QtWebEngine signing issues

krobinson

I found a solution to this issue after much trial and error. I am fairly certain this will need to be done for anyone who is attempting to notarize a macOS application using the QtWebEngine. Hopefully this will save someone some time in the future.

The solution for me was to sign the QtWebEngineProcess with with the com.apple.security.cs.disable-executable-page-protection exception. Here is the process.

Sign the main application with the following command

sudo codesign --deep --force --verify --verbose --sign "Developer ID Application: ***" --options runtime MyApp.app

Create an entitlements file for the QtWebEngineProcess

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
</dict>
</plist>

Sign the QtWebEngineProcess with the following command

sudo codesign --force --verify --verbose --sign "Developer ID Application: ***" --entitlements QtWebEngineProcess.entitlements --options runtime MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess

Sign the main executable with the following command

sudo codesign --force --verify --verbose --sign "Developer ID Application: ***" --options runtime Output/MyApp.app/Contents/MacOS/MyApp

After following these steps I am able to successfully notarize the application.

Edit: Added more details

sztomi

@krobinson thank you so much for taking the time to share your solution, this saved me a lot of headaches. I knew I'd probably need to add some entitlements to WebEngine, but I had no idea what.

dalamber

@krobinson thank you so much for this!

kdg82

I tried what is suggested in this topic, but it didn't help - QtWebEngineProcess still crashes. I created another topic: https://forum.qt.io/topic/106949/qtwebengine-signing-issues

mjsmithers

@krobinson a HUGE thank you from me also. I would never have figured this out.

BTW My procedure is slightly different. I

• run macdeployqt
• sign the .app with the hardened runtime and with the deep option
• use your entitlements step (above) with force to replace the signing just on QtWebEngineProcess
• notarize the .app,
• put the .app in a DMG,
• sign the DMG with the hardened runtime, then
• notarize the DMG.

Everything works! Thanks again.

miskuu

@krobinson Thank you, Sir! Apple really likes to make devs lives harder every day.

nkqhxj

It's doesn't work form me, console output is: code object is not signed at all
In subcomponent: Myapp/Contents/PlugIns/mediaservice/libqavfmediaplayer.dylib.
but when i try sign with -deep, it's crash again.

markuz

Hi,

and thanks, this post helped me a lot. From a technical point of view:

Reading this, Apple says 'The system causes an app that attempts to directly modify
sections of its own executable files on disk to forcefully exit.'

What kind of technique or practice is it, that makes
qtwebengine run into Apple's executable memory protection issues?
Is it possible to nail this down on a certain piece of code?

Adressing this issue, has this code changed from Qt 5.9 to 5.12?

Thanks,
-Markus

PSI_lbc

Create an entitlements file for the QtWebEngineProcess
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
</dict>
</plist>

Sign the QtWebEngineProcess with the following command
sudo codesign --force --verify --verbose --sign "Developer ID Application: ***" --entitlements QtWebEngineProcess.entitlements --options runtime MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess

Where exactly does one "Create an entitlements file for the QtWebEngineProcess"?

Can this process be done once or must it be done each time you create a build or run MacDeployQt?

Can the QtWebEngineProcess.entitlements file be added to the QtWebEngineCore.framework ?

If so, where does it go exactly?

Should it be in the Helpers folder? Inside the QWebEngineProcess app.bundle?

If in the QWebEngineProcess app.bundle, what folder? In Contents where the info.plist is? In Resources?

Why can't the ..<key>com.apple.security.cs.disable-executable-page-protection</key>..be added directly to the QWebEngineProcess plist file?

sk-working

Not working for me. 5.12.5 & 5.12.8

As soon as I sign QtWebEngineProcess with "runtime" option and entitlements QtWebEngineProcess crashes.

I even listed all available entitlements - but no difference.

Cannot text with 5.14.x because of bug: https://bugreports.qt.io/browse/QTBUG-75262

PSI_lbc

@mjsmithers said in QtWebEngine signing issues:

@krobinson a HUGE thank you from me also. I would never have figured this out.

BTW My procedure is slightly different. I

• run macdeployqt
• sign the .app with the hardened runtime and with the deep option
• use your entitlements step (above) with force to replace the signing just on QtWebEngineProcess
• notarize the .app,
• put the .app in a DMG,
• sign the DMG with the hardened runtime, then
• notarize the DMG.

Everything works! Thanks again.

Thanks! This worked for me with a slight modification. The first time I tried it there was an error on the entitlement signing step. Because of a path problem.

sudo codesign --force --verify --verbose --sign "Developer ID Application: ***" --entitlements QtWebEngineProcess.entitlements --options runtime MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess

The actual path to the QtWebEngineProcess after MacDeployQt is :

MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app/Contents/MacOS/

discovered when doing a "GetInfo" on the QtWebEngineProcess executable. Not sure why the "/Versions/5/" is not visible in finder but is on the GetInfo, and maybe it will change with different versions of MacDeployQt or OSX..IDK.

