on disk to forcefully exit.'

    What kind of technique or practice is it, that makes
    qtwebengine run into Apple's executable memory protection issues?
    Is it possible to nail this down on a certain piece of code?

    Addressing this issue, has this code changed from Qt 5.9 to 5.12?

    Thanks,
    -Markus



  • Create an entitlements file for the QtWebEngineProcess
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    </dict>
    </plist>

    Sign the QtWebEngineProcess with the following command
    sudo codesign --force --verify --verbose --sign "Developer ID Application: ***" --entitlements QtWebEngineProcess.entitlements --options runtime MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess

    Where exactly does one "Create an entitlements file for the QtWebEngineProcess"?

    Can this process be done once or must it be done each time you create a build or run MacDeployQt?

    Can the QtWebEngineProcess.entitlements file be added to the QtWebEngineCore.framework ?

    If so, where does it go exactly?

    Should it be in the Helpers folder? Inside the QtWebEngineProcess app.bundle?

    If in the QtWebEngineProcess app.bundle, what folder? In Contents where the Info.plist is? In Resources?

    Why can't the ..<key>com.apple.security.cs.disable-executable-page-protection</key>..be added directly to the QtWebEngineProcess plist file?



  • Not working for me. 5.12.5 & 5.12.8

    As soon as I sign QtWebEngineProcess with "runtime" option and entitlements QtWebEngineProcess crashes.

    I even listed all available entitlements - but no difference.

    Cannot test with 5.14.x because of bug: https://bugreports.qt.io/browse/QTBUG-75262



  • @mjsmithers said in QtWebEngine signing issues:

    @krobinson a HUGE thank you from me also. I would never have figured this out.

    BTW My procedure is slightly different. I

    • run macdeployqt
    • sign the .app with the hardened runtime and with the deep option
    • use your entitlements step (above) with force to replace the signing just on QtWebEngineProcess
    • notarize the .app,
    • put the .app in a DMG,
    • sign the DMG with the hardened runtime, then
    • notarize the DMG.

    Everything works! Thanks again.

    Thanks! This worked for me with a slight modification. The first time I tried it there was an error on the entitlement signing step because of a path problem.

    sudo codesign --force --verify --verbose --sign "Developer ID Application: ***" --entitlements QtWebEngineProcess.entitlements --options runtime MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess
    

    The actual path to the QtWebEngineProcess after MacDeployQt is :

    MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app/Contents/MacOS/
    

    discovered when doing a "GetInfo" on the QtWebEngineProcess executable. Not sure why the "/Versions/5/" is not visible in Finder but is on the GetInfo, and maybe it will change with different versions of MacDeployQt or OSX..IDK.

    FWIW..The codesign line is less cluttered by doing a "cd" to the folder with the executable and entitlement files..

    cd '/pathto/MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app/Contents/MacOS/'
    sudo codesign --force --verify --verbose --sign "Developer ID Application: ***" --entitlements QtWebEngineProcess.entitlements --options runtime QtWebEngineProcess
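
Added example, not part of any post in this thread: a shell sketch of the helper re-signing step that finds QtWebEngineProcess with or without the `Versions/5` path component and lists the entitlements a signed binary carries, so the exception can be confirmed on the helper only. The function names, the `resign.sh` script name and the `DRY_RUN` switch are assumptions; the codesign signing options are the ones used in the posts above, and `codesign -d --entitlements :-` is used to display entitlements.

```shell
#!/bin/sh
# Added example, not from the thread. Bundle path and signing identity come from
# the caller; DRY_RUN=1 prints the codesign command instead of running it.
EXCEPTION_KEY="com.apple.security.cs.disable-executable-page-protection"

# Find the helper executable whether or not the framework has Versions/5.
# find does not follow the framework's symlinks, so the real path is returned.
find_webengine_helper() {
    find "$1/Contents/Frameworks/QtWebEngineCore.framework" -type f \
        -path '*/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess' \
        2>/dev/null | sort | head -n 1
}

# Write the entitlements plist from the thread to the file named in $1.
write_entitlements() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>$EXCEPTION_KEY</key>
    <true/>
</dict>
</plist>
EOF
}

# Read an entitlements plist on stdin and print every key set to <true/>.
# Works on both multi-line and single-line XML.
enabled_entitlements() {
    tr -d ' \t\n' | awk '{
        n = split($0, part, "<key>")
        for (i = 2; i <= n; i++)
            if (part[i] ~ /^[^<]*<\/key><true\/>/) { sub(/<.*/, "", part[i]); print part[i] }
    }'
}

# Re-sign only the helper: $1 bundle, $2 identity, $3 entitlements file.
resign_helper() {
    helper=$(find_webengine_helper "$1")
    [ -n "$helper" ] || { echo "QtWebEngineProcess not found in $1" >&2; return 1; }
    ${DRY_RUN:+echo} codesign --force --verbose --sign "$2" \
        --entitlements "$3" --options runtime "$helper"
}

if [ "$#" -ge 2 ]; then   # usage: sh resign.sh MyApp.app "Developer ID Application: ..."
    write_entitlements QtWebEngineProcess.entitlements
    resign_helper "$1" "$2" QtWebEngineProcess.entitlements || exit 1
    codesign -d --entitlements :- "$(find_webengine_helper "$1")" | enabled_entitlements
fi
```

Piping the main executable's `codesign -d --entitlements :-` output through `enabled_entitlements` as well shows whether the exception was applied more widely than the helper.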
    


  • Here are my steps:

    ~/Qt5.10.1/5.10.1/clang_64/bin/macdeployqt my.app -dmg

    sudo codesign --deep -f -v -s "Developer ID Application: XXX" -o runtime my.app

    sudo codesign -f -v -s "Developer ID Application: XXX" --entitlements QtWebEngineProcess.entitlements -o runtime my.app/Contents/Frameworks/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess

    use DropDMG to create my.dmg

    sudo codesign -f -v -s "Developer ID Application: XXX" -o runtime my.dmg

    xcrun altool --notarize-app -t osx -f my.dmg --primary-bundle-id "XXX" --username "XXX" --password "XXX"

    xcrun altool --notarization-info "RequestUUID" -u "XXX" -p "XXX"

    xcrun stapler staple my.dmg

    The entitlements file is the same as above; works fine on macOS 10.15.3.

