Post by Amos in cant log in to the itch.io app - itch.io

Viewing post in cant log in to the itch.io app

↑ View parent post

Amos4 years ago (2 edits)

Hey Nikki,

Any particular reason why you launched the Setup instead of the app directly?

Also, was the app running when you ran the setup? This might explain why it gets stuck at “moving it into place” - macOS might not like it trying to replace a running application.

I’m going to try and reproduce that particular problem, then fix it, but in the meantime, you can quit the setup with Cmd+Q and just run itch by doing Cmd+Space, searching for itch and pressing enter.

Edit: I’m not able to reproduce the issue, running itch Setup while itch is running works just fine for me:

Nikki Nyx4 years ago

Any particular reason why you launched the Setup instead of the app directly?
I had no choice. When I download the app from the website, the only thing in the .dmg is install itch.app. When I run that file, itch setup starts. There was no option to bypass it. And it repeatedly gets stuck at the screenshot I posted above.

Also, was the app running when you ran the setup?
No. I had used AppCleaner to clear all the old itch files, so it was a fresh installation.

I tried another fresh installation, but still got stuck at that screenshot I posted. So I checked in my /ApplicationSupport and found two folders. The first one, named /itch-setup, contains app-25.4.0 and state.json. I opened app-25.4.0 and it looked like it was going to work, but them I got the same error message when I tried to login. (And I tried logging in with my user name, then my email. Same result for both.)

The second one, named /itch, contains the following hierarchy:

I see the butler 15.17.2, but can't login to the app to choose it in preferences. Also, /itch/logs/itch.txt is the weirdest log I've ever seen. It's sprinkled with emojis throughout, specifically these: 📦 🔧 🙏. No idea if that makes a difference, but I can upload it if you want.

Amos4 years ago (4 edits)

Alright, so, the setup works, itch starts up, it installs the latest version of butler (you don’t have to “choose it from preferences”, it’s automatically used, since you have it on disk it’s using it), and you’re seeing the exact same error on login, ie. this one?

Post https://api.itch.io/login: x509: certificate signed by unknown authority.

Edit: also, what’s your exact version of macOS? I’ve seen multiple reports of this error but haven’t been able to reproduce it across multiple machines and asking specific folks to test it :/

Edit 2: I see you mentioned El Capitan earlier (my bad), unfortunately that’s exactly what one of the versions I tested earlier today.

Are you running any specific software that would “enhance the security” of your mac? I see you’re using AppCleaner, anything else?

Edit 3: If you’re comfortable with the terminal, you can try to download https://broth.itch.ovh/butler/darwin-amd64-head/45dab99ef1c1908cc18b3b86bcdb0dad78de7789/archive/default then extract it, run “chmod +x butler” if needed, and run “./butler diag –all”

Edit 4: by the way, my current theory is that the issue is linked to that Go issue - it seemed to result in a fix, hence my trying to rebuild butler with a newer Go version. There are some troubleshooting steps in there that might help you. If you find a solution, please post it here!

Nikki Nyx4 years ago

Yes. My latest try... I first searched my entire hard drive for any leftover itch files. Found an itch.app where I didn't expect it and used AppCleaner to remove it and its files. Then I DL'd a fresh installation app. It didn't get stuck at setup, but I still got that same error when trying to log in.

My computer is an iMac 12,1 running 10.11.6 (El Capitan).
Processor: Intel Core i5 2.5 GHz.
Memory: 16 GB 1333 MHZ DDR3.

I don't run any virus software or anything like that. Macs are pretty safe as long as you don't download indiscriminately. I tried your suggesting about DL'ing the archive file, but I didn't get a .zip file, just a file my Mac didn't know what to do with. Its name: "Unconfirmed 382498.crdownload".

Isn't there a repository of previous itch.app versions where I can DL an earlier one? Because it seems as if it's this new update that's the issue, at least for me. The app was working perfectly before this. Lastly, I really appreciate all the work you're putting into this...thank you!

Amos4 years ago

When you get some time, could you try rebooting, starting the itch app, and trying to log in again?

I’ve gotten some more confirmations that the update did indeed fix that particular problem (the “x509” message), so I’m more and more surprised it’s not fixed for you.

A last minute theory could be that even though the files were deleted on disk, the older version was still running, and the installer “brought it to front” instead of starting a fresh copy of the app. (*nix systems like macOS don’t have problems with executable files being removed while they’re running, unlike on Windows)

Dreemore4 years ago

Ok but I do own a windows laptop too

Amos4 years ago

I’m not sure you and Nikki Nyx are having the same problem.

