
bridge 3.0.20 on macOS is requiring administrative privs on launch, fails

Open sneak opened this issue 2 years ago • 7 comments

Expected Behavior

email client bridge runs as a normal user and does not modify my system

Current Behavior

bridge is demanding administrative privs on launch and fails with the error "Bridge application exited before providing a gRPC service configuration file." when they are not provided.

Possible Solution

This didn't happen to me with previous older versions of Bridge. I'm not sure when this behavior was introduced.

Steps to Reproduce

  1. Launch Bridge
  2. Deny administrator privileges

Version Information

v3.0.20

Context (Environment)

macOS

sneak avatar Mar 13 '23 19:03 sneak

Hey @sneak, this is currently required so that we can install the certificates for IMAP and SMTP. We are looking into ways to improve this for the future.

LBeernaertProton avatar Mar 14 '23 08:03 LBeernaertProton

Why not let it work without installing the certificates? The older versions worked fine (with a certificate trust prompt).

If I can't use the bridge any longer (there is zero percent chance I am giving it root) I have to migrate my domains off of PM. I suppose I can use the old bridge version until the API diverges far enough.

sneak avatar Mar 14 '23 08:03 sneak

To clarify: you need to give permission to Bridge to install the certificates; it's a security feature on macOS. Bridge does not run in admin mode.

LBeernaertProton avatar Mar 14 '23 08:03 LBeernaertProton

I think it is a bug then that bridge completely fails if it is denied root to install the certificates.

I will personally go back to using the last version that doesn't fail in this way. Seems to me that bridge should still, well, bridge even in the case where it isn't given arbitrary permission to modify my local certificate store without consent.

sneak avatar Mar 14 '23 09:03 sneak

Unfortunately, this is currently a requirement for Bridge. Apple has increased their security requirements/validations in the latest versions of macOS.

If you could report which version of macOS you are using and which was the last version of Bridge that did not have this issue, we can potentially investigate what changed.

LBeernaertProton avatar Mar 14 '23 09:03 LBeernaertProton

Would adding them manually to the system be a way to resolve this problem then? FWIW, I have this issue too and would consider it nice to be able to confirm what certs are being trusted in advance on my system if that's the source of the issue.

GoodPants avatar Mar 21 '23 22:03 GoodPants

@GoodPants the certificate is required for the encryption of the IMAP/SSL connection.

We are currently working on improving this by using the user keychain rather than the system keychain.

We will release this improvement as soon as it is ready.

LBeernaertProton avatar Mar 27 '23 07:03 LBeernaertProton