Wednesday, June 27, 2012

Chrome broken in OS X due to certificate change: Issue 108238 - Canary asks for access to every keychain item

I got hit with this bug on my Air: Issue 108238 - chromium - Canary asks for access to every keychain item.

We had to change the certificate we use to sign Chrome.

Transition code was included in (stable channel) Chrome 19.0.1084.53 and 19.0.1084.54 to migrate your Keychain items. If you’re on the stable channel but did not launch one of these two versions, upon update to 19.0.1084.56, your Keychain items were “lost” and need to be reauthorized manually.

There is a mitigation in place for 19.0.1084.56 and newer: when Chrome automatically updates itself, the updater will perform the transition. Unfortunately, this is only effective if the updater has permission to do this, and that’s generally only the case when you’re on a “user ticket,” and not when “Set Up Automatic Updates for All Users” has been used.

The correct thing to do when such a dialog appears is to click “Always Allow”. We don’t anticipate any further Keychain changes like this for a very long time, and we hope that in the future, if we do need to make such changes, to have a longer time in which to let the transition run.

It's an interaction bug between Chrome Sync, OS X Keychain, Lion, and a certificate signing change with a short overlap period:

The at-update reauthorization is intended to handle the reauthorization for users who rarely restart Chrome and might miss out on the at-launch step during the window where Chrome is signed by the old certificate but has the new reauthorization code in place.

It hit a machine I rarely use where Chrome was probably running, so when I restarted it the old cert had expired.

There's no plausible workaround, the Google support forum thread on this topic has quite a few deleted messages. The fix seems to be to switch to Safari or Firefox. In a case like mine, where there are hundreds or even thousands of passwords in the Keychain, tapping "Always Allow" repeatedly can take a very long time. Chrome is unusable for now on my Air.

I'm curious as to why Google made this fairly urgent change to their Chrome code signing cert. My Google searches didn't turn anything up. I assume it's related to a significant security breach.  The silence is curious.

Update: Since this was not my main machine I applied the drastic "fix" of deleting my entire #$#$ user login keychain because Google was supposed to 'regenerate it'. Which it sort of did, but the process turned into a slog of bugs and issues far too tedious to list (including a password displayed in a font that rendered a zero as an o. Even after the Google sync was done I am still out many passwords on that machine that are used by other apps. I really don't recommend this approach. It's easier to switch to Firefox or Safari.

So far tonight Google and Apple are causing me similar amounts of pain.

1 comment:

Anonymous said...

Seeing same issues as you .. in my case anything that uses SSL whether a browser app or native app is broken .. even App Store app is broken!