Skip to main content

Browse GamesGame JamsUpload GameAutumn SaleDeveloper LogsCommunity
On Sale: GamesAssetsToolsTabletopComics
Indie game storeFree gamesFun gamesHorror games
Game developmentAssetsComics
SalesBundles
Jobs
TagsGame Engines
Amos4 years ago

When you get some time, could you try rebooting, starting the itch app, and trying to log in again?

I’ve gotten some more confirmations that the update did indeed fix that particular problem (the “x509” message), so I’m more and more surprised it’s not fixed for you.

A last minute theory could be that even though the files were deleted on disk, the older version was still running, and the installer “brought it to front” instead of starting a fresh copy of the app. (*nix systems like macOS don’t have problems with executable files being removed while they’re running, unlike on Windows)

Reply
Dreemore4 years ago

Ok but I do own a windows laptop too

Reply
Amos4 years ago

I’m not sure you and Nikki Nyx are having the same problem.

I’ve read your messages too, but I can’t figure out exactly what problem you’re having. A screenshot would help!

Reply
Dreemore4 years ago

ok

Reply
Nikki Nyx4 years ago

Ok, here's what I did...

Using AppCleaner, I double checked to make sure everything having to do with itch was deleted, including hidden files.

I rebooted, then downloaded a fresh copy of the itch install app. The package contents:

(executable) Install itch.app
     (folder) Contents
          (folder) _CodeSignature
               (file) CodeResources
     (file) Info.plist
     (folder) MacOS
          (executable) itch-setup
     (folder) Resources
          (resource) itch.icns

I double clicked on "Install itch.app" and a popup window entitled "Itch Setup" appeared and started DL'ing and installing. The itch app's window appeared, asking me to login. I tried using my email then my user name, and got the same error message both times:

Post https://api.itch.io/login: x509: certificate signed by unknown authority

Like I said, the only thing I've done since accessing the itch app last is update Java.

Reply
Amos4 years ago

Thanks for the detailed update.

I’m officially out of ideas, seeing as: everything works for me on that same macOS version, and: someone who used to have the x509 error with previous butler versions no longer has it since the update.

My only idea would be to find the corresponding Root certificate and see if the trust settings are set to “Always trust” or “Custom”, see https://github.com/golang/go/issues/24652#issuecomment-378340252

Reply
Nikki Nyx4 years ago

I may have found the issue. But first...

I checked in Keychain and all certificates are set to "always trust". (I have no idea how to figure out which one of dozens of certificates is actually for itch.app, short of opening each one. Can you specify a certificate name?)

I then opened Terminal and typed in...

spctl -a -vvvv /Applications/itch.app

...which returned...

/Applications/itch.app: cannot find code object on disk

Upon searching for itch.app, I discovered that the itch installation program put it in ~/Applications, which has never happened before. It's always been put in /Applications. I tried again, typing the same command into Terminal with the correct directory, which returned...

/Users/NikkiNyx/Applications/itch.app: accepted
source=Developer ID
origin=Developer ID Application: Amos Wenger (B2N6FSRTPV)

...so it seems the certificate is valid. Yet I still get the same x509 error message on login.

I'm wondering if the installation is the problem. Why is itch.app suddenly being put into ~/Applications instead of /Applications? And is that affecting how the app accesses what it needs, like a valid certificate? (Note: Moving it didn't help, unsurprisingly. Still couldn't login.)

Except for you, I feel like itch really doesn't give a crap that I can't access games I've paid for. This issue has been going on for several months now, and it's one of the many reasons I bloody hate game website apps. Half the time, they don't work. Plus, they take up a crapload of space to basically function as a folder and connection to the website (mining my gaming habits in the bargain). I have four different game website apps and they all suck.

Sorry, but I'm seriously pissed that I can't play games I've paid for. I do appreciate all the work you've done. Please let me know what I should try next.

