Hi, I'm actually looking into this at the moment, as per the created issue here QTBUG-60443
I haven't completely finished my investigation, which I will post to the bug report. But the gist of it is: - the WebEngine / Chromium sub process calls manually sandbox_init, which is the macOS private API for enabling the sandbox. That interferes with the sandbox which you enable via codesign entitlements, which gives the "sandbox reinit denied' issue, and crashed process. - if the above call is commented out, then you need to make sure that the Qt Application is signed with sandbox setup entitlements, and the WebEngineProcess is signed with sandbox "inherit" entitlements, otherwise I couldn't get it to work. - Both of those entitlements have to specify a valid Team ID + prefix in the entitlment com.apple.security.application-groups key. - Google Chrome itself does not enable sandboxing via codesign entitlements, but only enables it for subprocess via sandbox_init, leaving the main process without a sandbox. Thus my preliminary suggestion is not to enable codesign sandboxing for QtWebengine applications. I'm open to discussion on this though. Note that the private API use inside WebEngine, which is removed via appstore_compliant configure switch, is a separate issue from sandboxing. Regards, Alex. On 04 May 2017, at 14:45, Morten Sørvig <morten.sor...@qt.io<mailto:morten.sor...@qt.io>> wrote: Hi, Not sure if I can be of much help, but: - This thread discusses and solves a similar problem: https://forum.qt.io/topic/49250/solved-qtwebengineprocess-not-working-in-sandboxed-application - If this could be reduced to a simple sandboxed-app-with-helper-process test case (no QtWebEngine usage), that that’s something I could look at, and something we could eventually add an autotest for. Morten On 28 Apr 2017, at 18:49, Adalid Claure <acla...@gmail.com<mailto:acla...@gmail.com>> wrote: I have a desktop app that I have been trying to get onto the Mac App store but I have been having problems getting it to run in sandbox mode. For context I am (preferably) using Qt 5.8 running on macOS 10.11.6. The crux seems to be QtWebEngineProcess.app refuses to run after I codesign the bundle. As a result, my QtWebEngine component doesn't load. I am using this QtWebEngine component as part of my app's UI. When the app starts I see the following errors in Console: kernel[0]: Sandbox: QtWebEngineProce(20764) deny(1) mach-lookup org.chromium.Chromium.rohitfork.20763 kernel[0]: Sandbox: QtWebEngineProce(20765) deny(1) mach-lookup org.chromium.Chromium.rohitfork.20763 QtWebEngineProcess[20764]: [0427/071053:ERROR:mach_broker_mac.mm(52)] bootstrap_look_up: Permission denied (1100) QtWebEngineProcess[20765]: [0427/071053:ERROR:mach_broker_mac.mm(52)] bootstrap_look_up: Permission denied (1100) kernel[0]: Sandbox: QtWebEngineProce(20764) deny(1) forbidden-sandbox-reinit My build process is pretty straight forward: 1. Run macdeployqt on the app, using the -appstore-compliant. 2. Sign all of the Qt Frameworks and PlugIns individually with my app's entitlement file. 3. Sign QtWebEngineProcess.app with the following entitlements file: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd";> <plist version="1.0"> <dict> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.inherit</key> <true/> </dict> </plist> 4. Call codesign on the overall MyProgram.app bundle with the entitlements file from Step 2. I have tried numerous things all in combination with one another, including: a. built QtWebEngine using WEBENGINE_CONFIG+=use_appstore_compliant_code (per the notes here: https://doc.qt.io/qt-5/qtwebengine-platform-notes.html#mac-app-store-compatibility) b. use macdeployqt's -codesign, even though the binarys have to be signed a second time after this in order to apply the entitlements c. sign QtWebEngineProcess.app with CFBundleIdentifier equal to 'com.qt-project.Qt.QtWebEngineProcess' and with my own app's bundle ID. d. tried linking with Qt 5.7 e. tried linking with Qt 5.6.2 which *did* run but then gets rejected by Apple because: ------------------------------- Your app uses or references the following non-public API(s): framework: '/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit' : NSAccessibilityUnregisterUniqueIdForUIElement : _NSAppendToKillRing : _NSDrawCarbonThemeBezel : _NSDrawCarbonThemeListBox : _NSInitializeKillRing : _NSNewKillRingSequence : _NSPrependToKillRing : _NSSetKillRingToYankedState : _NSYankFromKillRing framework: '/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices' : CGSSetDenyWindowServerConnections : CGSShutdownServerConnections : CTFontCopyDefaultCascadeList The use of non-public APIs is not permitted on the App Store as it can lead to a poor user experience should these APIs change. ------------------------------- I have chronicled a lot of this in this thread here (https://forum.qt.io/topic/78518/sandbox-app-for-the-mac-app-store-with-qt-5-8-and-qtwebengineprocess) but the problem persists. Does anyone have any suggestions? Does anyone know of any apps on the Mac App Store that use QtWebEngine? Thanks. _______________________________________________ Development mailing list Development@qt-project.org<mailto:Development@qt-project.org> http://lists.qt-project.org/mailman/listinfo/development _______________________________________________ Development mailing list Development@qt-project.org<mailto:Development@qt-project.org> http://lists.qt-project.org/mailman/listinfo/development
_______________________________________________ Development mailing list Development@qt-project.org http://lists.qt-project.org/mailman/listinfo/development
