Feat/mac sandbox pre release pyinstaller

[toofar]

Switch to PyInstaller develop branch to get v6.0 changes which brings:

• WebEngine/Chromium sandboxing for macOS builds
• Removes the need for our downstream patching of the app on macOS
• Unifies resource lookups to be via importlib_resources (this is actually possible as of 2021 but we hadn't picked up on it)

This is a pretty standard adaptation to a new major version of a dependency except in this case the major version isn't released yet, so I'm pointing at a specific commit on their develop branch (the latest commit as of today).

In my opinion we probably want to do a little more testing of the resulting binaries before committing to this. Although I don't think the testing surface area is huge? Like it runs, resource files can be loaded, it can be signed? There are binaries here, based of this test branch with a custom CI job.

Potential testing checklist:

• installs over an old version with no warnings
• it launches
• can prompt to capture audio or location
  • test with jitsi meet
• :help is rendered like normal
• userscripts work (if packaged?)
• pdf-js works
  • https://www.ipcc.ch/site/assets/uploads/2021/06/Fact_sheet_AR6.pdf
  • or qute://pdfjs/build/pdf.js on builds with 5.15.2
• application icon on shortcut and taskbar is correct
• extensions are loaded
  • the reload command is registered

TODO:

• open issue to track reverting the temp stuff for the pre-release pyinstaller once a release comes out (requirements files and PYINSTALLER_COMPILE_BOOTLOADER) ✔️ Switch back to released PyInstaller #7806
• probably move the PYINSTALLER_COMPILE_BOOTLOADER=true out of tox into the build script so that it gets set for local builds too ✔️
• do manual testing I guess. I went through a few earlier, but not all of them. ✔️
• remove the warning page and the place that triggers it qutebrowser/html/warning-sandboxing.html ✔️
• apologies to @rokm for pulling in the develop branch

Should I, GitHub, should I? 🤔

Testing (it seems userscripts are not packaged):

Windows (10)

• installs over an old version with no warnings
• it launches
• can prompt to capture audio or location
  * tested with jitsi meet
• :help is rendered like normal
• pdf-js works
  * https://www.ipcc.ch/site/assets/uploads/2021/06/Fact_sheet_AR6.pdf
• application icon on shortcut and taskbar is correct
• extensions are loaded
  * the reload command is registered

macOS (11.7.8)

• installs over an old version with no warnings
• it launches
• can prompt to capture audio or location
  * tested with jitsi meet
• :help is rendered like normal
• pdf-js works
  * https://www.ipcc.ch/site/assets/uploads/2021/06/Fact_sheet_AR6.pdf
• application icon on shortcut and taskbar is correct
• extensions are loaded
  * the reload command is registered

Closes: #7278

[toofar]

I've pushed again to:

1. remove the re-signing
2. move the PYINSTALLER_COMPILE_BOOTLOADER env var setting into build_release instead of tox.ini so that if you run build_release not via tox you don't have to remember to set it. It's a bit ugly, and while we are going to remove that stuff after the new pyinstaller release comes out, let me know if you do manual builds via tox anyway and I might move it back to how it was before

While looking through the spec file I saw this note and that the comment it refers to was removed a couple of years ago in pyinstaller/pyinstaller@af23dcceb3f997bda40. So it might not be needed anymore.

I'll update the PR description with potential testing notes based off of looking through the spec file.

[rokm]

While looking through the spec file I saw this note and that the comment it refers to was removed a couple of years ago in pyinstaller/pyinstaller@af23dcceb3f997bda40. So it might not be needed anymore.

This looks like a work-around for PyInstaller butchering the QtWebEngineCore.framework bundle.

It should be safe to replace that ID with your actual bundle ID now that the .framework bundles are preserved.

[toofar]

I updated the bundle ID and went through my manual testing stuff and everything seemed to work 🎉. Although I'm not sure how I'm supposed to reproduce the original failure, did it just stop the app from starting?

Also realized there is the macOS sandbox warning page which is probably unneeded now? Or at least should have references to the PyInstaller issue removed.

More interestingly the extensions are no longer being loaded on macOS. Resulting in messages like: "scroll-to-perc: no such command" and "reload: no such command".

>>> from qutebrowser.extensions import loader
>>> list(loader.walk_components())
[]

>> components.__path__
['/Applications/qutebrowser.app/Contents/Frameworks/qutebrowser/components']
>> components.__name__
'qutebrowser.components'

>> pkgutil.iter_importers('qutebrowser.components')
[FileFinder(...)]

However /Applications/qutebrowser.app/Contents/Frameworks/qutebrowser/components is not a real path (the parent folder does exist, it's just got data files in it though).

The workaround of using the PyInstaller importer toc manually (removed in dd2fc8e) seems like it'll still work though:

>>> {p for p in list(pkgutil.iter_importers('qutebrowser'))[2].toc if p.startswith('qutebrowser.components')}
{'qutebrowser.components',
'qutebrowser.components.adblockcommands',
'qutebrowser.components.braveadblock',
'qutebrowser.components.caretcommands',
'qutebrowser.components.hostblock',
'qutebrowser.components.misccommands',
'qutebrowser.components.readlinecommands',
'qutebrowser.components.scrollcommands',
'qutebrowser.components.utils',
'qutebrowser.components.utils.blockutils',
'qutebrowser.components.zoomcommands'}

[The-Compiler]

Thanks for all the great work, this definitely gets us a big step closer! <3

I've pinned this to a specific commit in both requirements files for now.

