QtWebEngine signing issues



  • For some reason I have recently started having issues with the QtWebEngine. It seems to not be loading. I am a little confused because I didn't change Xcode or the Qt version, and I'm not sure why the issue started now. However, I have tracked it down to my signing step. If I build the application and test the .app on another system it works fine. As soon as I sign the .app, the QtWebEngine stops loading. Here is the command I am using.

    sudo codesign --deep --force --verify --verbose --sign "Developer ID Application: ***" --options runtime Output/MyApp.app
    


  • I have been around the block and back with this now. This seems to be related to enabling hardened runtime. I'm not publishing to the Mac Store, but I was using the new process of notarizing the application so I had to enable this. I have found a lot of info on similar situations.

    https://mediaarea.net/blog/2018/02/14/QtWebEngine-MacAppStore
    https://forum.qt.io/topic/78518/sandbox-app-for-the-mac-app-store-with-qt-5-8-and-qtwebengineprocess/13
    https://lists.qt-project.org/pipermail/development/2017-May/029881.html

    I have tried pretty much everything and it still breaks when I enable the hardened runtime. I can get it to run fine using the steps in the first article but then if I go back and sign the QtWebEngineProcess.app with hardened runtime enabled I see the following error.

    ERROR:mach_port_broker.mm(43)] bootstrap_look_up: Permission denied (1100)

    From the articles I believed this was from the BaseBundleID method not being set, but I did that.

    I feel like I'm close, but also running in circles. If anyone has any tips on what I might still be doing wrong it would be appreciated.



  • With a little more work on it tonight I can get the main application signed with hardened runtime enabled and it still works. As soon as I sign the QtWebEngineProcess with hardened runtime enabled it quits working. At this point it seems to be crashing.

    SEGV_MAPERR 000000000010
    [end of stack trace]
    


  • I found a solution to this issue after much trial and error. I am fairly certain this will need to be done for anyone who is attempting to notarize a macOS application using the QtWebEngine. Hopefully this will save someone some time in the future.

    The solution for me was to sign the QtWebEngineProcess with the com.apple.security.cs.disable-executable-page-protection exception. Here is the process.

    Sign the main application with the following command

    sudo codesign --deep --force --verify --verbose --sign "Developer ID Application: ***" --options runtime MyApp.app
    

    Create an entitlements file for the QtWebEngineProcess

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>com.apple.security.cs.disable-executable-page-protection</key>
        <true/>
    </dict>
    </plist>
    

    Sign the QtWebEngineProcess with the following command

    sudo codesign --force --verify --verbose --sign "Developer ID Application: ***" --entitlements QtWebEngineProcess.entitlements --options runtime MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess
    

    Sign the main executable with the following command

    sudo codesign --force --verify --verbose --sign "Developer ID Application: ***" --options runtime Output/MyApp.app/Contents/MacOS/MyApp
    

    After following these steps I am able to successfully notarize the application.

    Edit: Added more details
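
An added example, not part of the original posts: a Python check to run after the signing steps above, confirming that the hardened runtime exception ended up on the QtWebEngineProcess helper and nowhere else (for instance, that the helper did not lose it by being re-signed without the entitlements file). It assumes you have collected each binary's entitlements with `codesign -d --entitlements :- <binary>`; the function names and the allow-list are illustrative.

```python
import plistlib

# Input plists are what `codesign -d --entitlements :- <binary>` prints
# for each signed binary; an empty value means no entitlements.
CS_PREFIX = "com.apple.security.cs."  # hardened runtime exception keys

# Policy taken from the thread: only the helper carries the exception.
ALLOWED = {
    "QtWebEngineProcess": {
        "com.apple.security.cs.disable-executable-page-protection"},
}

# Constructed sample: the entitlements file shown in the thread.
HELPER_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
</dict>
</plist>
"""

def runtime_exceptions(plist_bytes):
    """Return the hardened runtime exception keys that are set to true."""
    blob = plist_bytes.strip()
    if not blob:
        return set()
    data = plistlib.loads(blob)
    return {k for k, v in data.items() if k.startswith(CS_PREFIX) and v is True}

def audit(bundle):
    """bundle maps binary path -> entitlements plist bytes; returns findings."""
    findings = []
    for path in sorted(bundle):
        name = path.rsplit("/", 1)[-1]
        allowed = ALLOWED.get(name, set())
        found = runtime_exceptions(bundle[path])
        findings += [(path, "unexpected", k) for k in sorted(found - allowed)]
        findings += [(path, "missing", k) for k in sorted(allowed - found)]
    return findings

if __name__ == "__main__":
    main_exe = "MyApp.app/Contents/MacOS/MyApp"
    helper = ("MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/"
              "Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess")
    print(audit({main_exe: b"", helper: HELPER_PLIST}))  # as signed in the thread
    print(audit({main_exe: HELPER_PLIST, helper: b""}))  # constructed bad case
```

An empty findings list means the bundle matches the layout described in the thread; any "unexpected" entry is an exception granted to a binary that was not meant to have one.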

