[Qtwebengine] Getting QtWebEngineProcess.app to run in sandbox after being signed

Adalid Claure aclaure at gmail.com
Thu Apr 27 23:13:18 CEST 2017


I have a desktop app that I have been trying to get onto the Mac App store
but I have been having problems getting it to run in sandbox mode. For
context I am (preferably) using Qt 5.8 running on macOS 10.11.6.

The crux seems to be QtWebEngineProcess.app refuses to run after I codesign
the bundle. As a result, my QtWebEngine component doesn't load. I am using
this QtWebEngine component as part of my app's UI.

When the app starts I see the following errors in Console:

kernel[0]: Sandbox: QtWebEngineProce(20764) deny(1) mach-lookup
org.chromium.Chromium.rohitfork.20763
kernel[0]: Sandbox: QtWebEngineProce(20765) deny(1) mach-lookup
org.chromium.Chromium.rohitfork.20763
QtWebEngineProcess[20764]: [0427/071053:ERROR:mach_broker_mac.mm(52)]
bootstrap_look_up: Permission denied (1100)
QtWebEngineProcess[20765]: [0427/071053:ERROR:mach_broker_mac.mm(52)]
bootstrap_look_up: Permission denied (1100)
kernel[0]: Sandbox: QtWebEngineProce(20764) deny(1) forbidden-sandbox-reinit

My build process is pretty straightforward:

1. Run macdeployqt on the app, using the -appstore-compliant option.
2. Sign all of the Qt Frameworks and PlugIns individually with my app's
entitlement file.
3. Sign QtWebEngineProcess.app with the following entitlements file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>

4. Call codesign on the overall MyProgram.app bundle with the entitlements
file from Step 2.

I have tried numerous things all in combination with one another, including:

a. built QtWebEngine using WEBENGINE_CONFIG+=use_appstore_compliant_code
(per the notes here:
https://doc.qt.io/qt-5/qtwebengine-platform-notes.html#mac-app-store-compatibility
)
b. use macdeployqt's -codesign, even though the binaries have to be signed a
second time after this in order to apply the entitlements
c. sign QtWebEngineProcess.app with CFBundleIdentifier equal to
'com.qt-project.Qt.QtWebEngineProcess' and with my own app's bundle ID.
d. tried linking with Qt 5.7
e. tried linking with Qt 5.6.2 which *did* run but then gets rejected by
Apple because:

-------------------------------
Your app uses or references the following non-public API(s):

framework: '/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit'
: NSAccessibilityUnregisterUniqueIdForUIElement
: _NSAppendToKillRing
: _NSDrawCarbonThemeBezel
: _NSDrawCarbonThemeListBox
: _NSInitializeKillRing
: _NSNewKillRingSequence
: _NSPrependToKillRing
: _NSSetKillRingToYankedState
: _NSYankFromKillRing

framework:
'/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices'
: CGSSetDenyWindowServerConnections
: CGSShutdownServerConnections
: CTFontCopyDefaultCascadeList

The use of non-public APIs is not permitted on the App Store as it can lead
to a poor user experience should these APIs change.
-------------------------------

I have chronicled a lot of this in this thread here (
https://forum.qt.io/topic/78518/sandbox-app-for-the-mac-app-store-with-qt-5-8-and-qtwebengineprocess)
but the problem persists.

Does anyone have any suggestions? Does anyone know of any apps on the Mac
App Store that use QtWebEngine?

Thanks.
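An added example, not code from the original post or from the Qt project, of the inside-out signing order the four build steps above describe, written as a POSIX shell script with the post-signing checks a developer would run before submitting. The signing identity, the app path and the helper's location inside QtWebEngineCore.framework are assumptions.

```shell
#!/bin/sh
# Added example: sign a Qt app bundle inside-out for the Mac App Store sandbox.
# Assumptions (not from the post): the helper's path inside QtWebEngineCore.framework,
# and that IDENTITY, APP and APP_ENTITLEMENTS are supplied by the caller.
HELPER_REL="Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app"

# Entitlements for the helper: sandboxed, but inheriting the parent's sandbox profile.
# A child that tries to set up its own profile is what "forbidden-sandbox-reinit" denies.
write_inherit_entitlements() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>
EOF
}

# True when a plist (or `codesign -d --entitlements :-` output) carries both keys.
entitlements_inherit_ok() {
  grep -q 'com.apple.security.app-sandbox' "$1" && grep -q 'com.apple.security.inherit' "$1"
}

sign() { codesign --force --sign "$IDENTITY" --entitlements "$2" "$1"; }

# Order matters: nested code first, the outer bundle last, each with its own entitlements.
sign_bundle() {
  app="$1"; app_ent="$2"; helper_ent="$3"
  for f in "$app"/Contents/Frameworks/*.framework "$app"/Contents/PlugIns/*/*.dylib; do
    if [ -e "$f" ]; then sign "$f" "$app_ent"; fi
  done
  sign "$app/$HELPER_REL" "$helper_ent"
  sign "$app" "$app_ent"
}

# Post-signing checks: seal intact, and the helper really carries the inherit entitlement.
verify_bundle() {
  codesign --verify --deep --strict --verbose=2 "$1" || return 1
  tmp=$(mktemp)
  codesign -d --entitlements :- "$1/$HELPER_REL" > "$tmp" 2>/dev/null
  if entitlements_inherit_ok "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"; return $rc
}
```

Run as `sign_bundle MyProgram.app app.entitlements helper.entitlements && verify_bundle MyProgram.app` after generating helper.entitlements with write_inherit_entitlements.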