Suppress "localhost wants to access connected printers Untrusted Website" when accessing Printers - QZ-tray

Question

How to properly Suppress the

localhost wants to access connected printers Untrusted Website

modal when accessing printers?

I've tried to create a certificate through this OpenSSL command:

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout server.key -out server.crt

Then addeed the override like this:

authcert.override=server.crt

in the qz-tray.properties file.

However it is still the same the dialog box is not suppressed. What could be wrong?

This is the complete cert properties file:

authcert.override=C:\\Program Files\\QZ Tray\\auth\\server.crt
wss.alias=qz-tray
wss.keypass=keypass
wss.storepass=storepass
wss.host=0.0.0.0

Answer 1

The qz-tray.properties override will be introduced with version 2.0.2 and at the time of writing this, 2.0.1 is the latest stable release.

Possible options:

• Wait for 2.0.2 / compile from source and use the qz-tray.properties override value

  • -- OR --

• Wait for 2.0.2 / compile from source but provide the certificate at packaging time, which will allow the override.crt to be distributed directly with the installer.

  ant nsis -Dauthcert.use=override.crt
  

  • -- OR --

• Use 2.0.1 and start the software with the certificate override via command line. e.g:

  java -DtrustedRootCert=override.crt -jar qz-tray.jar
  

Since the latter option requires modification of the QZ Tray desktop launcher, this will ultimately lead to non-obvious issues when auto-start is enabled (e.g. auto-start on Windows is triggered by qz-tray.exe which will launch without the -DtrustedRootCert parameter).

This is why the 2.0.2 feature of providing the certificate permanently in qz-tray.properties is much preferred. Note, compiling the latest QZ Tray is a few quick steps.

But this is only half of the battle. To suppress the security warnings, each message must be digitally signed. This is where the server.key comes into play. We call this private-key.pem in our examples.

Signing is generally done server-side although can be done client-side with risk of key leakage. This process is explained best in the sign-messages wiki.

Signing Messages

• Signing uses the private key to create an SHA1 signature (which is appended to the JSON message to QZ Tray).
• In 1.9, the signature was based on the message contents, but 2.0 switched to hashing the message first for performance and compatibility reasons.
• If the signature provided validates against the certificate/chain and hasn't reached a timeout, and the certificate isn't revoked and isn't expired, the security warning goes away.

PHP Signing Example:

<? // sign-message.php

$KEY = 'private-key.pem'; // or 'server.key', etc
$req = $_GET['request'];  // i.e. 'toSign' from JS
$privateKey = openssl_get_privatekey(file_get_contents($KEY));
$signature = null;
openssl_sign($req, $signature, $privateKey);
if ($signature) {
    header("Content-type: text/plain");
    echo base64_encode($signature);
    exit(0);
}
echo '<h1>Error signing message</h1>';
exit(1);

?>

JavaScript:

qz.security.setSignaturePromise(function(toSign) {
    return function(resolve, reject) {
       $.ajax("/foo/bar/sign-message.php?request=" + toSign).then(resolve, reject);
    };
});

qz.security.setCertificatePromise(function(resolve, reject) {
    $.ajax("/foo/bar/digital-certificate.txt").then(resolve, reject); // or `server.crt`, etc
});

Note: To prevent key leakage, the private key should always be kept in a directory inaccessible by a web browser.