I’ve read your messages too, but I can’t figure out exactly what problem you’re having. A screenshot would help!

Dreemore4 years ago

ok

Nikki Nyx4 years ago

Ok, here's what I did...

Using AppCleaner, I double checked to make sure everything having to do with itch was deleted, including hidden files.

I rebooted, then downloaded a fresh copy of the itch install app. The package contents:

(executable) Install itch.app
(folder) Contents
  (folder) _CodeSignature
(file) CodeResources
(file) Info.plist
(folder) MacOS
  (executable) itch-setup
(folder) Resources
  (resource) itch.icns

I double clicked on "Install itch.app" and a popup window entitled "Itch Setup" appeared and started DL'ing and installing. The itch app's window appeared, asking me to login. I tried using my email then my user name, and got the same error message both times:

Post https://api.itch.io/login: x509: certificate signed by unknown authority

Like I said, the only thing I've done since accessing the itch app last is update Java.

Amos4 years ago

Thanks for the detailed update.

I’m officially out of ideas, seeing as: everything works for me on that same macOS version, and: someone who used to have the x509 error with previous butler versions no longer has it since the update.

My only idea would be to find the corresponding Root certificate and see if the trust settings are set to “Always trust” or “Custom”, see https://github.com/golang/go/issues/24652#issuecomment-378340252

Nikki Nyx4 years ago

I may have found the issue. But first...

I checked in Keychain and all certificates are set to "always trust". (I have no idea how to figure out which one of dozens of certificates is actually for itch.app, short of opening each one. Can you specify a certificate name?)

I then opened Terminal and typed in...

spctl -a -vvvv /Applications/itch.app

...which returned...

/Applications/itch.app: cannot find code object on disk

Upon searching for itch.app, I discovered that the itch installation program put it in ~/Applications, which has never happened before. It's always been put in /Applications. I tried again, typing the same command into Terminal with the correct directory, which returned...

/Users/NikkiNyx/Applications/itch.app: accepted
source=Developer ID
origin=Developer ID Application: Amos Wenger (B2N6FSRTPV)

...so it seems the certificate is valid. Yet I still get the same x509 error message on login.

I'm wondering if the installation is the problem. Why is itch.app suddenly being put into ~/Applications instead of /Applications? And is that affecting how the app accesses what it needs, like a valid certificate? (Note: Moving it didn't help, unsurprisingly. Still couldn't login.)

Except for you, I feel like itch really doesn't give a crap that I can't access games I've paid for. This issue has been going on for several months now, and it's one of the many reasons I bloody hate game website apps. Half the time, they don't work. Plus, they take up a crapload of space to basically function as a folder and connection to the website (mining my gaming habits in the bargain). I have four different game website apps and they all suck.

Sorry, but I'm seriously pissed that I can't play games I've paid for. I do appreciate all the work you've done. Please let me know what I should try next.

Amos4 years ago

About the certificate - it’s the one for api.itch.io, here’s what Chrome tells me on Windows (gotten from visiting https://api.itch.io/profile and clicking the lock to the left of the address bar, choosing “Certificate (Valid)”, which opens the default Windows dialog for certificates):

/Applications and ~/Applications are both fine places to put an app bundle. I made itch-setup install to the latter so that it doesn’t need Administrator access (I strongly believe installing games should never require Administrator access), so that’s not the problem.

Except for you, I feel like itch really doesn’t give a crap that I can’t access games I’ve paid for.

We try to provide the app to make it easier to play games, but there’s always “downloading directly from the website” as a fallback - you can do some from the download pages for any games you’ve bought! So I wouldn’t say that statement is accurate.

When directly downloading, though, you are going to run into other issues - many games aren’t signed, let alone notarized, so you’ll have to right click -> Open, but those are decisions Apple made that affect a lot of developers, and not something we personally have control over

it’s one of the many reasons I bloody hate game website apps. Half the time, they don’t work. Plus, they take up a crapload of space to basically function as a folder and connection to the website (mining my gaming habits in the bargain). I have four different game website apps and they all suck.

I feel you. I’m the sole maintainer of the itch app, and believe me when I say I’m trying - hard - to make it lighter and faster. I’m also not fond of our competitors’ apps either.

The problem you’re encountering here is quite fundamental - it’s not some small feature that doesn’t work, it’s that the app can’t verify the certificate of the itch.io API server on your machine. According to the Go issue I linked earlier, this may be caused by “enabling cgo” - but that’s not something I can disable, because butler (which powers the core features of the app - fetching your library, installing/updating/configuring/launching games) is written in Go and uses a handful of C libraries, like sqlite, a brotli compressor, bindings to 7-zip, etc.

