Touch ID/Biometric authentication not available #93

Closed
rvsit opened this issue Sep 23, 2022 · 31 comments

@rvsit

rvsit commented Sep 23, 2022

In the current build of ungoogled chromium on macOS there is no option to authenticate with Touch ID through WebAuthn.

Steps to reproduce:

  • Go to webauthn.io.
  • Fill in a username and click register.
  • Chrome will show "This device" as an option, which triggers Touch ID; Ungoogled Chromium does not.

Left is Ungoogled Chromium, right is Chrome

I understand this might have something to do with signatures, is there anything we could do to possibly self sign it or something?

@networkException
Member

Does this work in vanilla chromium?

@rvsit
Author

rvsit commented Sep 24, 2022

Unsure, but it seems to have something to do with the signature/entitlements, see https://chromium.googlesource.com/chromium/src/+/lkgr/device/fido/mac/touch_id_context.mm
So I don't think there is anything we can do to fix it?

@PF4Public
Contributor

This is an old issue, that didn't show much activity recently and probably lost its significance — closing.
If you have any more information to add, let us know.

@PF4Public closed this as not planned on Feb 27, 2024

@MrChocolatine

MrChocolatine commented Mar 3, 2024

Can we reopen this ticket please? This is still an issue, for instance with GitHub:

github passkey

  • Version used: 122.0.6261.69

@PF4Public
Contributor

Sure, to improve the visibility, but apart from that it could very well be that this issue is inherently unsolvable.

@PF4Public reopened this on Mar 3, 2024

@MrChocolatine

> Sure, to improve the visibility, but apart from that it could very well be that this issue is inherently unsolvable.

because of this previous message? #93 (comment)

@PF4Public
Contributor

> because of this previous message? #93 (comment)

Partially, yes. Someone has to debug it, but no one seems to be eager enough.

@MrChocolatine

Unfortunately I do not have the knowledge to help, not my field.

@Cubik65536
Member

@MrChocolatine Can you confirm how this behaves on Vanilla Chromium (Chromium w/ Google)?

@MrChocolatine

@Cubik65536

I cannot test with vanilla Chromium as it conflicts with Ungoogled-Chromium:

➜  ~ brew install --cask chromium
==> Downloading https://formulae.brew.sh/api/cask.jws.json
...
Error: Cask 'chromium' conflicts with 'eloston-chromium'.

Maybe there is a way to bypass this conflict I am not aware of.

@Cubik65536
Member

> @Cubik65536
>
> I cannot test with vanilla Chromium as it conflicts with Ungoogled-Chromium:
>
> ➜  ~ brew install --cask chromium
> ==> Downloading https://formulae.brew.sh/api/cask.jws.json
> ...
> Error: Cask 'chromium' conflicts with 'eloston-chromium'.
>
> Maybe there is a way to bypass this conflict I am not aware of.

Don't download via HomeBrew, just download dmg from Chromium site and directly run the .app.

@Cubik65536
Member

Any updates? And can you check if the signed binaries at https://github.com/claudiodekker/ungoogled-chromium-binaries work with this? /cc @MrChocolatine

@MrChocolatine

MrChocolatine commented Mar 28, 2024

> Don't download via HomeBrew, just download dmg from Chromium site and directly run the .app.

Still unable to execute Chromium:

“Chromium.app” is damaged and can’t be opened. You should move it to the Bin.

And I tried several times.

@Cubik65536
Member

> > Don't download via HomeBrew, just download dmg from Chromium site and directly run the .app.
>
> Still unable to execute Chromium:
>
> “Chromium.app” is damaged and can’t be opened. You should move it to the Bin.
>
> And I tried several times.

@MrChocolatine Right-Click the app, select open, and then the system will prompt you with the option to run anyway.

@Cubik65536
Member

Oh, I might have misunderstood your issue; you need to download the version with the right architecture (arm or intel). The Chromium page seems to provide only one.

@MrChocolatine

MrChocolatine commented Mar 28, 2024

Yep, that's what I did and I get the above error.
I just tried again and same result when running the .app file, even with Ungoogled-Chromium closed.

https://download-chromium.appspot.com/dl/Mac_arm?type=snapshots

@Cubik65536
Member

Ummm, this runs very well for me. Are you running M-series chips?

@Cubik65536
Member

I tested on Vanilla Chromium, and it seems that auth doesn't work either with Vanilla Chromium...

I got a different prompt though (it is just the QR Code with a message saying USB key is available as option). Do you have the most recent version of UGC? If not, can you update and test again? /cc @MrChocolatine

@RobusK

RobusK commented Apr 27, 2024

@MrChocolatine

Sorry for my lack of response.
Still same issue, Touch ID not recognised.

And I am using the latest version of UGC available for macOS:
https://github.com/ungoogled-software/ungoogled-chromium-macos/releases/tag/125.0.6422.141-1.1

@Cubik65536
Member

> Sorry for my lack of response. Still same issue, Touch ID not recognised.
>
> And I am using the latest version of UGC available for macOS: 125.0.6422.141-1.1 (release)

Maybe also try the signed version: https://github.com/claudiodekker/ungoogled-chromium-macos/releases/tag/125.0.6422.141-1.1

As it may be this problem:

> it's because of a missing entitlement

@RobusK

RobusK commented Jun 15, 2024

The signed app doesn't have the com.apple.developer.web-browser.public-key-credential entitlement either.

Is there a way to locally sign the app with the restricted entitlement? I naively tried running

codesign --force --options runtime --deep --entitlements ./Chromium.app_entitlements.plist --sign 'Apple Development: REDACTED' ./Chromium.app, but as soon as I add a restricted entitlement, I get this:

❯ open Chromium.app The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x600001061950 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}

@Cubik65536
Member

> The signed app doesn't have the com.apple.developer.web-browser.public-key-credential entitlement either.
>
> Is there a way to locally sign the app with the restricted entitlement? I naively tried running
>
> codesign --force --options runtime --deep --entitlements ./Chromium.app_entitlements.plist --sign 'Apple Development: REDACTED' ./Chromium.app, but as soon as I add a restricted entitlement, I get this:
>
> ❯ open Chromium.app The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x600001061950 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}

I'll look into it.

@Cubik65536
Member

> The signed app doesn't have the com.apple.developer.web-browser.public-key-credential entitlement either.
>
> Is there a way to locally sign the app with the restricted entitlement? I naively tried running
>
> codesign --force --options runtime --deep --entitlements ./Chromium.app_entitlements.plist --sign 'Apple Development: REDACTED' ./Chromium.app, but as soon as I add a restricted entitlement, I get this:
>
> ❯ open Chromium.app The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x600001061950 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}

@RobusK There's a codesign command at the end of build.sh, would you like to try to modify it and try to see if you can sign with your entitlement? I don't have a paid developer account and unfortunately cannot test it myself.

@RobusK

RobusK commented Jun 15, 2024

@Cubik65536 I don't have an entitlement, nor a paid development either. I merely used the personal certificate one can generate in Xcode. Sorry for the confusion.

@Cubik65536
Member

> @Cubik65536 I don't have an entitlement, nor a paid development either. I merely used the personal certificate one can generate in Xcode. Sorry for the confusion.

Okay, thanks for the clarification...

@claudiodekker could you try to build one version on your side with the entitlement mentioned above (com.apple.developer.web-browser.public-key-credential)?

I am trying to get a development certificate for UGC, but I just can't afford to pay that at the moment... maybe we need to look further for some solutions.

@claudiodekker

@Cubik65536 Adding that caused a failure, which has to do with the fact that the web browser entitlement needs to be requested and assigned by Apple manually. I've submitted a request to them to obtain this entitlement for embedding as part of my builds.

https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_web-browser_public-key-credential
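
A diagnostic for the failure discussed in this thread, as an added example that is not part of the original comments or of the project's build scripts: it parses the entitlements embedded in a signature and lists the restricted ones that no provisioning profile grants. The `com.apple.developer.` prefix heuristic, the function names and the sample plists are assumptions made for illustration, as is the rule that an ungranted restricted entitlement leads to the launch being refused.

```python
import plistlib

# Entitlement this thread identifies as missing from the macOS builds.
PASSKEY = "com.apple.developer.web-browser.public-key-credential"
# Assumption (simplification): keys under this prefix are restricted, meaning an
# embedded provisioning profile issued by Apple must authorize them.
RESTRICTED_PREFIX = "com.apple.developer."


def load_entitlements(plist_bytes):
    """Parse an entitlements plist; empty input means no entitlements."""
    if not plist_bytes or not plist_bytes.strip():
        return {}
    data = plistlib.loads(plist_bytes)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist must be a dictionary")
    return data


def audit(signed_plist, profile_plist=None):
    """Compare entitlements claimed by the signature with those a profile grants.

    signed_plist:  output of `codesign -d --entitlements - --xml Chromium.app`
    profile_plist: the Entitlements dictionary of the embedded provisioning
                   profile, re-serialized as a plist (None if the app has none)
    """
    signed = load_entitlements(signed_plist)
    granted = load_entitlements(profile_plist)
    unauthorized = sorted(
        key for key, value in signed.items()
        if key.startswith(RESTRICTED_PREFIX) and granted.get(key) != value
    )
    return {
        "passkey_entitlement": signed.get(PASSKEY) is True,
        "unauthorized": unauthorized,
        "launch_refusal_expected": bool(unauthorized),
    }


# Constructed samples, not taken from any real build.
RELEASE_BUILD = plistlib.dumps({"com.apple.security.cs.allow-jit": True})
LOCAL_RESIGN = plistlib.dumps({"com.apple.security.cs.allow-jit": True, PASSKEY: True})
APPLE_GRANTED_PROFILE = plistlib.dumps({PASSKEY: True})

if __name__ == "__main__":
    print(audit(RELEASE_BUILD))                        # entitlement absent
    print(audit(LOCAL_RESIGN))                         # claimed but not granted
    print(audit(LOCAL_RESIGN, APPLE_GRANTED_PROFILE))  # claimed and granted
```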

@Cubik65536
Member

> @Cubik65536 Adding that caused a failure, which has to do with the fact that the web browser entitlement needs to be requested and assigned by Apple manually. I've submitted a request to them to obtain this entitlement for embedding as part of my builds.
>
> developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_web-browser_public-key-credential

Thanks! Keep me posted please!

@claudiodekker

No response from Apple yet. I suppose they're just gonna ignore it until the end of time to be honest :')

@Cubik65536
Member

> No response from Apple yet. I suppose they're just gonna ignore it until the end of time to be honest :')

I think that's the best we can get then :(

@Cubik65536
Member

> @Cubik65536 Adding that caused a failure, which has to do with the fact that the web browser entitlement needs to be requested and assigned by Apple manually. I've submitted a request to them to obtain this entitlement for embedding as part of my builds.
>
> developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_web-browser_public-key-credential

I also cannot get this working and as described in Apple Developer Documentation:

> To request this entitlement, you must hold the Account Holder role for an organization’s Apple Developer account

Highlight: an organization’s Apple Developer account...

I don't think we'll be able to get that, I will just close this for now as I judge this to be an insolvable issue due to the nature of how we build UGC.

Feel free to ping me if you know some more info to get this working, then I'll maybe come back working on this.

@Cubik65536 closed this as not planned on Oct 27, 2024