Chromium is not code signed

Started by LosInvalidos,

LosInvalidosLosInvalidos Junior Member
edited 8 Nov 2013 in 1Password 4 for Mac #1

Really? It has been working flawlessly with 1P 3. Why the change? Apple restrictions? Brave New World I guess. And again, I'll have to look for alternatives. No doubt 1P is the best kid around. But I honestly hope that competition can get it's act together. No competition isn't good for a market.

  • MikeTMikeT Agile Samurai Administrator
    edited 4 Oct 2013 #2

    Hi @LosInvalidos,

    It has nothing to do with sandboxing nor Apple but rather that Chromium does not have a valid code signature.

    In 1Password 4, we have extra security checks to ensure our browser extensions are in browsers that are co-signed by the developers who made the browsers and not in any random browsers that have not been signed. Chromium is one of those browsers that are not signed. As soon as they can do that, the extension will then work.

  • LosInvalidosLosInvalidos Junior Member
    edited 5 Oct 2013 #3

    And here's the ticket: https://code.google.com/p/chromium/issues/detail?id=304454

    Let's see how this goes. Not sure if it will be public since it was posted in the "security" category which has restricted access afaik.

  • sjksjk oversoul Administrator

    Thanks, @LosInvalidos. I've added that request ticket to our internal tracker for this issue.

  • LosInvalidosLosInvalidos Junior Member

    @sjk, where you able to access it?

    Nice to see you made it into the 1P team. Known you for years and seen this nick on plenty of platforms and forums. :)

  • sjksjk oversoul Administrator

    Thanks, @LosInvalidos! Always a pleasure seeing familiar faces here. :)

    Maybe this answers your access question:

    Is there a public viewable bug tracker where we can vote on bugs/features?

  • LosInvalidosLosInvalidos Junior Member

    @sjk The access question was in regards to the Chromium issue I opened. Also there's news from that front: "Chromium is not a product, it's a developer waterfall build, and so it not going to be signed."

    So much for the OpenSource love of Google. Wow, I really need to get that de-googlefying process started. Sad thing is, Firefox is mostly funded by Google as well. That leaves WebKit as OpenSource browser. Sad to see options shrink. That's not how it was meant to be...

  • MikeTMikeT Agile Samurai Administrator

    Hi @LosInvalidos,

    Yea, that sucks. We saw the same thing in the issue we had, apparently they are encouraging folks to use Google stable instead.

    We'll investigating for another way around this but no promises.

  • sjksjk oversoul Administrator

    Whoops, access is denied to that ticket you referred to, @LosInvalidos. Thanks for posting the followup here, even if unfortunate news.

    For what may be feasible on our end in the future see @jpgoldberg's post #27.

  • LosInvalidosLosInvalidos Junior Member

    @sjk well that is encouraging news. Hightly welcome if that would see the light of the world and make Chromium usable again. But as I see more clearly the ideology behind googles evil plan, I'm moving back to Firefox. Yet nonetheless interested to see where this goes.

  • sjksjk oversoul Administrator

    Have fun back with Firefox, @LosInvalidos. Safari's still my primary browser.

  • This is terrible, as new version of your software is breaking my main browser just because it can. I strongly urge you to consider allowing users to override code signatures. I appreciate your effort to protect me better, but this is software equivalent of breaking my legs so I can't go out of home, so I'll be safer. Will I be safer? Technically, yes. You can be sure that a disproportionate amount of people who have are your customers, because the people who do compile Chromium to prevent Chrome reporting back to mothership and the people who want to be safe enough to use 1Password largely overlap.

    I strongly urge you to reconsider your decision. This is not going to pressure Chromium to add a code signature, they are too large. So I'm the one you're pressuring instead.

  • roustemroustem AgileBits Founder Administrator

    Thank you for the feedback, @rolleiflex.

    We might add a special "you have been warned, don't blame us" option to solve this. I'd love to find a solution that keeps the security intact through.

  • I'll be keeping an eye on this thread for updates. As a Chromium user I don't really want to switch back to Chrome for privacy reasons, and don't really want to switch back over to Firefox.

    Having the ability to work with browsers that aren't code signed in the advanced options would be great.

  • Alex KingAlex King
    edited 10 Oct 2013 #15

    +1 here as well - I'll be staying with 1Password 3.x until I can use it with Chromium.

