Chrome 71.0.3578.98 suddenly not working with 1password [7.2.617 update is out]


Comments

  • @MikeT here's what Windows is telling me about chrome.exe. I don't see any message about an invalid certificate, even though "Valid to" is in the past. I assume this is due to the timestamping which @RogerD mentioned.



  • Hi @MikeT, thanks for the detail. May I ask what API call and params 1Password uses to verify? Similar to @darktygur's GUI approach above, I tried the Windows SDK's signtool.exe. Per the documentation at https://docs.microsoft.com/en-us/windows/desktop/seccrypto/using-signtool-to-verify-a-file-signature , it requires the /pa switch to use the codesigning method of auth, else it defaults to a driver-signing policy which is a different crypto spec and fails. Maybe the API is the same?

    So when I do this, it succeeds:

    C:\Users\Roger>"C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64\signtool.exe" verify /v /pa "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
    
    Verifying: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    
    Signature Index: 0 (Primary Signature)
    Hash of file (sha256): 999E256D3C01169C3B734EA8AC8F34EC49369DB0F0D4CBB3711E79BEF8C3DAB7
    
    Signing Certificate Chain:
        Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
        Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
        Expires:   Wed Jul 16 15:59:59 2036
        SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
    
            Issued to: Symantec Class 3 SHA256 Code Signing CA
            Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
            Expires:   Sat Dec 09 15:59:59 2023
            SHA1 hash: 007790F6561DAD89B0BCD85585762495E358F8A5
    
                Issued to: Google Inc
                Issued by: Symantec Class 3 SHA256 Code Signing CA
                Expires:   Sun Dec 16 15:59:59 2018
                SHA1 hash: 5A9272CE76A9415A4A3A5002A2589A049312AA40
    
    The signature is timestamped: Thu Nov 15 21:43:04 2018
    Timestamp Verified by:
        Issued to: VeriSign Universal Root Certification Authority
        Issued by: VeriSign Universal Root Certification Authority
        Expires:   Tue Dec 01 15:59:59 2037
        SHA1 hash: 3679CA35668772304D30A5FB873B0FA77BB70D54
    
            Issued to: Symantec SHA256 TimeStamping CA
            Issued by: VeriSign Universal Root Certification Authority
            Expires:   Sat Jan 11 15:59:59 2031
            SHA1 hash: 6FC9EDB5E00AB64151C1CDFCAC74AD2C7B7E3BE4
    
                Issued to: Symantec SHA256 TimeStamping Signer - G3
                Issued by: Symantec SHA256 TimeStamping CA
                Expires:   Thu Mar 22 15:59:59 2029
                SHA1 hash: A9A4121063D71D48E8529A4681DE803E3E7954B0
    
    
    Successfully verified: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    
    Number of files successfully Verified: 1
    Number of warnings: 0
    Number of errors: 0
    
  • How do we update 1Password?

  • Chiming in to say that, yes, Windows accepts that certificate on my end too thanks to timestamping when the EXE was signed. signtool.exe verify /pa /v chrome.exe succeeds the same way as Roger's did, except my Chrome version is newer (signed December 12th) and thus has a different file hash, timestamp time & server.

    If timestamping isn't being respected due to a bug then I'd understand, but otherwise I don't see a reason why an expired but valid at time of signing cert is bad, so far as the cert isn't revoked/compromised?

  • MikeT Agile Samurai

    Team Member

    Hi guys,

    @toobs, you can check for the update either via the 1Password menu, which automatically triggers the update check or you can go to 1Password menu > Settings > Update to check for an update there.

    @Smileybarry, @RogerD, we use .NET APIs to validate the certificate chain; we would have to explicitly add a flag to ignore the time verification to see the signature as valid but for right now, the API returns it as not valid if there is a certificate in the entire chain that is not valid merely because it is expired. It is possible that in a future update, we will be more flexible regarding expired signing certificates.
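
The difference discussed above between Windows' timestamp-aware Authenticode check and a plain .NET chain build, as an added PowerShell example that is not 1Password's code and not part of the original thread. `Compare-SignatureCheck` is a hypothetical name; `X509Chain` and `X509VerificationFlags.IgnoreNotTimeValid` are standard .NET APIs, assumed here because the thread does not name the exact calls 1Password makes.

```powershell
# Added example, not 1Password's code. -Path is any Authenticode-signed file.
function Compare-SignatureCheck {
    param([Parameter(Mandatory)][string]$Path)

    # Windows' own Authenticode check: an expired signer is accepted when a
    # trusted timestamp shows the file was signed while the cert was valid.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate
    if (-not $cert) { throw "No Authenticode signature found on $Path" }

    $ns = 'System.Security.Cryptography.X509Certificates'
    $codeSigning = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'

    # Chain build evaluated at the current time: an expired signer
    # makes Build() return $false with a NotTimeValid status.
    $strict = New-Object "$ns.X509Chain"
    [void]$strict.ChainPolicy.ApplicationPolicy.Add($codeSigning)
    $strictOk = $strict.Build($cert)

    # Same build with the validity-period check switched off.
    $lenient = New-Object "$ns.X509Chain"
    [void]$lenient.ChainPolicy.ApplicationPolicy.Add($codeSigning)
    $lenient.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::IgnoreNotTimeValid
    $lenientOk = $lenient.Build($cert)

    # IgnoreNotTimeValid alone would also accept an expired signature that was
    # never timestamped, so the lenient result is trusted only when Windows
    # validated the signature and a timestamp countersignature is present.
    $timestamped = $null -ne $sig.TimeStamperCertificate
    [pscustomobject]@{
        AuthenticodeStatus = $sig.Status
        SignerNotAfter     = $cert.NotAfter
        Timestamped        = $timestamped
        StrictChainOk      = $strictOk
        StrictChainStatus  = ($strict.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        LenientChainOk     = $lenientOk
        Accept             = ($sig.Status -eq 'Valid') -and
                             ($strictOk -or ($lenientOk -and $timestamped))
    }
}

# Path taken from the signtool session earlier in the thread.
Compare-SignatureCheck -Path 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
```

For a binary whose signing certificate has since expired, `StrictChainOk` is `False` while `AuthenticodeStatus` stays `Valid`, which is the mismatch the thread describes.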

  • Please inform when comes the update for the beta 7.3
    Chrome extension is already not working here
    thx

  • brenty

    Team Member

    We've released a stable update to accommodate the new signing keys for Chrome:

    https://1password.com/downloads/

  • Yap, I know
    when comes the update for the beta? I don't want to uninstall the beta and reinstall the stable
    thx

  • brenty

    Team Member

    I don't know. Literally everyone else is sleeping right now. ;) I'm sure we'll have a new one as soon as possible though. We want to keep testing 7.3 so we can get it out to everyone before long. :)

  • edited December 2018

    @MikeT If this issue (or something similar) were to happen again in the future, would rolling back to a previous version of Chrome be a quick fix until an update is released?

    If rolling chrome back is possible...

  • MikeT Agile Samurai

    Team Member

    Hi guys,

    @xels:

    when comes the update for the beta? I don't want to uninstall the beta and reinstall the stable

    We will be releasing a new 7.3 beta update today, first we have to port the changes from yesterday's late Sunday evening fix to put it in 7.3 beta to support the expired signing key.

    @themontelegend:

    @MikeT If this issue (or something similar) were to happen again in the future, would rolling back to a previous version of Chrome be a quick fix until an update is released?

    Well, first the new signing key is good for the next three years, we most likely will have a better implementation in time that may accept expired signing keys as long as the rest of the chain is still valid as others have suggested in this thread.

    Secondly, if you're using 1Password.com account, we recommend switching to the 1Password X extension as a temporary measure as it wouldn't be impacted.

    Finally, the last option is to use a different Chrome version or Chrome-based browser (Vivaldi, Brave) or Firefox until we release an update to fix the issue, we almost always will release an update on the stable channel within hours if not within the first day.

    Do not roll back to the previous Chrome version, that's not safe to do especially if they disclosed any security issues in the update notes.

    @Bernfrin

    Thank you for the excellent work to get a fix released for an issue that was not caused by any error on the part of AgileBits. Your efforts are truly appreciated (especially on a weekend) by most if not all of us.

    You're welcome. We do think we can do better here and we're going to review all certificates of browsers we support; add the dates to our calendar, make sure we warn our contacts about an expiring anything and then try to accommodate them weeks prior to the expiration.

    But first, we'll finish up the work on 1Password 7.3 and we'll then review how we can prevent this again.

  • @MikeT thank you for the updates. I've been getting calls from users all morning about the refused browser connection issue.

  • kevwil Junior Member

    @SergeyTheAgile and @MikeT and @brenty - thanks for staying on top of this and being so transparent. Since Chrome doesn't make it easy to "roll back" it's reassuring to know exactly what's going on and that everyone is on the ball.

  • MikeT Agile Samurai

    Team Member

    Hi guys,

    @twiddlesThumbs, sorry about that. Hopefully, they're all updating without any issues now.

    @kevwil, on behalf of the team, you're welcome.

  • xels
    edited December 2018

    Yea, top performance.
    Works with the update :-)
    Thanks a lot!

  • MikeT Agile Samurai

    Team Member

    On behalf of our team, you're welcome!

    We've just shipped 7.3 Beta 3 with the same Chrome fixes.

  • Thanks, working well with 7.3.619

  • Everything works now, thank you guys for the quick update!

  • brenty

    Team Member

    Likewise, thanks for the kind words! We also appreciate your understanding and patience -- though only a little was required in this case thanks to the quick turnaround. Cheers! :chuffed:

  • Just a followup - when the new beta came down it looks like it somehow changes the path and the shortcut for the program I have in the start menu lost its icon. So I removed it and went to the Program List to just pin the new one to the Start Menu but it doesn't exist there.

    I can launch it from the system tray icon or I can type "1 password for windows" on the run line. But I can't pin it to the start menu
    Can we please add the Start Menu entry back on the next beta please.

  • brenty

    Team Member

    This discussion is about a browser change, not about icons or the beta. Also, please don't post the same thing in multiple places. That just slows down response time for everyone. :blush: I'll follow up with you in the relevant discussion.

  • rbmanian75 Junior Member

    Chrome 72 is released and I am using 1password 4 for windows and it is not working with chrome browser. Any fix for 1password for windows 4 who are still tied to dropbox

  • bundtkate

    Team Member

    Hey, @rbmanian75! This thread was specifically about an issue with Chrome's new signing certificate and 1Password 7, so it's not related to the issue you're seeing. I see you've reached out via e-mail as well, so I'll go ahead and respond to your specific issue there. :+1:

  • Hi guys,
    seems we can't use the browser extension with the 1Password 4 on windows. I'm using chrome 72.

  • brenty

    Team Member

    @kuhyon: 1Password 4 was discontinued years ago, and does not know about the new code signature in Chrome 72, which did not exist at that time. You'd need to either upgrade to 1Password 7, which is being actively developed and has the new signature, or use one of the other supported browsers (such as Brave, Firefox, Opera, etc.)

This discussion has been closed.