Suppress "localhost wants to access connected printers Untrusted Website" when accessing Printers - QZ-tray

Question

How to properly Suppress the

localhost wants to access connected printers Untrusted Website

modal when accessing printers?

I've tried to create a certificate through this OpenSSL command:

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout server.key -out server.crt

Then addeed the override like this:

authcert.override=server.crt

in the qz-tray.properties file.

However it is still the same the dialog box is not suppressed. What could be wrong?

This is the complete cert properties file:

authcert.override=C:\\Program Files\\QZ Tray\\auth\\server.crt
wss.alias=qz-tray
wss.keypass=keypass
wss.storepass=storepass
wss.host=0.0.0.0

Answer 1

The qz-tray.properties override will be introduced with version 2.0.2 and at the time of writing this, 2.0.1 is the latest stable release.

Possible options:

• Wait for 2.0.2 / compile from source and use the qz-tray.properties override value

  • -- OR --

• Wait for 2.0.2 / compile from source but provide the certificate at packaging time, which will allow the override.crt to be distributed directly with the installer.

  ant nsis -Dauthcert.use=override.crt
  

  • -- OR --

• Use 2.0.1 and start the software with the certificate override via command line. e.g:

  java -DtrustedRootCert=override.crt -jar qz-tray.jar
  

Since the latter option requires modification of the QZ Tray desktop launcher, this will ultimately lead to non-obvious issues when auto-start is enabled (e.g. auto-start on Windows is triggered by qz-tray.exe which will launch without the -DtrustedRootCert parameter).

This is why the 2.0.2 feature of providing the certificate permanently in qz-tray.properties is much preferred. Note, compiling the latest QZ Tray is a few quick steps.

But this is only half of the battle. To suppress the security warnings, each message must be digitally signed. This is where the server.key comes into play. We call this private-key.pem in our examples.

Signing is generally done server-side although can be done client-side with risk of key leakage. This process is explained best in the sign-messages wiki.

Signing Messages

• Signing uses the private key to create an SHA1 signature (which is appended to the JSON message to QZ Tray).
• In 1.9, the signature was based on the message contents, but 2.0 switched to hashing the message first for performance and compatibility reasons.
• If the signature provided validates against the certificate/chain and hasn't reached a timeout, and the certificate isn't revoked and isn't expired, the security warning goes away.

PHP Signing Example:

<? // sign-message.php

$KEY = 'private-key.pem'; // or 'server.key', etc
$req = $_GET['request'];  // i.e. 'toSign' from JS
$privateKey = openssl_get_privatekey(file_get_contents($KEY));
$signature = null;
openssl_sign($req, $signature, $privateKey);
if ($signature) {
    header("Content-type: text/plain");
    echo base64_encode($signature);
    exit(0);
}
echo '<h1>Error signing message</h1>';
exit(1);

?>

JavaScript:

qz.security.setSignaturePromise(function(toSign) {
    return function(resolve, reject) {
       $.ajax("/foo/bar/sign-message.php?request=" + toSign).then(resolve, reject);
    };
});

qz.security.setCertificatePromise(function(resolve, reject) {
    $.ajax("/foo/bar/digital-certificate.txt").then(resolve, reject); // or `server.crt`, etc
});

Note: To prevent key leakage, the private key should always be kept in a directory inaccessible by a web browser.

Answer 2

Just suppress warning

If you're using QZ Tray in an isolated machine (like in my case), local environment or for any reason you don't need to encrypt messages and just wanna get rid of the warning message you can disable the warning dialog itself.

Disclaimer: This method is not supposed to be used in production, messages won't be signed, any website can talk to your hardware, use under your own risk.

1. Clone the QZ Tray repository ( https://github.com/qzind/tray.git ).
2. Fulfill the compiling dependencies: Ant, Java, NSIS (Windows). If you're using windows I recommend you use Chocolatey, with Chocolatey it's straightforward to install those dependencies.
3. Get a code editor or IDE (I used IntelliJ Idea community edition).

4. Navigate and edit /src/qz/ws/PrintSocketClient.java change line 476

   From this:

   if (cert.isTrusted() && cert.isSaved()) {
   

   into

   if (cert.isSaved()) {
   

5. Navigate and edit /src/qz/ui/GatewayDialog.java change line 92

   From

   allowButton.setEnabled(!persistentCheckBox.isSelected() || cert.isTrusted());
   

   into

   allowButton.setEnabled(true);
   

6. Compile using:

   • ant nsis for windows
   • ant pkgbuild for MacOS
   • ant makeself for linux

   Actually this won't only compile but also creates the installer. QZ team did a great job automatizing everything.

7. Install QZ tray using the installer just created.

8. The first time you'll see the warning but now you can Remember the decision to Allow forever.

I suggest to use self-signed certificates or pay premium support if you need a truly secure setup.