[Development] Getting QtWebEngineProcess.app to run in sandbox after being signed

Morten Sørvig Morten.Sorvig at qt.io
Thu May 4 14:45:16 CEST 2017 

Hi,

Not sure if I can be of much help, but:

- This thread discusses and solves a similar problem: https://forum.qt.io/topic/49250/solved-qtwebengineprocess-not-working-in-sandboxed-application

- If this could be reduced to a simple sandboxed-app-with-helper-process test case (no QtWebEngine usage), that that’s something I could look at, and something we could eventually add an autotest for.


Morten


> On 28 Apr 2017, at 18:49, Adalid Claure <aclaure at gmail.com> wrote:
> 
> I have a desktop app that I have been trying to get onto the Mac App store but I have been having problems getting it to run in sandbox mode. For context I am (preferably) using Qt 5.8 running on macOS 10.11.6.
> 
> The crux seems to be QtWebEngineProcess.app refuses to run after I codesign the bundle. As a result, my QtWebEngine component doesn't load. I am using this QtWebEngine component as part of my app's UI.
> 
> When the app starts I see the following errors in Console:
> 
> kernel[0]: Sandbox: QtWebEngineProce(20764) deny(1) mach-lookup org.chromium.Chromium.rohitfork.20763
> kernel[0]: Sandbox: QtWebEngineProce(20765) deny(1) mach-lookup org.chromium.Chromium.rohitfork.20763
> QtWebEngineProcess[20764]: [0427/071053:ERROR:mach_broker_mac.mm(52)] bootstrap_look_up: Permission denied (1100)
> QtWebEngineProcess[20765]: [0427/071053:ERROR:mach_broker_mac.mm(52)] bootstrap_look_up: Permission denied (1100)
> kernel[0]: Sandbox: QtWebEngineProce(20764) deny(1) forbidden-sandbox-reinit
> 
> My build process is pretty straight forward:
> 
> 1. Run macdeployqt on the app, using the -appstore-compliant.
> 2. Sign all of the Qt Frameworks and PlugIns individually with my app's entitlement file.
> 3. Sign QtWebEngineProcess.app with the following entitlements file:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <plist version="1.0">
> <dict>
>     <key>com.apple.security.app-sandbox</key>
>     <true/>
>     <key>com.apple.security.inherit</key>
>     <true/>
> </dict>
> </plist>
> 
> 4. Call codesign on the overall MyProgram.app bundle with the entitlements file from Step 2.
> 
> I have tried numerous things all in combination with one another, including:
> 
> a. built QtWebEngine using WEBENGINE_CONFIG+=use_appstore_compliant_code (per the notes here: https://doc.qt.io/qt-5/qtwebengine-platform-notes.html#mac-app-store-compatibility)
> b. use macdeployqt's -codesign, even though the binarys have to be signed a second time after this in order to apply the entitlements
> c. sign QtWebEngineProcess.app with CFBundleIdentifier equal to 'com.qt-project.Qt.QtWebEngineProcess' and with my own app's bundle ID.
> d. tried linking with Qt 5.7
> e. tried linking with Qt 5.6.2 which *did* run but then gets rejected by Apple because:
> 
> -------------------------------
> Your app uses or references the following non-public API(s):
> 
> framework: '/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit'
> : NSAccessibilityUnregisterUniqueIdForUIElement
> : _NSAppendToKillRing
> : _NSDrawCarbonThemeBezel
> : _NSDrawCarbonThemeListBox
> : _NSInitializeKillRing
> : _NSNewKillRingSequence
> : _NSPrependToKillRing
> : _NSSetKillRingToYankedState
> : _NSYankFromKillRing
> 
> framework: '/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices'
> : CGSSetDenyWindowServerConnections
> : CGSShutdownServerConnections
> : CTFontCopyDefaultCascadeList
> 
> The use of non-public APIs is not permitted on the App Store as it can lead to a poor user experience should these APIs change.
> -------------------------------
> 
> I have chronicled a lot of this in this thread here (https://forum.qt.io/topic/78518/sandbox-app-for-the-mac-app-store-with-qt-5-8-and-qtwebengineprocess) but the problem persists. 
> 
> Does anyone have any suggestions? Does anyone know of any apps on the Mac App Store that use QtWebEngine?
> 
> Thanks.
> _______________________________________________
> Development mailing list
> Development at qt-project.org
> http://lists.qt-project.org/mailman/listinfo/development

More information about the Development mailing list