Reply
Amos4 years ago

About the certificate - it’s the one for api.itch.io, here’s what Chrome tells me on Windows (gotten from visiting https://api.itch.io/profile and clicking the lock to the left of the address bar, choosing “Certificate (Valid)”, which opens the default Windows dialog for certificates):

/Applications and ~/Applications are both fine places to put an app bundle. I made itch-setup install to the latter so that it doesn’t need Administrator access (I strongly believe installing games should never require Administrator access), so that’s not the problem.

Except for you, I feel like itch really doesn’t give a crap that I can’t access games I’ve paid for.

We try to provide the app to make it easier to play games, but there’s always “downloading directly from the website” as a fallback - you can do some from the download pages for any games you’ve bought! So I wouldn’t say that statement is accurate.

When directly downloading, though, you are going to run into other issues - many games aren’t signed, let alone notarized, so you’ll have to right click -> Open, but those are decisions Apple made that affect a lot of developers, and not something we personally have control over

it’s one of the many reasons I bloody hate game website apps. Half the time, they don’t work. Plus, they take up a crapload of space to basically function as a folder and connection to the website (mining my gaming habits in the bargain). I have four different game website apps and they all suck.

I feel you. I’m the sole maintainer of the itch app, and believe me when I say I’m trying - hard - to make it lighter and faster. I’m also not fond of our competitors’ apps either.

The problem you’re encountering here is quite fundamental - it’s not some small feature that doesn’t work, it’s that the app can’t verify the certificate of the itch.io API server on your machine. According to the Go issue I linked earlier, this may be caused by “enabling cgo” - but that’s not something I can disable, because butler (which powers the core features of the app - fetching your library, installing/updating/configuring/launching games) is written in Go and uses a handful of C libraries, like sqlite, a brotli compressor, bindings to 7-zip, etc.

If I had access to a mac that had the same issue I might be able to find a workaround, but short of that, I’m really not sure what to do. Disabling certificate validation is not really an option, because that would allow anyone to snoop at traffic between you and itch.io.

I see that there is another issue opened on the Go repository more recently (27 days ago) with the same error message, with or without cgo enabled: https://github.com/golang/go/issues/35631 - unfortunately there hasn’t been much activity there :(

In any case, I can tell you that:

  • This is not a problem with Install itch.app or itch.app - they both perform exactly as expected.
  • This is an issue with the “butler” component that itch.app downloads and extracts (successfully on your machine)
  • This is not a bug in “butler” itself, but a bug of the Go language standard library on specific configurations on macOS. I’m not sure what’s going on there, and neither are the Go developers apparently.

That last issue mentions that setting certificate trust settings to “Always Trust” fixes it for them, which makes me wonder, were all the certificates set to “Always Trust” ?

I just looked up the certificate chain again and it seems the root is “USERTrust RSA Certification Authority”, which for me on macOS Catalina is set to “Use System Defaults”:

The first Go issue I linked gives a command to inspect certificates, which I just used on my Catalina machine, and it gives:

$ security find-certificate -c "USERTrust RSA Certification Authority" -a ~/Library/Keychains/login.keychain /Library/Keychains/System.keychain /System/Library/Keychains/SystemRootCertificates.keychain

keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
version: 256
class: 0x80001000 
attributes:
    "alis"<blob>="USERTrust RSA Certification Authority"
    "cenc"<uint32>=0x00000003 
    "ctyp"<uint32>=0x00000001 
    "hpky"<blob>=0x5379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB  "Sy\277Z\252+J\317T\200\341\330\233\300\235\362\262\003f\313"
    "issu"<blob>=0x308188310B3009060355040613025553311330110603550408130A4E4557204A4552534559311430120603550407130B4A45525345592043495459311E301C060355040A131554484520555345525452555354204E4554574F524B312E302C06035504031325555345525452555354205253412043455254494649434154494F4E20415554484F52495459  "0\201\2101\0130\011\006\003U\004\006\023\002US1\0230\021\006\003U\004\010\023\012NEW JERSEY1\0240\022\006\003U\004\007\023\013JERSEY CITY1\0360\034\006\003U\004\012\023\025THE USERTRUST NETWORK1.0,\006\003U\004\003\023%USERTRUST RSA CERTIFICATION AUTHORITY"
    "labl"<blob>="USERTrust RSA Certification Authority"
    "skid"<blob>=0x5379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB  "Sy\277Z\252+J\317T\200\341\330\233\300\235\362\262\003f\313"
    "snbr"<blob>=0x01FD6D30FCA3CA51A81BBC640E35032D  "\001\375m0\374\243\312Q\250\033\274d\0165\003-"
    "subj"<blob>=0x308188310B3009060355040613025553311330110603550408130A4E4557204A4552534559311430120603550407130B4A45525345592043495459311E301C060355040A131554484520555345525452555354204E4554574F524B312E302C06035504031325555345525452555354205253412043455254494649434154494F4E20415554484F52495459  "0\201\2101\0130\011\006\003U\004\006\023\002US1\0230\021\006\003U\004\010\023\012NEW JERSEY1\0240\022\006\003U\004\007\023\013JERSEY CITY1\0360\034\006\003U\004\012\023\025THE USERTRUST NETWORK1.0,\006\003U\004\003\023%USERTRUST RSA CERTIFICATION AUTHORITY"

There’s other commands to run too, see that comment

I was asking about potential “cleaner” or “security” tools, because I suspect some might have changed trust settings on certificates, disabled some, or installed some others, and that would explain why the verification fails (for Go applications, but not for, say, Safari).

I hope you find some more information based on that!

Reply
Amos4 years ago

Update: I had another idea (just shipping a CA bundle with butler - only for macOS though), and I just shipped butler v15.7.3, can you try again?

It should upgrade butler when the itch app starts, you can always look at ~/Library/Application Support/itch/broth to make sure it grabbed v15.7.3

Reply
Nikki Nyx4 years ago

And it worked! You, my friend, are a rock star! Huge props.

So, I figured I'd post the results of the rest, just in case you need it for someone else. All of the following I did before DL'ing the version that worked.

ITCH PROFILE & CERTIFICATE
Following https://api.itch.io/profile and clicking the lock got me this..

Expanding the Certificate section got me this...

CHECKING ALL CERTIFICATES
The only certificate that wasn't set to "Always Trust" was "Developer ID Certification Authority". The "When using this certificate" section was set to "Use System Defaults", while the rest of the list was set to "no value specified". Once I changed the initial section to "Always Trust", the rest were automatically set to that as well. It still didn't return "This certificate is valid" though. Instead, it now reads "This certificate is marked as trusted for this account".

GO VERSION & TRUST SETTINGS EXPORT
On my list of certificates, there is no "USERTrust RSA Certification Authority". So I went through the github link and did this...

iMac:~ NikkiNyx$ go version

...which returned...

-bash: go: command not found

Maybe this was the problem? I continued to the commands in the comment...

iMac:~ NikkiNyx$ security trust-settings-export user-trust.plist

...which returned...

...Trust Settings exported successfully.

But...

iMac:~ NikkiNyx$ security trust-settings-export -d admin-trust.plist

...returned...

SecTrustSettingsCreateExternalRepresentation: No Trust Settings were found.

The .plist generated by the Trust Settings export is here. I have no idea whether any of this is helpful, but I figured I'd share it just in case. Again, thank you so much for resolving this issue. I hope you'll be able to figure out what happened. Happy Holidays and happy gaming!

Reply
Amos4 years ago

Hey there, glad it worked for you!

The Go folks are still curious as to exactly what caused the problem in the first place.

In particular, that command:

GODEBUG=x509roots=1 go test -v -run TestSystemRoots crypto/x509

You’ll need to download the Go language and install it first, here’s a direct link for macOS: https://dl.google.com/go/go1.13.5.darwin-amd64.pkg

After that, you might need to open a new terminal or even log out / log in again, see https://golang.org/doc/install#macos

The fix I shipped is just a workaround, hopefully the root issue can be resolved!