Works for me.

While looking through the spec file I saw this note and that the comment it refers to was removed a couple of years ago in pyinstaller/pyinstaller@af23dcceb3f997bda40. So it might not be needed anymore.

Nice catch!

let me know if you do manual builds via tox anyway and I might move it back to how it was before

I do indeed to ensure I have a consistent environment with everything it needs. So I suppose dd86483 and 8a327be could be reverted?

Although I'm not sure how I'm supposed to reproduce the original failure, did it just stop the app from starting?

I believe renderer processes just didn't start, yeah.

Also realized there is the macOS sandbox warning page which is probably unneeded now? Or at least should have references to the PyInstaller issue removed.

Yep, reverting that was the right call IMHO!

More interestingly the extensions are no longer being loaded on macOS. Resulting in messages like: "scroll-to-perc: no such command" and "reload: no such command".

That's weird! Might be good to try and see if we can get a more minimal reproducer to report this as a PyInstaller regression? pyinstaller/pyinstaller#5959 comes with a testcase which hasn't had any changes and still seems to pass, so I'm not sure what it is that we do differently?

[toofar]

Alright, last call for comments on this one! Latest changes:

• I added a Windows 10 minimum version check to the installer
  • based on @bitraid's comment here New Windows installer #7315 (comment)
  • but with an added conditional to do the old check for the Qt5 installer
  • and I naughtily bumped the Qt6 OS requirements down a bit from Win 10 build 1809 -> build 1607 based on our testing. This is lower than the Qt advice but seems to work. Easier enough to increase it again if someone finds an issue?
• dropped the two ugly commits around moving the pyinstaller bootload compiling stuff out of tox into the build_release script
• adaptions from Drop 32bit Windows release support #7804
• I added the Qt5 builds back to my test CI job and actually tested them too
  • latest binaries are here: https://github.com/qutebrowser/qutebrowser/actions/runs/5839589092
  • I had one fright where installing the windows Qt5 build over top of the Qt6 build causes the application to fail to launch with a stack trace about failing to import PyQt6.QtCore. It seems there was a leftover, empty, _internal\PyQt6\Qt6\bin\locales folder left in the install dir that was tricking the autoselect logic. I expect doing an uninstall first would resolve this, as that should remove the whole install dir
  • pdfjs doesn't work on the binary Qt5 version we are packaging, as probably noted elsewhere. Changed the testing instructions to just check that qute://pdfjs/build/pdf.js returns JS
• I didn't update scripts/dev/download_release.sh, easy enough to do that during the release

Too old win10 warning (before I dropped the requirement lower):

Error dialog on launch after installing the Qt5 version over the Qt6 version:

Testing the autoselect logic with the above issue (after starting with --qt-wrapper PyQt5):

Tomorrow I'll look at doing a new test case for pyinstaller and move to main my changes around getting better smoke test error logs, but that's all the stuff I have planned for this PR.

[The-Compiler]

@bitraid could you give this a look?

[The-Compiler]

If you plan on doing another round of testing with your latest changes, maybe worth bumping up this again? If you'd rather not, I'm fine with that too.

[toofar]

I've done more testing but I don't plan on updating the commit. I've been checking in on subsequent commits and I don't see anything relevant to us.

[The-Compiler]

Note to self, we still should try to figure out whether this has regressed.

[toofar]

I don't think it has, but I'm not sure if we can test it on an old version because of the workarounds we had to do symlinking stuff around. I suppose this might be an issue with the upstream fix for that stuff breaking this use case.

This only started happening with c0d31d3 where the data files changed to be under /Frameworks/qutebrowser/. That's the same path that the python files are reported to be under so the issue is that somehow the /Frameworks/qutebrowser/ folder existing is causing importlib to use the file loader instead of the frozen ones. But it seems to work fine on Windows (TODO: triple check with https://github.com/qutebrowser/qutebrowser/actions/runs/5846907490), so it might be some mac specific workaround going wonky.

I tried to make an upstream test fail here, but it didn't. I think the script in that test as the right structure (a folder with data files at the same level as a folder with python files). I might switch tack and try to do a minimal reproducer based on qutebrowser (including spec file).

Anyway, I don't intend to treat this oddity as blocking (I really want to see all the nightly tests working again!). So I'll probably merge this PR tomorrow.

[rokm]

This might be fixed by pyinstaller/pyinstaller#7885.

[toofar]

Looks like that fixes it indeed. Data files and dynamic modules are both being loaded fine with no special casing for frozen builds from us! Yet another issue that gets solved with me doing nothing but procrastinating 😂

I just did a quick build to check. Will double check in more detail tomorrow.

[The-Compiler]

As for the "empty PyQt6 dir" thing: I've seen that too, and considered changing the logic to account for that - but then decided this is one of the "user's environment is in a weird inconsistent thing" situations I'd much rather report to the user rather than just painting over it and assuming something.