[Development] Getting QtWebEngineProcess.app to run in sandbox after being signed

Adalid Claure aclaure at gmail.com
Fri Apr 28 18:49:16 CEST 2017

I have a desktop app that I have been trying to get onto the Mac App store
but I have been having problems getting it to run in sandbox mode. For
context I am (preferably) using Qt 5.8 running on macOS 10.11.6.

The crux seems to be QtWebEngineProcess.app refuses to run after I codesign
the bundle. As a result, my QtWebEngine component doesn't load. I am using
this QtWebEngine component as part of my app's UI.

When the app starts I see the following errors in Console:

kernel[0]: Sandbox: QtWebEngineProce(20764) deny(1) mach-lookup
kernel[0]: Sandbox: QtWebEngineProce(20765) deny(1) mach-lookup
QtWebEngineProcess[20764]: [0427/071053:ERROR:mach_broker_mac.mm(52)]
bootstrap_look_up: Permission denied (1100)
QtWebEngineProcess[20765]: [0427/071053:ERROR:mach_broker_mac.mm(52)]
bootstrap_look_up: Permission denied (1100)
kernel[0]: Sandbox: QtWebEngineProce(20764) deny(1) forbidden-sandbox-reinit

My build process is pretty straight forward:

1. Run macdeployqt on the app, using the -appstore-compliant.
2. Sign all of the Qt Frameworks and PlugIns individually with my app's
entitlement file.
3. Sign QtWebEngineProcess.app with the following entitlements file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "
<plist version="1.0">

4. Call codesign on the overall MyProgram.app bundle with the entitlements
file from Step 2.

I have tried numerous things all in combination with one another, including:

a. built QtWebEngine using WEBENGINE_CONFIG+=use_appstore_compliant_code
(per the notes here: https://doc.qt.io/qt-5/qtwebengine-platform-notes.
b. use macdeployqt's -codesign, even though the binarys have to be signed a
second time after this in order to apply the entitlements
c. sign QtWebEngineProcess.app with CFBundleIdentifier equal to
'com.qt-project.Qt.QtWebEngineProcess' and with my own app's bundle ID.
d. tried linking with Qt 5.7
e. tried linking with Qt 5.6.2 which *did* run but then gets rejected by
Apple because:

Your app uses or references the following non-public API(s):

framework: '/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit'
: NSAccessibilityUnregisterUniqueIdForUIElement
: _NSAppendToKillRing
: _NSDrawCarbonThemeBezel
: _NSDrawCarbonThemeListBox
: _NSInitializeKillRing
: _NSNewKillRingSequence
: _NSPrependToKillRing
: _NSSetKillRingToYankedState
: _NSYankFromKillRing

framework: '/System/Library/Frameworks/ApplicationServices.framework/
: CGSSetDenyWindowServerConnections
: CGSShutdownServerConnections
: CTFontCopyDefaultCascadeList

The use of non-public APIs is not permitted on the App Store as it can lead
to a poor user experience should these APIs change.

I have chronicled a lot of this in this thread here (
app-store-with-qt-5-8-and-qtwebengineprocess) but the problem persists.

Does anyone have any suggestions? Does anyone know of any apps on the Mac
App Store that use QtWebEngine?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/development/attachments/20170428/a51c4ccb/attachment.html>

More information about the Development mailing list