QZ Tray, override.crt - Hail Mary Pass

chadlawson
Contributor

Here's hoping someone smarter than me can answer this:

I have a client whose in-house developers have created a system of printing shipping labels from their intranet system. It uses Zebra label printers connected to the Mac Mini stations via USB and an application called QZ Tray by QZ.io. 

To deploy the app, one has to include a self-signed certificate called 'override.crt' embedded in the app bundle's Resources folder. Then when the app is launched for the first time, the logged-in user must enter their password to accept the certificate. You cannot change the username to use a different (hidden admin) account instead. It must be the username and password of the launching user. It should be noted that at no point does the cert show up in Keychain Access before or after this.

I have tried using openssl to convert the .crt file to a .cer file and deploying it via a Configuration Profile in Jamf. When I do, the cert shows up in Keychain Access and the serial and signature match the file in the Resources folder of the app. But first launch of the app still requires the user to enter their password.

Has anyone encountered either QZ Tray specifically, or some other app that requires its own embedded certificate to work?

The goal is to fully automate the deployment of this application and printer configuration without requiring user intervention.


tresf
New Contributor

The "override.crt" is what QZ Tray historically uses for licensing and ensures that the website is who it claims it is.

The prompt you're talking about is a different file. It's actually a self-signed SSL certificate, needed for the websocket to be secure. The prompt, specifically, is a Mac-ism. This problem is best described here: https://developer.apple.com/forums/thread/724006

To view this file, QZ Tray --> Advanced --> Diagnostic --> Browse Shared Folder

To avoid the prompt, the software must ship with a CA-issued SSL certificate to avoid modifying the Apple Keyring.  This may be doable.  For example, let's say you register the domain name "chadlawson.org", you could create a subdomain called "localhost.chadlawson.org" which points to 127.0.0.1 ("localhost").

Next, you can obtain a certificate for this domain using a paid CA-service or a free one like LetsEncrypt.

Then, you must bundle this certificate with QZ Tray in a fashion similar to this tutorial https://qz.io/docs/print-server#remove-localhost-bindings. The packaging steps for QZ Tray don't currently support this, so you'd need to customize the code a bit to get it to bundle. This will make a bit more sense later. Please read on.

Last, you would need a way to periodically update this certificate on the machine. There's some boilerplate "certbot" support baked in, but at the time of writing this, I'm not aware of any person or organization using it.

To summarize:

  • What this solves is a self-signed SSL certificate no longer needs to be installed, avoiding the pop-up prompt.
  • What new problems this creates is that it forces you to ship a private key for a real, live certificate with your application.
  • For this reason, few companies use this strategy unless they have a very large, internal deployment, and in those cases, they instead handle the CA-issued certificate component as a post-installation step so as not to leak their Trusted SSL private key.

If you choose to ignore all of these risks and bundle a CA-issued SSL certificate anyway, be mindful that a user can report the leaked key and get your trust revoked from the CA.

Alternately, there's one more way to do this and it's to skip the SSL "trust" entirely.  This can be done by modifying the installation steps to not install the certificate locally.  This would avoid the password prompt, but users would need to browse to https://localhost:8181 and "Accept the risk and continue" before the product would work.  This step would be required once per browser, per user.  You may experiment with this approach by clicking "Cancel" on the popup, which would have the same effect.

Finally, if you'd like to avoid production installation entirely, there is experimental support for DMG creation in the latest project source via "ant dmg".

Best of regards
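As an added example (not from either post, and not QZ Tray's own code), the following POSIX shell script checks a certificate along the three axes the reply weighs: whether it is self-signed (the trust prompt), how long it stays valid (the renewal job), and whether a matching private key sits beside it (the leak risk of bundling a CA-issued cert). The file paths and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example, not QZ Tray's own code: pre-deployment checks on the SSL
# certificate QZ Tray serves on https://localhost:8181. File paths passed in
# are assumptions; find the real files via
# QZ Tray -> Advanced -> Diagnostic -> Browse Shared Folder.

# Prints "self-signed" when issuer and subject are the same name (the case
# that triggers the macOS trust prompt), otherwise "ca-issued".
cert_issuer_kind() {
  if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
       "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then
    echo self-signed
  else
    echo ca-issued
  fi
}

# Succeeds only if the certificate is still valid $2 days from now; this is
# the check a periodic renewal job for a CA-issued certificate would run.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds if the private key in $2 belongs to the certificate in $1. A match
# inside the app bundle means the live private key is shipped to every user.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# PEM .crt -> DER .cer, the conversion used to load the cert into a Jamf profile.
cert_to_der() {
  openssl x509 -in "$1" -outform DER -out "$2"
}

# One-screen summary to read before choosing a deployment strategy.
cert_report() {
  printf 'issuer kind : %s\n' "$(cert_issuer_kind "$1")"
  if cert_valid_for_days "$1" 30; then
    printf 'expiry      : more than 30 days away\n'
  else
    printf 'expiry      : within 30 days, renew or redeploy\n'
  fi
  if [ -n "$2" ] && key_matches_cert "$1" "$2" 2>/dev/null; then
    printf 'private key : SHIPPED next to the certificate\n'
  fi
}
```

Run `cert_report /path/to/cert.pem /path/to/key.pem` against the files in the shared folder; a "self-signed" result explains the prompt, and a "SHIPPED" line is the leak the reply warns about.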