[Interest] signing webenginewidgets issue

[Alexander Carôt]

Hello all,

I just saw an issue when signing and notarizing an app containing a web browser based on webenginewidgets (applies also for the Qt example minibrowser):

1.) Codesigning via 

codesign --options=runtime --deep ./minibrowser.app -s "Developer ID Application: XXX" 

works fine but breaks the app: Launching minibrowser afterwards makes the webprocess crash.

2.) Including the following keys into an entitlements file:

<key>com.apple.security.cs.allow-jit</key><true/>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>

and then signing via 

codesign --options=runtime --entitlements ./entitlements.xml --deep ./minibrowser.app -s "Developer ID Application: XXX"

does not lead to the crash anymore and

codesign --verify --deep --strict --verbose=2 ./minibrowser.app

tells that all is signed just fine, however, when I package the app as a DMG, load it up to the web, load it down to my desktop and launch it, it tells me that the developer cannot be verified – so it basically tells that it is not signed.

The same happens when I only include the first key:

<key>com.apple.security.cs.allow-jit</key><true/>

but here comes the message that the package cannot be opened because it cannot be checked in terms of malware etc.

Can anyone help with this ?

Thanks a lot in advance,
best

Alex




--
http://www.carot.de
Email : Alexander at Carot.de
Tel.: +49 (0)177 5719797