If I had access to a mac that had the same issue I might be able to find a workaround, but short of that, I’m really not sure what to do. Disabling certificate validation is not really an option, because that would allow anyone to snoop at traffic between you and itch.io.

I see that there is another issue opened on the Go repository more recently (27 days ago) with the same error message, with or without cgo enabled: https://github.com/golang/go/issues/35631 - unfortunately there hasn’t been much activity there :(

In any case, I can tell you that:

This is not a problem with Install itch.app or itch.app - they both perform exactly as expected.
This is an issue with the “butler” component that itch.app downloads and extracts (successfully on your machine)
This is not a bug in “butler” itself, but a bug of the Go language standard library on specific configurations on macOS. I’m not sure what’s going on there, and neither are the Go developers apparently.

That last issue mentions that setting certificate trust settings to “Always Trust” fixes it for them, which makes me wonder, were all the certificates set to “Always Trust” ?

I just looked up the certificate chain again and it seems the root is “USERTrust RSA Certification Authority”, which for me on macOS Catalina is set to “Use System Defaults”:

The first Go issue I linked gives a command to inspect certificates, which I just used on my Catalina machine, and it gives:

$ security find-certificate -c "USERTrust RSA Certification Authority" -a ~/Library/Keychains/login.keychain /Library/Keychains/System.keychain /System/Library/Keychains/SystemRootCertificates.keychain

keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
version: 256
class: 0x80001000 
attributes:
    "alis"<blob>="USERTrust RSA Certification Authority"
    "cenc"<uint32>=0x00000003 
    "ctyp"<uint32>=0x00000001 
    "hpky"<blob>=0x5379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB  "Sy\277Z\252+J\317T\200\341\330\233\300\235\362\262\003f\313"
    "issu"<blob>=0x308188310B3009060355040613025553311330110603550408130A4E4557204A4552534559311430120603550407130B4A45525345592043495459311E301C060355040A131554484520555345525452555354204E4554574F524B312E302C06035504031325555345525452555354205253412043455254494649434154494F4E20415554484F52495459  "0\201\2101\0130\011\006\003U\004\006\023\002US1\0230\021\006\003U\004\010\023\012NEW JERSEY1\0240\022\006\003U\004\007\023\013JERSEY CITY1\0360\034\006\003U\004\012\023\025THE USERTRUST NETWORK1.0,\006\003U\004\003\023%USERTRUST RSA CERTIFICATION AUTHORITY"
    "labl"<blob>="USERTrust RSA Certification Authority"
    "skid"<blob>=0x5379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB  "Sy\277Z\252+J\317T\200\341\330\233\300\235\362\262\003f\313"
    "snbr"<blob>=0x01FD6D30FCA3CA51A81BBC640E35032D  "\001\375m0\374\243\312Q\250\033\274d\0165\003-"
    "subj"<blob>=0x308188310B3009060355040613025553311330110603550408130A4E4557204A4552534559311430120603550407130B4A45525345592043495459311E301C060355040A131554484520555345525452555354204E4554574F524B312E302C06035504031325555345525452555354205253412043455254494649434154494F4E20415554484F52495459  "0\201\2101\0130\011\006\003U\004\006\023\002US1\0230\021\006\003U\004\010\023\012NEW JERSEY1\0240\022\006\003U\004\007\023\013JERSEY CITY1\0360\034\006\003U\004\012\023\025THE USERTRUST NETWORK1.0,\006\003U\004\003\023%USERTRUST RSA CERTIFICATION AUTHORITY"

There’s other commands to run too, see that comment

I was asking about potential “cleaner” or “security” tools, because I suspect some might have changed trust settings on certificates, disabled some, or installed some others, and that would explain why the verification fails (for Go applications, but not for, say, Safari).

I hope you find some more information based on that!

Amos4 years ago

Update: I had another idea (just shipping a CA bundle with butler - only for macOS though), and I just shipped butler v15.7.3, can you try again?

It should upgrade butler when the itch app starts, you can always look at ~/Library/Application Support/itch/broth to make sure it grabbed v15.7.3

Nikki Nyx4 years ago

And it worked! You, my friend, are a rock star! Huge props.

So, I figured I'd post the results of the rest, just in case you need it for someone else. All of the following I did before DL'ing the version that worked.

