ProtonMail / proton-bridge

Proton Mail Bridge application
GNU General Public License v3.0

bridge 3.0.20 on macOS is requiring administrative privs on launch, fails #361

Open sneak opened 1 year ago

sneak commented 1 year ago

Expected Behavior

email client bridge runs as a normal user and does not modify my system

Current Behavior

bridge is demanding administrative privs on launch and fails with the error "Bridge application exited before providing a gRPC service configuration file." when they are not provided.

Possible Solution

This didn't happen to me with previous older versions of Bridge. I'm not sure when this behavior was introduced.

Steps to Reproduce

  1. Launch Bridge
  2. Deny administrator privileges

Version Information

v3.0.20

Context (Environment)

macOS

LBeernaertProton commented 1 year ago

Hey @sneak, this is currently required so that we can install the certificates for IMAP and SMTP. We are looking into ways on how to improve this for the future.

sneak commented 1 year ago

Why not let it work without installing the certificates? The older versions worked fine (with a certificate trust prompt).

If I can't use the bridge any longer (there is zero percent chance I am giving it root) I have to migrate my domains off of PM. I suppose I can use the old bridge version until the API diverges far enough.

LBeernaertProton commented 1 year ago

To clarify: you need to give permission to Bridge to install the certificates; it's a security feature on macOS. Bridge does not run in admin mode.

sneak commented 1 year ago

I think it is a bug then that bridge completely fails if it is denied root to install the certificates.

I will personally go back to using the last version that doesn't fail in this way. Seems to me that bridge should still, well, bridge even in the case where it isn't given arbitrary permission to modify my local certificate store without consent.

LBeernaertProton commented 1 year ago

Unfortunately, this is currently a requirement for Bridge. Apple has increased their security requirements/validations in the latest versions of macOS.

If you could report which version of macOS you are using and which was the last version of Bridge that did not have this issue, we can potentially investigate what changed.

GoodPants commented 1 year ago

Would adding them manually to the system be a way to resolve this problem then? FWIW, I have this issue too and would consider it nice to be able to confirm what certs are being trusted in advance on my system if that's the source of the issue.

LBeernaertProton commented 1 year ago

@GoodPants the certificate is required for the encryption of the IMAP/SSL connection.

We are currently working on improving this by using the user keychain rather than the system keychain.

We will release this improvement as soon as it is ready.