Code-signed Chromium build doesn't work with 1Password Extension.
So, since 1Password ver. 6.7 or 6.8, browser integration has been more secure.
First of all, I'm aware that 1Password today doesn't accept apps without code-signing. So for instance, browsers like Chromium nightly builds won't work with 1Password, while it works with browsers like Firefox or Vivaldi, which makes sense; those are built and code-signed by a valid team.
Now, Chromium. Chromium, but the very one built by FreeSMUG: http://www.freesmug.org/chromium
This one is code-signed but doesn't work with 1Password Extension.
I verified it's code-signed by codesign -dvvv /Applications/Chromium.app
and it returns valid authentication info.
I've already tried this workaround: https://support.1password.com/kb/201707/
I'm not here to argue about how browser verification works nor anything, it's just ... based on info available from the community, it should work.
So... why? Am I misunderstanding something? Or is Chromium
hard-coded to be rejected by the app's extension?
Thanks.
1Password Version: 7.0.7 (70007000)
Extension Version: 4.7.2.90
OS Version: 10.13.6 (17G65)
Sync Type: iCloud
Comments
-
So far as I know, 1Password adopted a more secure way to verify browsers to work with in ver. 6.7 or 6.8. That is, it works with browsers only when they're code-signed. So, Chromium nightly builds wouldn't work, which is natural.
I'm using Chromium built by FreeSMUG: http://www.freesmug.org/chromium.
Chromium releases by FreeSMUG are code-signed, which you can inspect by: codesign -dvvv /Applications/Chromium.app
but it doesn't work with 1Password Chrome extension and I wonder why. Is Chromium
hard-coded to be rejected or am I missing/misunderstanding something?
Maybe I'm misunderstanding the meaning of Signed
...?
To see the authentication of the Chromium I'm talking about, please do below (assuming brew and cask are installed):
brew cask install freesmug-chromium && codesign -dvvv /Applications/Chromium.app
FYI, I'm aware of those articles already:
https://support.1password.com/kb/201707/
https://support.1password.com/code-signature/
I'm not here to argue about how verification is done or something, but just curious why it doesn't work because it must be working like a charm as long as information from articles above and this community are correct.
Thanks.
1Password Version: 7.0.7 (70007000)
Extension Version: 4.7.2.90
OS Version: 10.13.6 (17G65)
Sync Type: iCloud
0 -
Officially, 1Password supports Safari, Firefox, Chrome, and Opera. Some other browsers that are variants of Chromium/Chrome or Firefox are recognized and allowed, but not guaranteed (e.g. Brave, Chrome Canary, and Yandex). Browsers must be whitelisted in addition to being codesigned. We don’t add more browsers to this whitelist because each one increases the size of the attack surface (imagine a browser’s author leaks their code signing certificate; any app could use it and impersonate the browser). Every additional browser also adds to the code signature verification time for all processes that connect. As such we’re not going to be able to support FreeSMUG’s build; my apologies.
Ben
0 -
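The two-step decision described in the reply above (a valid signature is required, and the signer must also be on an allowlist), as an added example that is not part of the original thread and not 1Password's code. It assumes an allowlist keyed on bundle identifier plus Team ID; the identifiers, Team IDs and sample `codesign -dvvv` output are constructed placeholders.

```shell
#!/bin/sh
# Allowlist of "bundle-identifier:team-id" pairs (assumed format).
# Constructed placeholders, not real Team IDs or any vendor's list.
ALLOWLIST='com.example.browser:AAAAAAAAAA
org.example.otherbrowser:BBBBBBBBBB'

# Constructed sample of `codesign -dvvv` output for a third-party build
# that is validly signed, but by a team that is not on the allowlist.
SAMPLE_THIRD_PARTY='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=org.example.thirdparty
Authority=Developer ID Application: Example Builder (CCCCCCCCCC)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=CCCCCCCCCC'

# Print the value of one KEY=value field from codesign text on stdin.
cs_field() {
    sed -n "s/^$1=//p" | head -n 1
}

# Classify descriptive codesign output read from stdin.
# Prints one of: allowed | not-allowlisted | no-team-id
classify_signature() {
    info=$(cat)
    ident=$(printf '%s\n' "$info" | cs_field Identifier)
    team=$(printf '%s\n' "$info" | cs_field TeamIdentifier)
    # Ad hoc signatures report "TeamIdentifier=not set".
    if [ -z "$team" ] || [ "$team" = "not set" ]; then
        echo no-team-id
    elif printf '%s\n' "$ALLOWLIST" | grep -Fqx "$ident:$team"; then
        echo allowed
    else
        echo not-allowlisted
    fi
}

# On macOS: the signature must verify AND the signer must be allowlisted.
check_app() {
    if ! codesign --verify --strict "$1" 2>/dev/null; then
        echo invalid-signature
    else
        codesign -dvvv "$1" 2>&1 | classify_signature
    fi
}

# Demo on the constructed sample; prints "not-allowlisted".
printf '%s\n' "$SAMPLE_THIRD_PARTY" | classify_signature
```

On a Mac, `check_app /Applications/Chromium.app` runs both steps against a real bundle; a build can pass the first step and still come back `not-allowlisted`.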
Hi @Ben
First of all, thanks much for your quick response.
Well,
imagine a browser’s author leaks their code signing certificate; any app could use it and impersonate the browser
This totally makes sense! Indeed! How indeed. Yes, this might happen easily and I've actually seen that kind of accident on some apps years ago.
Now, I need to reconsider which one to use as main browser. :chuffed:
So, in other words, you can say browsers supported by 1Password are secure/verified enough, at least on that aspect...
As such we’re not going to be able to support FreeSMUG’s build; my apologies.
No apologies needed, I'm impressed that security is deeply considered and structured in your team, really. Please keep it up.
0 -
So, in other words, you can say browsers supported by 1Password are secure/verified enough, at least on that aspect...
We’re confident enough in the process by which the signing certificates for Safari, Firefox, Chrome, and Opera official builds are managed to consider them supported browsers. :)
No apologies needed, I'm impressed that security is deeply considered and structured in your team, really. Please keep it up.
Thanks for saying so. There is always a fine balance between security and convenience when building a product like 1Password. We carefully evaluate this balance on a regular basis and every time a decision must be made that could affect either.
Ben
0 -
Replying to fix a bug in the forum’s display. Disregard this post. :)
Ben
0