Chrome 71.0.3578.98 suddenly not working with 1password [7.2.617 update is out]
Comments
-
Hi @MikeT, thanks for the detail. May I ask what API call and params 1Password uses to verify? Similar to @darktygur's GUI approach above, I tried the Windows SDK's signtool.exe. Per the documentation at https://docs.microsoft.com/en-us/windows/desktop/seccrypto/using-signtool-to-verify-a-file-signature , it requires the /pa switch to use the codesigning method of auth, else it defaults to a driver-signing policy which is a different crypto spec and fails. Maybe the API is the same?
So when I do this, it succeeds:
C:\Users\Roger>"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe" verify /v /pa "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

Verifying: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Signature Index: 0 (Primary Signature)
Hash of file (sha256): 999E256D3C01169C3B734EA8AC8F34EC49369DB0F0D4CBB3711E79BEF8C3DAB7

Signing Certificate Chain:
    Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
    Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
    Expires:   Wed Jul 16 15:59:59 2036
    SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

        Issued to: Symantec Class 3 SHA256 Code Signing CA
        Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
        Expires:   Sat Dec 09 15:59:59 2023
        SHA1 hash: 007790F6561DAD89B0BCD85585762495E358F8A5

            Issued to: Google Inc
            Issued by: Symantec Class 3 SHA256 Code Signing CA
            Expires:   Sun Dec 16 15:59:59 2018
            SHA1 hash: 5A9272CE76A9415A4A3A5002A2589A049312AA40

The signature is timestamped: Thu Nov 15 21:43:04 2018
Timestamp Verified by:
    Issued to: VeriSign Universal Root Certification Authority
    Issued by: VeriSign Universal Root Certification Authority
    Expires:   Tue Dec 01 15:59:59 2037
    SHA1 hash: 3679CA35668772304D30A5FB873B0FA77BB70D54

        Issued to: Symantec SHA256 TimeStamping CA
        Issued by: VeriSign Universal Root Certification Authority
        Expires:   Sat Jan 11 15:59:59 2031
        SHA1 hash: 6FC9EDB5E00AB64151C1CDFCAC74AD2C7B7E3BE4

            Issued to: Symantec SHA256 TimeStamping Signer - G3
            Issued by: Symantec SHA256 TimeStamping CA
            Expires:   Thu Mar 22 15:59:59 2029
            SHA1 hash: A9A4121063D71D48E8529A4681DE803E3E7954B0

Successfully verified: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
0 -
How do we update 1Password?
0 -
Chiming in to say that, yes, Windows accepts that certificate on my end too thanks to timestamping when the EXE was signed.
signtool.exe verify /pa /v chrome.exe
succeeds the same way as Roger's did, except my Chrome version is newer (signed December 12th) and thus has a different file hash, timestamp time & server. If timestamping isn't being respected due to a bug then I'd understand, but otherwise I don't see a reason why an expired but valid at time of signing cert is bad, so far as the cert isn't revoked/compromised?
0 -
Hi guys,
@toobs, you can check for the update either via the 1Password menu, which automatically triggers the update check or you can go to 1Password menu > Settings > Update to check for an update there.
@Smileybarry, @RogerD, we use .NET APIs to validate the certificate chain; we would have to explicitly add a flag to ignore the time verification to see the signature as valid but for right now, the API returns it as not valid if there is a certificate in the entire chain that is not valid merely because it is expired. It is possible that in a future update, we will be more flexible regarding expired signing certificates.
0 -
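The three chain-validation policies discussed in the posts above, as an added C# example (not 1Password's code and not from the thread). The class `SignerChainCheck`, the helper `BuildAt` and the command-line arguments are hypothetical; the signing time is assumed to come from a timestamp countersignature that has already been verified separately.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography.X509Certificates;

static class SignerChainCheck   // hypothetical name, for illustration only
{
    // Builds the signer's chain as of 'when' and reports whether it is trusted.
    static bool BuildAt(X509Certificate2 signer, DateTime when, X509VerificationFlags flags)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.VerificationFlags = flags;
            chain.ChainPolicy.VerificationTime = when;
            bool ok = chain.Build(signer);
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("    {0}: {1}", s.Status, s.StatusInformation.Trim());
            return ok;
        }
    }

    static void Main(string[] args)
    {
        // args[0]: path to the signed EXE.
        // args[1]: signing time in UTC, e.g. "2018-11-15T21:43:04Z" (assumed already verified).
        // CreateFromSignedFile only extracts the signer certificate. It does not check that
        // the file hash matches the signature; WinVerifyTrust or signtool does that part.
        var signer = new X509Certificate2(X509Certificate.CreateFromSignedFile(args[0]));
        DateTime signedAt = DateTime.Parse(args[1], CultureInfo.InvariantCulture,
            DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal);

        // 1. Strict: any expired certificate in the chain fails with NotTimeValid.
        Console.WriteLine("now, no flags: {0}",
            BuildAt(signer, DateTime.UtcNow, X509VerificationFlags.NoFlag));

        // 2. Ignore validity periods: passes, but would also pass for an expired
        //    certificate whose signature was never timestamped.
        Console.WriteLine("now, IgnoreNotTimeValid: {0}",
            BuildAt(signer, DateTime.UtcNow, X509VerificationFlags.IgnoreNotTimeValid));

        // 3. Timestamp-aware: the chain must have been valid when the file was signed.
        Console.WriteLine("at signing time, no flags: {0}",
            BuildAt(signer, signedAt, X509VerificationFlags.NoFlag));
    }
}
```

Policy 3 matches the behaviour the posters observed with `signtool verify /pa`: an expired signer certificate is accepted only because a trusted timestamp places the signature inside its validity period.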
Please inform when comes the update for the beta 7.3
Chrome extension is already not working here
thx
0 -
We've released a stable update to accommodate the new signing keys for Chrome:
0 -
Yap, I know
When comes the update for the beta? I don't want to uninstall the beta and reinstall the stable
thx
0 -
I don't know. Literally everyone else is sleeping right now. ;) I'm sure we'll have a new one as soon as possible though. We want to keep testing 7.3 so we can get it out to everyone before long. :)
0 -
This content has been removed.
-
@MikeT If this issue (or something similar) were to happen again in the future, would rolling back to a previous version of Chrome be a quick fix until an update is released?
If rolling chrome back is possible...
0 -
Hi guys,
> when comes the update for the beta? I don't want to uninstall the beta and reinstall the stable
We will be releasing a new 7.3 beta update today, first we have to port the changes from yesterday's late Sunday evening fix to put it in 7.3 beta to support the expired signing key.
> @MikeT If this issue (or something similar) were to happen again in the future, would rolling back to a previous version of Chrome be a quick fix until an update is released?
Well, first the new signing key is good for the next three years, we most likely will have a better implementation in time that may accept expired signing keys as long as the rest of the chain is still valid as others have suggested in this thread.
Secondly, if you're using 1Password.com account, we recommend switching to the 1Password X extension as a temporary measure as it wouldn't be impacted.
Finally, the last option is to use a different Chrome version or Chrome-based browser (Vivaldi, Brave) or Firefox until we release an update to fix the issue, we almost always will release an update on the stable channel within hours if not within the first day.
Do not roll back to the previous Chrome version, that's not safe to do especially if they disclosed any security issues in the update notes.
> Thank you for the excellent work to get a fix released for an issue that was not caused by any error on the part of AgileBits. Your efforts are truly appreciated (especially on a weekend) by most if not all of us.
You're welcome. We do think we can do better here and we're going to review all certificates of browsers we support; add the dates to our calendar, make sure we warn our contacts about an expiring anything and then try to accommodate them weeks prior to the expiration.
But first, we'll finish up the work on 1Password 7.3 and we'll then review how we can prevent this again.
0 -
@MikeT thank you for the updates. I've been getting calls from users all morning about the refused browser connection issue.
0 -
@SergeyTheAgile and @MikeT and @brenty - thanks for staying on top of this and being so transparent. Since Chrome doesn't make it easy to "roll back" it's reassuring to know exactly what's going on and that everyone is on the ball.
0 -
Hi guys,
@twiddlesThumbs, sorry about that. Hopefully, they're all updating without any issues now.
@kevwil, on behalf of the team, you're welcome.
0 -
Yea, top performance.
Works with the update :-)
Thanks a lot!
0 -
On behalf of our team, you're welcome!
We've just shipped 7.3 Beta 3 with the same Chrome fixes.
0 -
Thanks, working well with 7.3.619
0 -
Everything works now, thank you guys for the quick update!
0 -
Likewise, thanks for the kind words! We also appreciate your understanding and patience -- though only a little was required in this case thanks to the quick turnaround. Cheers! :chuffed:
0 -
Just a followup - when the new beta came down it looks like it somehow changes the path and the shortcut for the program I have in the start menu lost its icon. So I removed it and went to the Program List to just pin the new one to the Start Menu but it doesn't exist there.
I can launch it from the system tray icon or I can type "1 password for windows" on the run line. But I can't pin it to the start menu
Can we please add the Start Menu entry back on the next beta please.
0 -
This discussion is about a browser change, not about icons or the beta. Also, please don't post the same thing in multiple places. That just slows down response time for everyone. :blush: I'll follow up with you in the relevant discussion.
0 -
Chrome 72 is released and I am using 1password 4 for windows and it is not working with chrome browser. Any fix for 1password for windows 4 who are still tied to dropbox?
0 -
Hey, @rbmanian75! This thread was specifically about an issue with Chrome's new signing certificate and 1Password 7, so it's not related to the issue you're seeing. I see you've reached out via e-mail as well, so I'll go ahead and respond to your specific issue there. :+1:
0 -
Hi guys,
seems we can't use the browser extension with the 1Password 4 on windows. I'm using chrome 72.
0 -
@kuhyon: 1Password 4 was discontinued years ago, and does not know about the new code signature in Chrome 72, which did not exist at that time. You'd need to either upgrade to 1Password 7, which is being actively developed and has the new signature, or use one of the other supported browsers (such as Brave, Firefox, Opera, etc.)
0