[Interest] signing webenginewidgets issue

Hamish Moffatt hamish at risingsoftware.com
Sun Jun 16 12:18:45 CEST 2024 

Hmm, I have different entitlements set here, as per 
https://forum.qt.io/topic/102212/qtwebengine-signing-issues/20

In short, the QtWebEngineProcess.app Helper within 
QtWebEngineCore.framework is signed with 
com.apple.security.cs.disable-executable-page-protection true.

Runtime is hard and the application is signed, notarised and packaged 
(and signed).

Hamish

On 15/6/24 22:23, Alexander Carôt via Interest wrote:
> P.S.: Nevermind – I simply did not wait long enough for the app to be notarized. The solution for me was to only include this key:
>
> <key>com.apple.security.cs.allow-jit</key><true/>
>
> and then I could sign, notarize and launch.
>
>
> --
> http://www.carot.de
> Email : Alexander at Carot.de
> Tel.: +49 (0)177 5719797
>
>
>> Gesendet: Samstag, 15. Juni 2024 um 13:44 Uhr
>> Von: "Alexander Carôt via Interest" <interest at qt-project.org>
>> An: "qt qt" <interest at qt-project.org>
>> Betreff: [Interest] signing webenginewidgets issue
>>
>> Hello all,
>>
>> I just saw an issue when signing and notarizing an app containing a web browser based on webenginewidgets (applies also for the Qt example minibrowser):
>>
>> 1.) Codesigning via
>>
>> codesign --options=runtime --deep ./minibrowser.app -s "Developer ID Application: XXX"
>>
>> works fine but breaks the app: Launching minibrowser afterwards makes the webprocess crash.
>>
>> 2.) Including the following keys into an entitlements file:
>>
>> <key>com.apple.security.cs.allow-jit</key><true/>
>> <key>com.apple.security.cs.disable-library-validation</key><true/>
>> <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
>> <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
>>
>> and then signing via
>>
>> codesign --options=runtime --entitlements ./entitlements.xml --deep ./minibrowser.app -s "Developer ID Application: XXX"
>>
>> does not lead to the crash anymore and
>>
>> codesign --verify --deep --strict --verbose=2 ./minibrowser.app
>>
>> tells that all is signed just fine, however, when I package the app as a DMG, load it up to the web, load it down to my desktop and launch it, it tells me that the developer cannot be verified – so it basically tells that it is not signed.
>>
>> The same happens when I only include the first key:
>>
>> <key>com.apple.security.cs.allow-jit</key><true/>
>>
>> but here comes the message that the package cannot be opened because it cannot be checked in terms of malware etc.
>>
>> Can anyone help with this ?
>>
>> Thanks a lot in advance,
>> best
>>
>> Alex
>>
>>
>>
>>
>> --
>> http://www.carot.de
>> Email : Alexander at Carot.de
>> Tel.: +49 (0)177 5719797
>>
>> _______________________________________________
>> Interest mailing list
>> Interest at qt-project.org
>> https://lists.qt-project.org/listinfo/interest
>>
> _______________________________________________
> Interest mailing list
> Interest at qt-project.org
> https://lists.qt-project.org/listinfo/interest

More information about the Interest mailing list