On 08 May 2017, at 13:33, Adalid Claure 
<acla...@gmail.com<mailto:acla...@gmail.com>> wrote:

> Well, to be fair, it seems you haven't heeded my advice, and are going with 
> the approach of sandboxing the
> whole application, instead of leaving that to be done by Chromium.

Hmm.. I'm not sure what you mean. How exactly should I be signing my app then? 
Per the MAS, I have to sign it my app with "com.apple.security.app-sandbox".


I would have expected that signing without sandboxing should be possible. But 
if it is absolutely required, then that's unfortunate, because of the mentioned 
"unsupported by Chromium" territory.

> Regarding the issues you are seeing now, it is because of the 
> "com.apple.security.application-groups"
> entitlement key. That value (team id + "." + random domain-like suffix 
> string) has to be used by Chromium
> code, so that access is granted to the cross-process resources. By default 
> Chromium uses
> "org.chromium.Chromium" prefix as the application group key, which results in 
> the permission denied
> issues.

I see. I've been using the <teamid>.<app bundle id> entitlement for my main 
app, but I guess Chromium's code ignores that and uses this hard coded value?

Yes, currently the chromium part of WebEngine ignores the bundle id, and just 
hardcodes it.

> You can modify the "BaseBundleID" method in "/qt_source/qtwebengine/src/
> 3rdparty/chromium/base/mac/foundation_util.mm:241<http://foundation_util.mm:241/>"
>  to hardcode the bundle id to your "team_id + suffix"
> entitlement key. That made it work for me.

Ok, I will give this a try.

Thanks again for your help.


On Mon, May 8, 2017 at 4:43 AM, Alexandru Croitor 
<alexandru.croi...@qt.io<mailto:alexandru.croi...@qt.io>> wrote:
Hi,

Well, to be fair, it seems you haven't heeded my advice, and are going with the 
approach of sandboxing the whole application, instead of leaving that to be 
done by Chromium.

Regarding the issues you are seeing now, it is because of the 
"com.apple.security.application-groups" entitlement key. That value (team id + 
"." + random domain-like suffix string) has to be used by Chromium code, so 
that access is granted to the cross-process resources. By default Chromium uses 
"org.chromium.Chromium" prefix as the application group key, which results in 
the permission denied issues.

You can modify the "BaseBundleID" method in 
"/qt_source/qtwebengine/src/3rdparty/chromium/base/mac/foundation_util.mm:241<http://foundation_util.mm:241/>"
 to hardcode the bundle id to your "team_id + suffix" entitlement key. That 
made it work for me.

Regards, Alex.

On 06 May 2017, at 14:46, Adalid Claure 
<acla...@gmail.com<mailto:acla...@gmail.com>> wrote:

FWIW, I tried these changes but like you said I ran into another error (though, 
I'm pretty sure it's one I've seen before).

5/6/17 08:35:40.000 kernel[0]: Sandbox: QtWebEngineProce(5958) deny(1) 
mach-lookup org.chromium.Chromium.rohitfork.5957
5/6/17 08:35:40.000 kernel[0]: Sandbox: QtWebEngineProce(5959) deny(1) 
mach-lookup org.chromium.Chromium.rohitfork.5957
5/6/17 08:35:40.070 QtWebEngineProcess[5958]: 
[0506/083540:ERROR:mach_port_broker.mm<http://mach_port_broker.mm/>(43)] 
bootstrap_look_up: Permission denied (1100)
5/6/17 08:35:40.070 QtWebEngineProcess[5959]: 
[0506/083540:ERROR:mach_port_broker.mm<http://mach_port_broker.mm/>(43)] 
bootstrap_look_up: Permission denied (1100)

Does this look like the other issues you were referring to?

There is progress in the sense that the QtWebEngine widget is now white, 
instead of invisible (since it wasn't loading, I presume) like before. Of 
course, nothing renders inside it though.



On Thu, May 4, 2017 at 9:32 AM, Alexandru Croitor 
<alexandru.croi...@qt.io<mailto:alexandru.croi...@qt.io>> wrote:
It's in the function SandboxCompiler::CompileAndApplyProfile in
qt59_source/qtwebengine/src/3rdparty/chromium/content/common/sandbox_mac.mm:150<http://sandbox_mac.mm:150/>
the whole if branch.

But please do note my warning, even if it appears to work, it does not mean you 
will not have issues. Chromium has its own special sandbox profile (set of 
rules) that it applies to the subprocess, and it never applies it to the main 
process. So by simply enabling default sandboxing for both, you invite untested 
territories.


On 04 May 2017, at 15:26, Adalid Claure 
<acla...@gmail.com<mailto:acla...@gmail.com>> wrote:

I am the one who logged the bug.

Can you point me to the line of code that you commented out where you were able 
to get it to work?

On Thu, May 4, 2017 at 9:15 AM, Alexandru Croitor 
<alexandru.croi...@qt.io<mailto:alexandru.croi...@qt.io>> wrote:
Hi,

I'm actually looking into this at the moment, as per the created issue here 
QTBUG-60443

I haven't completely finished my investigation, which I will post to the bug 
report.

But the gist of it is:
- the WebEngine / Chromium sub process calls manually sandbox_init, which is 
the macOS private API for enabling the sandbox. That interferes
with the sandbox which you enable via codesign entitlements, which gives the 
"sandbox reinit denied' issue, and crashed process.

