Comments (8)
andyacer
commented on July 30, 2024
3
PR has been submitted with a fix for the Chrome CT issue.
This fix changes the behavior of this script to copy instead of move the certificate. The certificate now resides both in the System store and the user store. By using Zygisk and the Enforce DenyList feature to hide Magisk from Chrome, this seems to fully address this problem.
Recommended way to use this module:
- Install the updated Move Certificates module.
- Install the desired certificate to user store.
- In Magisk, enable Zygisk, enable Enforce DenyList and then add Chrome to the DenyList.
- Reboot your phone.
- Chrome should work using the certificate in the user store, and all the other apps should work using the certificate in the system store.
- If you want to add any other apps later, just add them to the Magisk Hide list/DenyList, then force stop that app. Next time it launches it should use the certificate in the user store. Removal works the same way.
from movecert.
yossijo
commented on July 30, 2024
I'm experiencing the same with a different mitm proxy
from movecert.
wrongway213
commented on July 30, 2024
See here for more info on the issue. The only fix seems to be installing certificate in both user store and system store. AdguardTeam/AdguardForAndroid#4124 (comment)
from movecert.
andyacer
commented on July 30, 2024
Awesome thanks @wrongway213
The answer as I understand it: install the certificate in both locations, the System store and the User store. Then hide the System store version from Chrome using Magisk -> Settings -> Zygisk (Beta) + Enforce DenyList + Configure DenyList for Chrome (system app).
If I get this working I'll add more fidelity here with screenshots and steps.
from movecert.
wrongway213
commented on July 30, 2024
You're very welcome @andyacer but there's one major issue:
Hiding Chrome in Magisk is known to cause a wide array of issues. What is needed is a solution that allows the certificate to reside both in user and system store, without hiding Chrome from Magisk. It appears the certificate needs to actually be installed in both locations, with a mechanism to make browser(s) fall back to the user certificate.
from movecert.
floyd-fuh
commented on July 30, 2024
Btw. the issue is also discussed here https://forum.portswigger.net/thread/android-chrome-99-certificate-transparency-feature-blocks-burp-certificate-929ab74d
I would appreciate it if the script would change from "Move" (mv) to "Copy" (cp) as a minimum
from movecert.
at3s
commented on July 30, 2024
PR has been submitted with a fix for the Chrome CT issue.
This fix changes the behavior of this script to copy instead of move the certificate. The certificate now resides both in the System store and the user store. By using Zygisk and the Enforce DenyList feature to hide Magisk from Chrome, this seems to fully address this problem.
Recommended way to use this module:
- Install the updated Move Certificates module.
- Install the desired certificate to user store.
- In Magisk, enable Zygisk, enable Enforce DenyList and then add Chrome to the DenyList.
- Reboot your phone.
- Chrome should work using the certificate in the user store, and all the other apps should work using the certificate in the system store.
- If you want to add any other apps later, just add them to the Magisk Hide list/DenyList, then force stop that app. Next time it launches it should use the certificate in the user store. Removal works the same way.
good answer, thank you
from movecert.
JelmerDeHen
commented on July 30, 2024
Hi, I have created a module to solve this via Chrome flags.
https://github.com/JelmerDeHen/MagiskBypassCertificateTransparencyError
from movecert.
Related Issues (18)
- Magisk hide breaks module functionality in A10+ HOT 2
- Where is `/common/post-fs-data.sh`? HOT 1
- Installation failed HOT 41
- How to remove certificate from system?
- Fast HOT 1
- on android 12 removes it at a later time
- android 13 无效啊 HOT 2
- 请问KernelSU可以使用吗?
- callrecorder-skvalex this repo includes only a trial
- kernelsu android13 无效
- Free open source packet capture tool, supporting all platform systems of Windows, Mac, Android, IOS, and Linux
- how to delete the moved cert or move back to user certificate
- Module gets installed, Magisk appears to attempt to run at boot, but no evidence that the commands in post-fs-data.sh were actually run
- It seems that it isn't compatible with a specific game app. HOT 2
- Trigger cert movement HOT 1
- How to install? Does this actually move the certs? What about dm-verity? HOT 6
- Google system apps don't trust adguard certificate when installed using this module in devices running Android 10+ out of the box HOT 16
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from movecert.