codesign - Unable to sign QtWebEngineProcess with --options runtime
-
wrote on 29 Oct 2023, 23:22 last edited by
I sign my app like this:
codesign --deep --force --verify --verbose --sign "CERTIFICATE" --entitlements ./QtWebEngineProcess.entitlements --options runtime ./MyApp.app
Inside /QtWebEngineProcess.entitlements I have:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
</dict>
</plist>
I execute the command with no errors. However, when I start my app, it looks like it can't properly load any web page. In the terminal I observe these warnings/errors:
[24413:11297630:20231030,010843.805451:WARNING in_range_cast.h:38] value -634136515 out of range
[24413:11297630:20231030,010843.813111:WARNING crash_report_exception_handler.cc:257] UniversalExceptionRaise: (os/kern) failure (5)
[24413:11297630:20231030,010843.933477:WARNING in_range_cast.h:38] value -634136515 out of range
[24413:11297630:20231030,010843.941292:WARNING crash_report_exception_handler.cc:257] UniversalExceptionRaise: (os/kern) failure (5)
[24413:11297630:20231030,010844.059220:WARNING in_range_cast.h:38] value -634136515 out of range
[24413:11297630:20231030,010844.066488:WARNING crash_report_exception_handler.cc:257] UniversalExceptionRaise: (os/kern) failure (5)
[24413:11297630:20231030,010844.180254:WARNING in_range_cast.h:38] value -634136515 out of range
[24413:11297630:20231030,010844.187770:WARNING crash_report_exception_handler.cc:257] UniversalExceptionRaise: (os/kern) failure (5)
[24413:11297630:20231030,010844.303606:WARNING in_range_cast.h:38] value -634136515 out of range
[24413:11297630:20231030,010844.311464:WARNING crash_report_exception_handler.cc:257] UniversalExceptionRaise: (os/kern) failure (5)
[24413:11297630:20231030,010844.427331:WARNING in_range_cast.h:38] value -634136515 out of range
[24413:11297630:20231030,010844.434919:WARNING crash_report_exception_handler.cc:257] UniversalExceptionRaise: (os/kern) failure (5)
[24413:11297630:20231030,010844.563522:WARNING in_range_cast.h:38] value -634136515 out of range
[24413:11297630:20231030,010844.571230:WARNING crash_report_exception_handler.cc:257] UniversalExceptionRaise: (os/kern) failure (5)
If I want my app to run and load web views/pages with no problems, I have to run this command:
codesign --force --verify --verbose --sign "CERTIFICATE" --entitlements ./QtWebEngineProcess.entitlements ./MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/A/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess
Basically removing --options runtime. However, if I do that, this leads to another issue when trying to notarise the app, which is expected:
{
  "severity": "error",
  "code": null,
  "path": "MyApp.zip/MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/A/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess",
  "message": "The executable does not have the hardened runtime enabled.",
  "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087724",
  "architecture": "x86_64"
},
That pretty much means that I have to have MyApp.zip/MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/A/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess signed with --options runtime, but if I do that I am unable to load any web pages in my Qt app.
Looks like a dead end. Has anyone solved this issue before, or can anyone give advice?
-
wrote on 31 Oct 2023, 21:45 last edited by
Can anyone please reply and help?
-
Hi @BeastBurst, and welcome!
Does it work if you use macdeployqt to do the signing? It can sign while enabling hardened-runtime and applying the appropriate entitlements:
macdeployqt ./simplebrowser.app -sign-for-notarization=<IDENTITY>
See https://doc.qt.io/qt-6/macos-deployment.html#the-mac-deployment-tool
-
wrote on 7 Dec 2023, 18:10 last edited by
I ran into this problem as well. The issue turned out to be that QtWebEngineProcess.app now needs additional entitlements. macdeployqt uses the following entitlements file instead:
QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/Resources/QtWebEngineProcess.entitlements
This requests some additional entitlements that are required:
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-jit</key>
<true/>
-
@Will-Stokes hi and welcome to devnet,
Thanks for sharing your findings!
Would you consider opening a ticket on the bug tracker to fix macdeployqt?
-
@Will-Stokes Welcome, and thanks again for sharing your findings!
@SGaist Nothing needs fixing here. The OP's entitlements weren't enough; Will found the correct entitlements that macdeployqt uses.
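A pre-signing check for the conclusion reached in this thread, as an added example that is not part of any poster's reply or of Qt's tooling: it parses an entitlements plist and reports which of the three keys quoted in the 7 Dec 2023 post are not granted. The function name and both sample plists are constructed here from the keys shown in the thread; the real helper entitlements file may contain more.

```python
import plistlib

# Hardened-runtime exception keys the 7 Dec 2023 post lists as required
# for QtWebEngineProcess.
REQUIRED_KEYS = (
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-jit",
)

PLIST_HEADER = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
    '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
)


def build_plist(keys):
    """Build a constructed sample entitlements plist granting each key."""
    body = "".join(f"  <key>{k}</key>\n  <true/>\n" for k in keys)
    xml = PLIST_HEADER + '<plist version="1.0">\n<dict>\n' + body + "</dict>\n</plist>\n"
    return xml.encode("utf-8")


# Constructed samples: the file from the first post, and a file holding
# the three keys quoted later in the thread.
ORIGINAL_POST = build_plist(["com.apple.security.cs.disable-executable-page-protection"])
HELPER_FILE = build_plist(REQUIRED_KEYS)


def audit_entitlements(plist_bytes):
    """Return (missing, extra) relative to REQUIRED_KEYS.

    Only keys whose value is boolean true count as granted; a key that is
    present but set to <false/> is reported as missing.
    """
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist must have a <dict> root")
    granted = {k for k, v in data.items() if v is True}
    missing = [k for k in REQUIRED_KEYS if k not in granted]
    extra = sorted(granted - set(REQUIRED_KEYS))
    return missing, extra


if __name__ == "__main__":
    for name, blob in (("original post", ORIGINAL_POST), ("helper file", HELPER_FILE)):
        missing, extra = audit_entitlements(blob)
        print(f"{name}: missing={missing} extra={extra}")
```
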