client certificate auth on MacOS 10.12 blocked by securityd due to "code signing check failed"
Reported by m...@stohn.de, Oct 5 2016
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

Example URL:
any https url which requires client auth

Steps to reproduce the problem:
1. install new client certificate + key in MacOS keychain
2. go to a https web site which requires (this) client certificate
3. chrome shows UI offering the correct client certificate
4. select the client certificate and press "OK"

What is the expected behavior?
client cert (+key) is used to authenticate and access to web site is granted

What went wrong?
chrome shows: ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED

Did this work before? N/A

Chrome version: 53.0.2785.116
Channel: stable
OS Version: OS X 10.12.0
Flash Version: Shockwave Flash 23.0 r0

system log filtered for "chrome" shows:

Standard 14:38:58.419359 +0200 Google Chrome switching to keychain-db: /Users/maik/Library/Keychains/login.keychain-db from /Users/maik/Library/Keychains/login.keychain (0 1 1 1)
Standard 14:38:58.419530 +0200 Google Chrome not switching: /Users/maik/Library/Keychains/Microsoft_Entity_Certificates-db from /Users/maik/Library/Keychains/Microsoft_Entity_Certificates (0 1 1 0)
Standard 14:38:58.419658 +0200 Google Chrome not switching as we're not in ~/Library/Keychains/: /Library/Keychains/System.keychain (0)
Standard 14:38:58.420898 +0200 Google Chrome getting current attributes...
Standard 14:38:58.420985 +0200 Google Chrome filling 27 attributes for type 16
Standard 14:38:58.421928 +0200 Google Chrome CSSM Exception: -2147416017 CSSMERR_CSP_ACL_ENTRY_TAG_NOT_FOUND
Standard 14:38:58.422050 +0200 Google Chrome CSSM Exception: -2147416017 CSSMERR_CSP_ACL_ENTRY_TAG_NOT_FOUND
Standard 14:38:58.422152 +0200 Google Chrome caught CssmError: -2147416017 CSSMERR_CSP_ACL_ENTRY_TAG_NOT_FOUND
Standard 14:38:58.474729 +0200 securityd suppressing keychain prompt /Applications/Google Chrome.app(338); code signing check failed rc=-67034
Standard 14:38:58.474975 +0200 Google Chrome CSSM Exception: -2147416032 CSSMERR_CSP_OPERATION_AUTH_DENIED

Last 2 lines showing the problem. It looks like securityd denies showing the UI from keychain to ask for permission to use the cert+priv key since it complains about "code signing check failed rc=-67034" for "Google Chrome.app".

Chrome was installed / updated using the stable channel only. No modifications have been done to the "Google Chrome.app" package. "Settings->Security->Allow Apps downloaded from" is set to "App Store and identified developers".

I think it might have been due to the MacOS 10.12 update which I applied recently.
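An added example, not part of the original report or of Chromium's code: a Python triage function that finds the securityd "suppressing keychain prompt ... code signing check failed" event in a log capture and pairs it with the CSSMERR_CSP_OPERATION_AUTH_DENIED that the same application logs right after, the two-line pattern the reporter points to. The function name, the one-second pairing window and the one-event-per-line input layout are assumptions; the sample lines are taken from the report above.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed sample: three lines taken from the report, one event per line.
SAMPLE_LOG = """\
Standard 14:38:58.422152 +0200 Google Chrome caught CssmError: -2147416017 CSSMERR_CSP_ACL_ENTRY_TAG_NOT_FOUND
Standard 14:38:58.474729 +0200 securityd suppressing keychain prompt /Applications/Google Chrome.app(338); code signing check failed rc=-67034
Standard 14:38:58.474975 +0200 Google Chrome CSSM Exception: -2147416032 CSSMERR_CSP_OPERATION_AUTH_DENIED
"""

# "<level> <HH:MM:SS.ffffff> <tz offset> <process and message>"
PREFIX = re.compile(r"^\w+\s+(\d{2}:\d{2}:\d{2}\.\d{6})\s+[+-]\d{4}\s+(.*)$")
SUPPRESSED = re.compile(
    r"^securityd suppressing keychain prompt (?P<path>.+)\((?P<pid>\d+)\); "
    r"code signing check failed rc=(?P<rc>-?\d+)$")
DENIED = re.compile(
    r"^(?P<proc>.+?) CSSM Exception: -?\d+ CSSMERR_CSP_OPERATION_AUTH_DENIED$")

def find_suppressed_prompts(log_text, window=timedelta(seconds=1)):
    """Hypothetical helper: one finding per keychain prompt that securityd
    suppressed, plus the AUTH_DENIED error the same app logged within `window`.
    Timestamps carry no date, so a capture spanning midnight is not handled."""
    events = []
    for line in log_text.splitlines():
        m = PREFIX.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%H:%M:%S.%f"), m.group(2)))
    findings = []
    for i, (ts, msg) in enumerate(events):
        hit = SUPPRESSED.match(msg)
        if not hit:
            continue
        # "/Applications/Google Chrome.app" -> "Google Chrome" (log process name)
        app = os.path.splitext(os.path.basename(hit.group("path")))[0]
        denied_at = None
        for later_ts, later_msg in events[i + 1:]:
            if later_ts - ts > window:
                break
            d = DENIED.match(later_msg)
            if d and d.group("proc") == app:
                denied_at = later_ts.time().isoformat()
                break
        findings.append({"app_path": hit.group("path"), "pid": int(hit.group("pid")),
                         "rc": int(hit.group("rc")), "time": ts.time().isoformat(),
                         "auth_denied_at": denied_at})
    return findings
```

A finding whose `auth_denied_at` is set means the application was refused the key operation without the user ever seeing a keychain prompt, which is what surfaced in Chrome as ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED.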
Oct 6 2016
Very good catch, I don't know how I could miss the outstanding update. My last restart of Chrome was just 1 day ago. After I applied the update the keychain dialog popped up and asked for permission and everything worked fine afterwards. Maybe a change of the update procedure or a better visualisation of the update would be good in future to prevent this kind of situation. Many thanks for the fast and good feedback. Your support is great for such a big project!
Oct 6 2016
As per comment #2, closing this issue. Please raise a new issue if you come across a similar one in any of the latest Chrome versions. Thank you!
Comment 1 by mattm@chromium.org, Oct 5 2016