Validly signed .dmg is flagged as "harmful" in the UI (sometimes)
Reported by
ccno...@gmail.com,
May 23 2016
|
||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36 Example URL: http://app.domo.com/DomoBuzz/v0_4_8/Buzz-0.4.8.dmg Steps to reproduce the problem: 1. Visit http://app.domo.com/DomoBuzz/v0_4_8/Buzz-0.4.8.dmg to download the file. 2. File will likely be flagged harmful -- keep it anyways. (Paradoxically, this behavior *usually* happens but not always. You may have to try more than once.) 3. Open the dmg, drag the .app out and run: codesign --verbose=4 --deep --strict Buzz.app/ spctl -av --raw Buzz.app/ Both will return that it's a valid, safe app. What is the expected behavior? It downloads without being flagged as harmful. What went wrong? It was flagged as harmful by Chrome despite it passing OSX's security check tools (codesign and spctl), and OSX Gatekeeper allowing the application to run. Additionally, both Safari and Firefox download it without issue. Did this work before? N/A Chrome version: 50.0.2661.102 Channel: stable OS Version: OS X 10.11.5 Flash Version: Shockwave Flash 21.0 r0 It'd be great if you could provide ways to test that whether my app is going to be flagged by Chrome as harmful. I'd also like to know if there's any caching behavior on URLs or any logic that says "this user trusted downloads from this URL/host before, trust them again later". Thanks!
,
May 23 2016
Thanks for reporting this issue! I cannot reproduce on either stable or canary version. I tried to download this file 10 times on each version, none of them triggered download protection warning. Generally speaking, chrome safe browsing uses both blacklisting checking and content analysis to check the downloads, therefore, might show different results from OSX security check tools. And no, chrome does not cache user's decision on certain host or url since a domain/url can go bad anytime. For now, I'll mark this bug as won't fix due to unable to reproduce it. If you encounter download warning again, please take a screenshot and attach it to this bug. It would be even more helpful if you can test this download on other's computer to rule out causes of compromised browser or operating system. Thanks! |
||
►
Sign in to add a comment |
||
Comment 1 by zhongyi@chromium.org
, May 23 2016