- if the above call is commented out, then you need to make sure that the Qt 
Application is signed with sandbox setup entitlements, and the WebEngineProcess 
is signed with sandbox "inherit" entitlements, otherwise I couldn't get it to  
work.

- Both of those entitlements have to specify a valid Team ID + prefix in the 
entitlment com.apple.security.application-groups
key.

- Google Chrome itself does not enable sandboxing via codesign entitlements, 
but only enables it for subprocess via sandbox_init, leaving the main process 
without a sandbox.

Thus my preliminary suggestion is not to enable codesign sandboxing for 
QtWebengine applications.

I'm open to discussion on this though.

Note that the private API use inside WebEngine, which is removed via 
appstore_compliant configure switch, is a separate issue from sandboxing.

Regards, Alex.




On 04 May 2017, at 14:45, Morten Sørvig 
<morten.sor...@qt.io<mailto:morten.sor...@qt.io>> wrote:

Hi,

Not sure if I can be of much help, but:

- This thread discusses and solves a similar problem: 
https://forum.qt.io/topic/49250/solved-qtwebengineprocess-not-working-in-sandboxed-application

- If this could be reduced to a simple sandboxed-app-with-helper-process test 
case (no QtWebEngine usage), that that’s something I could look at, and 
something we could eventually add an autotest for.


Morten


On 28 Apr 2017, at 18:49, Adalid Claure 
<acla...@gmail.com<mailto:acla...@gmail.com>> wrote:

I have a desktop app that I have been trying to get onto the Mac App store but 
I have been having problems getting it to run in sandbox mode. For context I am 
(preferably) using Qt 5.8 running on macOS 10.11.6.

The crux seems to be QtWebEngineProcess.app refuses to run after I codesign the 
bundle. As a result, my QtWebEngine component doesn't load. I am using this 
QtWebEngine component as part of my app's UI.

When the app starts I see the following errors in Console:

kernel[0]: Sandbox: QtWebEngineProce(20764) deny(1) mach-lookup 
org.chromium.Chromium.rohitfork.20763
kernel[0]: Sandbox: QtWebEngineProce(20765) deny(1) mach-lookup 
org.chromium.Chromium.rohitfork.20763
QtWebEngineProcess[20764]: 
[0427/071053:ERROR:mach_broker_mac.mm<http://mach_broker_mac.mm/>(52)] 
bootstrap_look_up: Permission denied (1100)
QtWebEngineProcess[20765]: 
[0427/071053:ERROR:mach_broker_mac.mm<http://mach_broker_mac.mm/>(52)] 
bootstrap_look_up: Permission denied (1100)
kernel[0]: Sandbox: QtWebEngineProce(20764) deny(1) forbidden-sandbox-reinit

My build process is pretty straight forward:

1. Run macdeployqt on the app, using the -appstore-compliant.
2. Sign all of the Qt Frameworks and PlugIns individually with my app's 
entitlement file.
3. Sign QtWebEngineProcess.app with the following entitlements file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
<plist version="1.0">
<dict>
   <key>com.apple.security.app-sandbox</key>
   <true/>
   <key>com.apple.security.inherit</key>
   <true/>
</dict>
</plist>

4. Call codesign on the overall MyProgram.app bundle with the entitlements file 
from Step 2.

I have tried numerous things all in combination with one another, including:

a. built QtWebEngine using WEBENGINE_CONFIG+=use_appstore_compliant_code (per 
the notes here: 
https://doc.qt.io/qt-5/qtwebengine-platform-notes.html#mac-app-store-compatibility)
b. use macdeployqt's -codesign, even though the binarys have to be signed a 
second time after this in order to apply the entitlements
c. sign QtWebEngineProcess.app with CFBundleIdentifier equal to 
'com.qt-project.Qt.QtWebEngineProcess' and with my own app's bundle ID.
d. tried linking with Qt 5.7
e. tried linking with Qt 5.6.2 which *did* run but then gets rejected by Apple 
because:

-------------------------------
Your app uses or references the following non-public API(s):

framework: '/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit'
: NSAccessibilityUnregisterUniqueIdForUIElement
: _NSAppendToKillRing
: _NSDrawCarbonThemeBezel
: _NSDrawCarbonThemeListBox
: _NSInitializeKillRing
: _NSNewKillRingSequence
: _NSPrependToKillRing
: _NSSetKillRingToYankedState
: _NSYankFromKillRing

framework: 
'/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices'
: CGSSetDenyWindowServerConnections
: CGSShutdownServerConnections
: CTFontCopyDefaultCascadeList

The use of non-public APIs is not permitted on the App Store as it can lead to 
a poor user experience should these APIs change.
-------------------------------

I have chronicled a lot of this in this thread here 
(https://forum.qt.io/topic/78518/sandbox-app-for-the-mac-app-store-with-qt-5-8-and-qtwebengineprocess)
 but the problem persists.

Does anyone have any suggestions? Does anyone know of any apps on the Mac App 
Store that use QtWebEngine?

Thanks.
_______________________________________________
Development mailing list
Development@qt-project.org<mailto:Development@qt-project.org>
http://lists.qt-project.org/mailman/listinfo/development

_______________________________________________
Development mailing list
Development@qt-project.org<mailto:Development@qt-project.org>
http://lists.qt-project.org/mailman/listinfo/development







_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development

Reply via email to