ITCH PROFILE & CERTIFICATE
Following https://api.itch.io/profile and clicking the lock got me this..

Expanding the Certificate section got me this...

CHECKING ALL CERTIFICATES
The only certificate that wasn't set to "Always Trust" was "Developer ID Certification Authority". The "When using this certificate" section was set to "Use System Defaults", while the rest of the list was set to "no value specified". Once I changed the initial section to "Always Trust", the rest were automatically set to that as well. It still didn't return "This certificate is valid" though. Instead, it now reads "This certificate is marked as trusted for this account".

GO VERSION & TRUST SETTINGS EXPORT
On my list of certificates, there is no "USERTrust RSA Certification Authority". So I went through the github link and did this...

iMac:~ NikkiNyx$ go version

...which returned...

-bash: go: command not found

Maybe this was the problem? I continued to the commands in the comment...

iMac:~ NikkiNyx$ security trust-settings-export user-trust.plist

...which returned...

...Trust Settings exported successfully.

But...

iMac:~ NikkiNyx$ security trust-settings-export -d admin-trust.plist

...returned...

SecTrustSettingsCreateExternalRepresentation: No Trust Settings were found.

The .plist generated by the Trust Settings export is here. I have no idea whether any of this is helpful, but I figured I'd share it just in case. Again, thank you so much for resolving this issue. I hope you'll be able to figure out what happened. Happy Holidays and happy gaming!

View more in thread

Amos4 years ago

I’m back with some more information from the Go team, and some more questions:

Are you behind any kind of proxy?
Can you access https://api.itch.io/ with Google Chrome? With Firefox? With curl? (curl https://api.itch.io/ in the command-line). What certificate chain do you see in Google Chrome & Firefox?
Can you install the latest Go from https://golang.org/ and run GODEBUG=x509roots=1 go test -v -run TestSystemRoots crypto/x509 ?

Please respond in as much detail as you can!

Nikki Nyx4 years ago

Ok...

Are you behind any kind of proxy?
No. Here's the screenshot from my System Prefs:

Can you access https://api.itch.io/ with Google Chrome?
No. There's just code on that page for me. Specifically...

{"errors":["invalid api endpoint"]}

What certificate chain do you see in Google Chrome?
>AddTrust External CA Root
>USERTrust RSA Certification Authority
>Sectigo RSA Domain Validation Secure Server CA
>*.itch.io
And it's valid.

Can you access https://api.itch.io/ with Firefox?
I don't have Firefox installed, but trying it in Safari results in the same code as Chrome.

Can you install the latest Go from https://golang.org and run

GODEBUG=x509roots=1 go test -v -run TestSystemRoots crypto/x509

Yes. Here are the results...

=== RUN   TestSystemRoots
crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: Ipswitch,Inc. returned 4
crypto/x509: Developer ID Certification Authority returned 2
crypto/x509: Equifax Secure Certificate Authority returned 4
crypto/x509: GTE CyberTrust Global Root returned 4
crypto/x509: Thawte Premium Server CA returned 4
crypto/x509: Thawte Server CA returned 4
crypto/x509: Class 3 Public Primary Certification Authority returned 4
crypto/x509: exec ["/usr/bin/security" "trust-settings-export" "-d" "/var/folders/q4/_9w_7lqd3n55t9p_4p0x545c0000gn/T/x509trustpolicy743388804/admin"]: exit status 1, SecTrustSettingsCreateExternalRepresentation: No Trust Settings were found.
crypto/x509: 2 certs have a trust policy
crypto/x509: verify-cert approved CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=Ipswitch\,Inc.,OU=Ipswitch\,Inc.,O=Ipswitch\,Inc.,L=Lexington,ST=MA,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: ran security verify-cert 3 times
--- PASS: TestSystemRoots (0.25s)
    root_darwin_test.go:35:     cgo sys roots: 77.212901ms
    root_darwin_test.go:36: non-cgo sys roots: 151.194094ms
    root_darwin_test.go:106: expired certificate only present in cgo pool (acceptable): CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
    root_darwin_test.go:114: 1024-bit certificate only present in cgo pool (acceptable): CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
    root_darwin_test.go:114: 1024-bit certificate only present in cgo pool (acceptable): OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    root_darwin_test.go:114: 1024-bit certificate only present in cgo pool (acceptable): CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
    root_darwin_test.go:106: expired certificate only present in cgo pool (acceptable): OU=Equifax Secure Certificate Authority,O=Equifax,C=US
PASS
ok      crypto/x509    0.263s

I hope this info is helpful!