    I look forward to upgrading to iPassword 4 in the near future.

  • LosInvalidosLosInvalidos Junior Member

    At least I'm not the only OpenSource and privacy fan around here. I've been posting questions about Chromium for years. Great to see, that a small community has evolved around chromium. And after a week of Firefox I have to say, I really prefere Chromium. While Chrome is not on option due to Googlefication and spy mode.

  • Another +1. I use Iron from SRWare. It's a Chromium derivative. Everything worked excellently with 1Password 3.x. With 1Password 4.x things now don't work, no warning was provided, and there is no option to disable this extra layer of security.

    Please, give us the ability to turn off "signed-app" checking.

  • I also use SRWare Iron. Please, please do something so we can use 1Password 4 with it.

  • sergiomirandasergiomiranda Junior Member
    edited 23 Oct 2013 #19

    Here's another one using Chromium and surprised to find out that I might not be able use the 1Password extension.

    From what I read in the thread mentioned in post #9, this might have been solved with an option to disable this check. Can anyone confirm that Chromium works with 4.0.1b1?

  • MikeTMikeT Agile Samurai Administrator

    Hi guys,

    Thanks for your feedback.

    @sergiomiranda

    this might have been solved with an option to disable this check. Can anyone confirm that Chromium works with 4.0.1b1?

    No, we haven't changed anything regarding to this. We're still investigating a better solution for this but right now, we're focusing on the bug fixes we need to fix first and then we'll figure out what we can do about Chromium.

  • I'm confused by this:

    No, we haven't changed anything regarding to this.

    It appears to be in conflict with this post.

  • Would it be possible to disable the check for signed software (Chromium) so the filling with Chromium would work again?

    I like it that you want to make it more secure, but please give an option to disable the check so opensource browsers will work with 1PW again. Otherwise you give the user a bit more security but also remove some options to get more privacy.

    Thank you.

  • sjksjk oversoul Administrator

    Hi, Alex. Maybe @jryans was referring to this extension compatibility change for Firefox, not Chromium:

    [FIXED] Now compatible with Firefox 26 and later.

  • Hmm, this is surprising to hear... I am currently able to use 1P4 successfully with Firefox Nightly (currently Firefox 28), which in the past has shown up as not code signed in the 1P Diagnostics Report, so I just assumed this change had been made already.

    While my use case appears to work (at the moment...) I strongly agree with others in this thread that there really needs to be a way to disable checking code signatures entirely, so that any browser variant, like Chromium or Firefox that I've compiled myself for example, can be used, just like they could be with 1P3.

  • MeganMegan Administrator

    Hi @tylex,

    I merged your post with this existing discussion, because you all seem interested in the same thing. :) As Roustem says above, we are looking into options.

  • Another ping for this. I am using Firefox in the meantime, but I am still waiting for your Chromium support to arrive. I definitely understand you guys might be booked with bugs as per the case in almost every product launch, but this should be a very simple "if not code signed, warn, [yes/no] override" patch.

  • ashebanowashebanow Junior Member

    I am a web developer, and using pre-release browsers is an important part of my work. I can't tell you how disappointed I am that 1password implemented this drastic change in behavior without warning AND without any way for me to turn it off. Even Apple made Gatekeeper optional for precisely these sorts of reasons.

  • Really? The upgrade of your product makes it completely unusable for me (Chromium is my primary browser). Good-bye 1password. You've just lost a customer ....

  • We need Chromium! There has to be a balance of security and usability and a option to disable this feature is a must... Please...

  • MeganMegan Administrator

    Hi all,

    Thanks so much for the feedback here! I'll be sure to let our developers know that you're excited to see an option that will let you use Chromium. As Roustem mentioned above, this is on our radar and we are looking at ways to make this work, in a secure way if possible.

    We really appreciate your patience as we sort this out. Our team is small, but we're doing our very best to ensure that 1Password 4 is stable, secure and user-friendly for you all :)

  • It would be good to be able to override this on a per application basis. I use several Chrome SSBs (Site-Specific Browsers) for certain sites so that they have their own window / icon / etc. (see http://www.tuaw.com/2013/05/28/make-an-ssb-with-chrome-on-the-mac/ for more info).

    1Password breaks for these sites because of the code signature. If there was a way to override it for certain applications that would be perfect. Hide it in advanced settings somewhere and 95% of your users will never use it, but those of us who need it will.