QtWebEngine signing issues

  • For some reason I have recently started having issues with the QtWebEngine. It seems to not be loading. I am a little confused because I didn't change Xcode or the Qt version, and I'm not sure why the issue started now. However, I have tracked it down to my signing step. If I build the application and test the .app on another system it works fine. As soon as I sign the .app, the QtWebEngine stops loading. Here is the command I am using.

    sudo codesign --deep --force --verify --verbose --sign "Developer ID Application: ***" --options runtime Output/MyApp.app

  • I have been around the block and back with this now. This seems to be related to enabling hardened runtime. I'm not publishing to the Mac Store, but I was using the new process of notarizing the application so I had to enable this. I have found a lot of info of similar situations.


    I have tried pretty much everything and it still breaks when I enable the hardened runtime. I can get it to run fine using the steps in the first article but then if I go back and sign the QtWebEngineProcess.app with hardened runtime enabled I see the following error.

    ERROR:mach_port_broker.mm(43)] bootstrap_look_up: Permission denied (1100)

    From the articles I believed this was from the BaseBundleID method not being set, but I did that.

    I feel like I'm close, but also running in circles. If anyone has any tips on what I might still be doing wrong it would be appreciated.

  • With a little more work on it tonight I can get the main application signed with hardened runtime enabled and it still works. As soon as I sign the QtWebEngineProcess with hardened runtime enabled it quits working. At this point it seems to be crashing.

    SEGV_MAPERR 000000000010
    [end of stack trace]

  • I found a solution to this issue after much trial and error. I am fairly certain this will need to be done for anyone who is attempting to notarize a macOS application using the QtWebEngine. Hopefully this will save someone some time in the future.

    The solution for me was to sign the QtWebEngineProcess with the com.apple.security.cs.disable-executable-page-protection exception. Here is the process.

    Sign the main application with the following command

    sudo codesign --deep --force --verify --verbose --sign "Developer ID Application: ***" --options runtime MyApp.app

    Create an entitlements file for the QtWebEngineProcess

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.security.cs.disable-executable-page-protection</key><true/>
    </dict></plist>

    Sign the QtWebEngineProcess with the following command

    sudo codesign --force --verify --verbose --sign "Developer ID Application: ***" --entitlements QtWebEngineProcess.entitlements --options runtime MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess

    Sign the main executable with the following command

    sudo codesign --force --verify --verbose --sign "Developer ID Application: ***" --options runtime Output/MyApp.app/Contents/MacOS/MyApp

    After following these steps I am able to successfully notarize the application.

    Edit: Added more details
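
A check for the procedure in the post above, added here as an example (it is not code from the thread or from Qt): it confirms that the hardened runtime is on for both binaries and that the `disable-executable-page-protection` exception sits on QtWebEngineProcess only. The function names and the assumption that the main executable is named after the bundle belong to this example, and the sample `codesign` output in the script is constructed.

```shell
#!/bin/sh
# Added example: audit the result of the signing procedure described above.
ENT="com.apple.security.cs.disable-executable-page-protection"

# stdin: text printed by `codesign -dv <binary> 2>&1`
has_runtime() {
  grep -Eq 'flags=0x[0-9a-fA-F]+\(([^)]*,)?runtime(,[^)]*)?\)'
}

# stdin: entitlements plist XML; whitespace is dropped so <key>/<true/> may span lines
has_exception() {
  tr -d ' \t\r\n' | grep -Fq "<key>$ENT</key><true/>"
}

# $1 = helper|main, $2 = `codesign -dv` text, $3 = entitlements XML (may be empty)
check_binary() {
  printf '%s\n' "$2" | has_runtime || { echo "no-hardened-runtime"; return 1; }
  if printf '%s\n' "$3" | has_exception; then
    [ "$1" = helper ] || { echo "exception-on-main"; return 1; }
  else
    [ "$1" = main ] || { echo "helper-missing-exception"; return 1; }
  fi
  echo "ok"
}

# $1 = path to the signed .app (macOS only; assumes the main executable is named after the bundle)
audit_app() {
  helper="$1/Contents/Frameworks/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess"
  main="$1/Contents/MacOS/$(basename "$1" .app)"
  rc=0
  for role in helper main; do
    if [ "$role" = helper ]; then bin=$helper; else bin=$main; fi
    dv=$(codesign -dv "$bin" 2>&1)
    # ':-' writes the entitlements as XML to stdout; newer codesign warns about it on stderr
    ent=$(codesign -d --entitlements :- "$bin" 2>/dev/null)
    printf '%s: ' "$role"
    check_binary "$role" "$dv" "$ent" || rc=1
  done
  return $rc
}

if [ "$#" -gt 0 ] && command -v codesign >/dev/null 2>&1; then
  audit_app "$1"
else
  # Constructed sample of `codesign -dv` output, so the check also runs off macOS
  check_binary main 'CodeDirectory v=20500 size=512 flags=0x10000(runtime) hashes=9+5 location=embedded' ''
fi
```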

  • @krobinson thank you so much for taking the time to share your solution, this saved me a lot of headaches. I knew I'd probably need to add some entitlements to WebEngine, but I had no idea what.

  • @krobinson thank you so much for this!

  • I tried what is suggested in this topic, but it didn't help - QtWebEngineProcess still crashes. I created another topic: https://forum.qt.io/topic/106949/qtwebengine-signing-issues

  • @krobinson a HUGE thank you from me also. I would never have figured this out.

    BTW My procedure is slightly different. I

    • run macdeployqt
    • sign the .app with the hardened runtime and with the deep option
    • use your entitlements step (above) with force to replace the signing just on QtWebEngineProcess
    • notarize the .app,
    • put the .app in a DMG,
    • sign the DMG with the hardened runtime, then
    • notarize the DMG.

    Everything works! Thanks again.