Thanks again for getting back to me every time :)

Reply
Dreemore4 years ago

how to i take screenshots on mac

Reply
Nikki Nyx4 years ago(+1)

Leafo90, simultaneously press COMMAND and SHIFT and 3 to take a screenshot of your whole screen. If you want to take only part of your screen, simultaneously press COMMAND and SHIFT and 4, and you'll get a customizable bounding box you can resize and drag to where you want it.

Reply
Dreemore4 years ago

ok

Reply
Amos4 years ago

I’m back with some more information from the Go team, and some more questions:

  • Are you behind any kind of proxy?
  • Can you access https://api.itch.io/ with Google Chrome? With Firefox? With curl? (curl https://api.itch.io/ in the command-line). What certificate chain do you see in Google Chrome & Firefox?
  • Can you install the latest Go from https://golang.org/ and run GODEBUG=x509roots=1 go test -v -run TestSystemRoots crypto/x509 ?

Please respond in as much detail as you can!

Reply
Nikki Nyx4 years ago

Ok...

Are you behind any kind of proxy?
No. Here's the screenshot from my System Prefs:

Can you access https://api.itch.io/ with Google Chrome?
No. There's just code on that page for me. Specifically...

{"errors":["invalid api endpoint"]}

What certificate chain do you see in Google Chrome?
>AddTrust External CA Root
     >USERTrust RSA Certification Authority
          >Sectigo RSA Domain Validation Secure Server CA
               >*.itch.io
And it's valid.

Can you access https://api.itch.io/ with Firefox?
I don't have Firefox installed, but trying it in Safari results in the same code as Chrome.

Can you install the latest Go from https://golang.org and run 

GODEBUG=x509roots=1 go test -v -run TestSystemRoots crypto/x509

Yes. Here are the results...

=== RUN   TestSystemRoots
crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: Ipswitch,Inc. returned 4
crypto/x509: Developer ID Certification Authority returned 2
crypto/x509: Equifax Secure Certificate Authority returned 4
crypto/x509: GTE CyberTrust Global Root returned 4
crypto/x509: Thawte Premium Server CA returned 4
crypto/x509: Thawte Server CA returned 4
crypto/x509: Class 3 Public Primary Certification Authority returned 4
crypto/x509: exec ["/usr/bin/security" "trust-settings-export" "-d" "/var/folders/q4/_9w_7lqd3n55t9p_4p0x545c0000gn/T/x509trustpolicy743388804/admin"]: exit status 1, SecTrustSettingsCreateExternalRepresentation: No Trust Settings were found.
crypto/x509: 2 certs have a trust policy
crypto/x509: verify-cert approved CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=Ipswitch\,Inc.,OU=Ipswitch\,Inc.,O=Ipswitch\,Inc.,L=Lexington,ST=MA,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: ran security verify-cert 3 times
--- PASS: TestSystemRoots (0.25s)
    root_darwin_test.go:35:     cgo sys roots: 77.212901ms
    root_darwin_test.go:36: non-cgo sys roots: 151.194094ms
    root_darwin_test.go:106: expired certificate only present in cgo pool (acceptable): CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions\, Inc.,O=GTE Corporation,C=US
    root_darwin_test.go:114: 1024-bit certificate only present in cgo pool (acceptable): CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
    root_darwin_test.go:114: 1024-bit certificate only present in cgo pool (acceptable): OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
    root_darwin_test.go:114: 1024-bit certificate only present in cgo pool (acceptable): CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
    root_darwin_test.go:106: expired certificate only present in cgo pool (acceptable): OU=Equifax Secure Certificate Authority,O=Equifax,C=US
PASS
ok      crypto/x509    0.263s

I hope this info is helpful!

Reply
AboutFAQBlogContact us
Copyright © 2024 itch corp · Directory · Terms · Privacy · Cookies