itch.io

About the certificate - it’s the one for api.itch.io, here’s what Chrome tells me on Windows (gotten from visiting https://api.itch.io/profile and clicking the lock to the left of the address bar, choosing “Certificate (Valid)”, which opens the default Windows dialog for certificates):

/Applications and ~/Applications are both fine places to put an app bundle. I made itch-setup install to the latter so that it doesn’t need Administrator access (I strongly believe installing games should never require Administrator access), so that’s not the problem.

Except for you, I feel like itch really doesn’t give a crap that I can’t access games I’ve paid for.

We try to provide the app to make it easier to play games, but there’s always “downloading directly from the website” as a fallback - you can do some from the download pages for any games you’ve bought! So I wouldn’t say that statement is accurate.

When directly downloading, though, you are going to run into other issues - many games aren’t signed, let alone notarized, so you’ll have to right click -> Open, but those are decisions Apple made that affect a lot of developers, and not something we personally have control over

it’s one of the many reasons I bloody hate game website apps. Half the time, they don’t work. Plus, they take up a crapload of space to basically function as a folder and connection to the website (mining my gaming habits in the bargain). I have four different game website apps and they all suck.

I feel you. I’m the sole maintainer of the itch app, and believe me when I say I’m trying - hard - to make it lighter and faster. I’m also not fond of our competitors’ apps either.

The problem you’re encountering here is quite fundamental - it’s not some small feature that doesn’t work, it’s that the app can’t verify the certificate of the itch.io API server on your machine. According to the Go issue I linked earlier, this may be caused by “enabling cgo” - but that’s not something I can disable, because butler (which powers the core features of the app - fetching your library, installing/updating/configuring/launching games) is written in Go and uses a handful of C libraries, like sqlite, a brotli compressor, bindings to 7-zip, etc.

If I had access to a mac that had the same issue I might be able to find a workaround, but short of that, I’m really not sure what to do. Disabling certificate validation is not really an option, because that would allow anyone to snoop at traffic between you and itch.io.

I see that there is another issue opened on the Go repository more recently (27 days ago) with the same error message, with or without cgo enabled: https://github.com/golang/go/issues/35631 - unfortunately there hasn’t been much activity there :(

In any case, I can tell you that:

• This is not a problem with Install itch.app or itch.app - they both perform exactly as expected.
• This is an issue with the “butler” component that itch.app downloads and extracts (successfully on your machine)
• This is not a bug in “butler” itself, but a bug of the Go language standard library on specific configurations on macOS. I’m not sure what’s going on there, and neither are the Go developers apparently.

That last issue mentions that setting certificate trust settings to “Always Trust” fixes it for them, which makes me wonder, were all the certificates set to “Always Trust” ?

I just looked up the certificate chain again and it seems the root is “USERTrust RSA Certification Authority”, which for me on macOS Catalina is set to “Use System Defaults”:

The first Go issue I linked gives a command to inspect certificates, which I just used on my Catalina machine, and it gives:

$ security find-certificate -c "USERTrust RSA Certification Authority" -a ~/Library/Keychains/login.keychain /Library/Keychains/System.keychain /System/Library/Keychains/SystemRootCertificates.keychain

keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
version: 256
class: 0x80001000 
attributes:
    "alis"<blob>="USERTrust RSA Certification Authority"
    "cenc"<uint32>=0x00000003 
    "ctyp"<uint32>=0x00000001 
    "hpky"<blob>=0x5379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB  "Sy\277Z\252+J\317T\200\341\330\233\300\235\362\262\003f\313"
    "issu"<blob>=0x308188310B3009060355040613025553311330110603550408130A4E4557204A4552534559311430120603550407130B4A45525345592043495459311E301C060355040A131554484520555345525452555354204E4554574F524B312E302C06035504031325555345525452555354205253412043455254494649434154494F4E20415554484F52495459  "0\201\2101\0130\011\006\003U\004\006\023\002US1\0230\021\006\003U\004\010\023\012NEW JERSEY1\0240\022\006\003U\004\007\023\013JERSEY CITY1\0360\034\006\003U\004\012\023\025THE USERTRUST NETWORK1.0,\006\003U\004\003\023%USERTRUST RSA CERTIFICATION AUTHORITY"
    "labl"<blob>="USERTrust RSA Certification Authority"
    "skid"<blob>=0x5379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB  "Sy\277Z\252+J\317T\200\341\330\233\300\235\362\262\003f\313"
    "snbr"<blob>=0x01FD6D30FCA3CA51A81BBC640E35032D  "\001\375m0\374\243\312Q\250\033\274d\0165\003-"
    "subj"<blob>=0x308188310B3009060355040613025553311330110603550408130A4E4557204A4552534559311430120603550407130B4A45525345592043495459311E301C060355040A131554484520555345525452555354204E4554574F524B312E302C06035504031325555345525452555354205253412043455254494649434154494F4E20415554484F52495459  "0\201\2101\0130\011\006\003U\004\006\023\002US1\0230\021\006\003U\004\010\023\012NEW JERSEY1\0240\022\006\003U\004\007\023\013JERSEY CITY1\0360\034\006\003U\004\012\023\025THE USERTRUST NETWORK1.0,\006\003U\004\003\023%USERTRUST RSA CERTIFICATION AUTHORITY"

There’s other commands to run too, see that comment

I was asking about potential “cleaner” or “security” tools, because I suspect some might have changed trust settings on certificates, disabled some, or installed some others, and that would explain why the verification fails (for Go applications, but not for, say, Safari).

I hope you find some more information based on that!