FWIW..The codesign line is less cluttered by doing a "cd' to the folder with the executable and entitlement files..

cd '/pathto/MyApp.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app/Contents/MacOS/'
sudo codesign --force --verify --verbose --sign "Developer ID Application: ***" --entitlements QtWebEngineProcess.entitlements --options runtime QtWebEngineProcess

MrGuo

Here is my step:

~/Qt5.10.1/5.10.1/clang_64/bin/macdeployqt my.app -dmg

sudo codesign --deep -f -v -s "Developer ID Application: XXX" -o runtime my.app

sudo codesign -f -v -s "Developer ID Application: XXX" --entitlements QtWebEngineProcess.entitlements -o runtime
my.app/Contents/Frameworks/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess

use DropDMG create my.dmg

sudo codesign -f -v -s "Developer ID Application: XXX" -o runtime my.dmg

xcrun altool --notarize-app -t osx -f my.dmg --primary-bundle-id "XXX" --username "XXX" --password "XXX"

xcrun altool --notarization-info "RequestUUID" -u "XXX" -p "XXX"

xcrun stapler staple my.dmg

entitlements file is the same as above, works fine on macos 10.15.3

AmyXS

@krobinson Thanks so much for sharing this solution!!! I'm so glad I found this post after determining that codesigning with hardened runtime causes WebEngine issues. You've saved my day!!!

rdowell

Having this same issue with a QtWebEngine application, but while re-signing QtWebEngineProcess with the entitlements file as shown above does work for signing the app, QtWebEngine is still crashing if I try to run it:

Process:               QtWebEngineProcess [24905]
Path:                  /Applications/Toolbox.app/Contents/Frameworks/QtWebEngineCore.framework/Versions/5/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess
Identifier:            QtWebEngineProcess
Version:               ???
Code Type:             X86-64 (Native)
Parent Process:        Toolbox [24821]
Responsible:           Toolbox [24821]
User ID:               503

Date/Time:             2020-09-18 15:38:32.961 -0600
OS Version:            Mac OS X 10.15.6 (19G2021)
Report Version:        12
Anonymous UUID:        0C2B5E8B-1960-EECA-3F0E-16C355B027FB


Time Awake Since Boot: 4400 seconds

System Integrity Protection: enabled

Crashed Thread:        0  CrRendererMain  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (Code Signature Invalid)
Exception Codes:       0x0000000000000032, 0x0000002aafe05a60
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace CODESIGNING, Code 0x2

Based on a comment in @kdg82 's thread, I tried adding additional entitlements to the QtWebEngineProcess to mimic the entitlements required by Chrome/Chromium, but that doesn't have any effect. I've seen some indication from looking at posts about other non-Qt projects having similar issues that there may be an entitlement inheritance setting that also needs to be updated?

Tim Angus

@krobinson You, sir, are a steely-eyed missile man. Saved me so much time.

For what it's worth, the console output I got when I was experiencing this issue was:

#
# Fatal process OOM in CodeRange setup: allocate virtual memory
#

Just to add to Google's index of variations of "QtWebEngine not working fatal process oom".

Thanks again!

J0Nes

Thanks a ton! This was my issue as well, see https://forum.qt.io/topic/122388/qtwebenginecore-on-macos-fatal-process-out-of-memory-failed-to-reserve-memory-for-new-v8-isolate

If you stumble upon this error "Fatal process out of memory: Failed to reserve memory for new V8 Isolate" - read this thread carefully :)

jazzalex

Thanks a lot for this thread !

It really helped, however (three years later), for me it was simpler than described in the thread:

Hardened runtime was not the issue – I just need to add the above mentioned key into my entitlements file and this already did the job. At the end I signed this way:

codesign --options=runtime --entitlements ./entitlements.xml --deep ./soundjack.app -s "my developer ID"

without having the app crash afterwards and being able to notarize.

Best

Alex

jmarrec

Just in case you stumble onto this issue, the Qt Documentation now contains instructions

cf https://doc.qt.io/qt-6/qtwebengine-deploying.html#macos-specific-deployment-steps

Here is the content of the QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/Resources/QtWebEngineProcess.entitlements for reference, for my macos install, v 6.5.2

$ cat /Users/julien/Qt/6.5.2/macos/lib/QtWebEngineCore.framework/Versions/A/Helpers/QtWebEngineProcess.app/Contents/Resources/QtWebEngineProcess.entitlements
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
	<true/>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
	<key>com.apple.security.cs.allow-jit</key>
	<true/>
        <key>com.apple.security.cs.disable-executable-page-protection</key>
        <true/>
</dict>
</plist>