Code-signed Chromium build doesn't work with 1Password Extension.

CGDisplayBounds
Community Member
edited August 2018 in Mac

So, since 1Password ver. 6.7 or 6.8, browser integration has been more secure.
First of all, I'm aware that 1Password today doesn't accept apps without code-signing. So, for instance, browsers like Chromium nightly builds won't work with 1Password, while it works with browsers like Firefox or Vivaldi, which makes sense: those are built and code-signed by a valid team.

Now, Chromium. Chromium, but the very one built by FreeSMUG: http://www.freesmug.org/chromium
This one is code-signed but doesn't work with the 1Password Extension.
I verified it's code-signed with codesign -dvvv /Applications/Chromium.app and it returns valid authentication info.
I've already tried this workaround: https://support.1password.com/kb/201707/

I'm not here to argue about how browser verification works or anything, it's just ... based on info available from the community, it should work.
So... why? Am I misunderstanding something? Or is Chromium hard-coded to be rejected by the app's extension?

Thanks.


1Password Version: 7.0.7 (70007000)
Extension Version: 4.7.2.90
OS Version: 10.13.6 (17G65)
Sync Type: iCloud

Comments

  • CGDisplayBounds
    Community Member
    edited August 2018

    So far as I know, 1Password adopted a more secure way to verify the browsers it works with in ver. 6.7 or 6.8. That is, it works with browsers only when they're code-signed. So, Chromium nightly builds wouldn't work, which is natural.

    I'm using Chromium built by FreeSMUG: http://www.freesmug.org/chromium.
    Chromium releases by FreeSMUG are code-signed, which you can inspect by: codesign -dvvv /Applications/Chromium.app but it doesn't work with 1Password Chrome extension and I wonder why. Is Chromium hard-coded to be rejected or am I missing/misunderstanding something?
    Maybe I'm misunderstanding the meaning of Signed...?

    To see the authentication of the Chromium I'm talking about, please do below (assuming brew and cask are installed):
    brew cask install freesmug-chromium && codesign -dvvv /Applications/Chromium.app

    FYI, I'm aware of those articles already:
    https://support.1password.com/kb/201707/
    https://support.1password.com/code-signature/

    I'm not here to argue about how verification is done or something, but I'm just curious why it doesn't work, because it must be working like a charm as long as the information from the articles above and this community is correct.

    Thanks.


    1Password Version: 7.0.7 (70007000)
    Extension Version: 4.7.2.90
    OS Version: 10.13.6 (17G65)
    Sync Type: iCloud

  • Hi @CGDisplayBounds

    Officially, 1Password supports Safari, Firefox, Chrome, and Opera. Some other browsers that are variants of Chromium/Chrome or Firefox are recognized and allowed, but not guaranteed (e.g. Brave, Chrome Canary, and Yandex). Browsers must be whitelisted in addition to being codesigned. We don’t add more browsers to this whitelist because each one increases the size of the attack surface (imagine a browser’s author leaks their code signing certificate; any app could use it and impersonate the browser). Every additional browser also adds to the code signature verification time for all processes that connect. As such we’re not going to be able to support FreeSMUG’s build; my apologies.

    Ben
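
The reply above separates "has a valid signature" from "is signed by an allowlisted browser vendor". The sketch below is an added example, not 1Password's code or its actual list: it parses constructed text in the layout of `codesign -dvvv` and accepts a browser only when its bundle identifier and Team ID pair appears in a placeholder allowlist.

```shell
#!/bin/sh
# Added example. Allowlist entries are "bundle identifier:Team ID"; every value
# below is a constructed placeholder, not a real vendor or 1Password's list.
ALLOWLIST='com.example.browser:AAAAAAAAAA
com.example.otherbrowser:BBBBBBBBBB'

# Constructed samples in the layout of `codesign -dvvv` (which prints to stderr).
SAMPLE_LISTED='Identifier=com.example.browser
Authority=Developer ID Application: Example Vendor (AAAAAAAAAA)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=AAAAAAAAAA'
# Validly signed community rebuild: real certificate chain, signer not listed.
SAMPLE_UNLISTED='Identifier=org.example.rebuild
Authority=Developer ID Application: Example Rebuilder (CCCCCCCCCC)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=CCCCCCCCCC'
# Ad-hoc signature reusing a listed identifier: no certificate, no team.
SAMPLE_ADHOC='Identifier=com.example.browser
Signature=adhoc
TeamIdentifier=not set'

# field NAME TEXT: print the value of the first "NAME=value" line in TEXT.
field() {
  printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

# check_browser TEXT: print a decision; return 0 only for an allowlisted pair.
check_browser() {
  id=$(field Identifier "$1")
  team=$(field TeamIdentifier "$1")
  if [ -z "$team" ] || [ "$team" = "not set" ]; then
    echo "reject: $id has no Team ID"
    return 1
  fi
  if printf '%s\n' "$ALLOWLIST" | grep -Fqx -- "$id:$team"; then
    echo "allow: $id signed by $team"
    return 0
  fi
  echo "reject: $id signed by $team is not allowlisted"
  return 1
}

for sample in "$SAMPLE_LISTED" "$SAMPLE_UNLISTED" "$SAMPLE_ADHOC"; do
  check_browser "$sample" || true
done
```

`codesign -d` only displays signing information; on macOS the signature itself is checked with `codesign --verify`, which can also test the signer against a requirement passed with `-R`.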

  • CGDisplayBounds
    Community Member
    edited August 2018

    Hi @Ben

    First of all, thanks much for your quick response.
    Well,

    > imagine a browser’s author leaks their code signing certificate; any app could use it and impersonate the browser

    This totally makes sense! Indeed! How indeed. Yes, this might happen easily and I've actually seen that kind of accident on some apps years ago.
    Now, I need to reconsider which one to use as my main browser. :chuffed:

    So, in other words, you can say browsers supported by 1Password are secure/verified enough, at least on that aspect...

    > As such we’re not going to be able to support FreeSMUG’s build; my apologies.

    No apologies needed, I'm impressed that security is deeply considered and structured in your team, really. Please keep it up.

  • > So, in other words, you can say browsers supported by 1Password are secure/verified enough, at least on that aspect...

    We’re confident enough in the process by which the signing certificates for Safari, Firefox, Chrome, and Opera official builds are managed to consider them supported browsers. :)

    > No apologies needed, I'm impressed that security is deeply considered and structured in your team, really. Please keep it up.

    Thanks for saying so. There is always a fine balance between security and convenience when building a product like 1Password. We carefully evaluate this balance on a regular basis and every time a decision must be made that could affect either.

    Ben

  • Replying to fix a bug in the forum’s display. Disregard this post. :)

    Ben

This discussion has been closed.