抑制“本地主机想要访问连接的打印机不受信任的网站"访问打印机时 - QZ-tray [英] Suppress "localhost wants to access connected printers Untrusted Website" when accessing Printers - QZ-tray

问题描述

如何正确抑制

本地主机想要访问连接的打印机不受信任的网站

localhost wants to access connected printers Untrusted Website

访问打印机时的模式?

我已尝试通过此 OpenSSL 命令创建证书:

I've tried to create a certificate through this OpenSSL command:

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout server.key -out server.crt

然后像这样添加覆盖:

authcert.override=server.crt

在 qz-tray.properties 文件中.

不过还是一样，对话框没有被抑制.可能有什么问题?

However it is still the same the dialog box is not suppressed. What could be wrong?

这是完整的证书属性文件:

This is the complete cert properties file:

authcert.override=C:\\Program Files\\QZ Tray\\auth\\server.crt
wss.alias=qz-tray
wss.keypass=keypass
wss.storepass=storepass
wss.host=0.0.0.0

推荐答案

qz-tray.properties 覆盖将在 2.0.2 版本中引入在撰写本文时，2.0.1 是最新的稳定版本.

The qz-tray.properties override will be introduced with version 2.0.2 and at the time of writing this, 2.0.1 is the latest stable release.

可能的选择:

• 等待 2.0.2/从源代码编译和使用 qz-tray.properties 覆盖值

• -- 或 --

等待 2.0.2/从源代码编译在打包时提供证书，这将允许 override.crt 直接与安装程序一起分发.

Wait for 2.0.2 / compile from source but provide the certificate at packaging time, which will allow the override.crt to be distributed directly with the installer.

ant nsis -Dauthcert.use=override.crt

• -- 或 --

使用 2.0.1 并通过命令行使用证书覆盖启动软件.例如:

Use 2.0.1 and start the software with the certificate override via command line. e.g:

java -DtrustedRootCert=override.crt -jar qz-tray.jar

由于后一个选项需要修改 QZ Tray 桌面启动器，因此当启用自动启动时，这最终会导致不明显的问题(例如，Windows 上的自动启动由 qz-tray.exe 触发，它将在不启动的情况下启动)-DtrustedRootCert 参数).

Since the latter option requires modification of the QZ Tray desktop launcher, this will ultimately lead to non-obvious issues when auto-start is enabled (e.g. auto-start on Windows is triggered by qz-tray.exe which will launch without the -DtrustedRootCert parameter).

这就是为什么在 qz-tray.properties 中永久提供证书的 2.0.2 功能是更受欢迎的原因.请注意，编译最新的 QZ Tray 是一个几个快速步骤.

This is why the 2.0.2 feature of providing the certificate permanently in qz-tray.properties is much preferred. Note, compiling the latest QZ Tray is a few quick steps.

但这只是战斗的一半.为了抑制安全警告，每条消息都必须经过数字签名.这就是 server.key 发挥作用的地方.我们在示例中将其称为 private-key.pem.

But this is only half of the battle. To suppress the security warnings, each message must be digitally signed. This is where the server.key comes into play. We call this private-key.pem in our examples.

签名通常在服务器端完成，尽管 可以在客户端完成，密钥泄露风险.sign-messages wiki 中对这个过程进行了最好的解释.

Signing is generally done server-side although can be done client-side with risk of key leakage. This process is explained best in the sign-messages wiki.

签署消息

• 签名使用私钥创建一个 SHA1 签名(其中附加到 QZ Tray 的 JSON 消息中).
• 在 1.9 中，签名基于消息内容，但 2.0 切换到 出于性能和兼容性原因，首先对消息进行哈希处理.
• 如果提供的签名验证证书/链并且没有 达到超时，并且证书未吊销且未过期，安全警告消失.
• Signing uses the private key to create an SHA1 signature (which is appended to the JSON message to QZ Tray).
• In 1.9, the signature was based on the message contents, but 2.0 switched to hashing the message first for performance and compatibility reasons.
• If the signature provided validates against the certificate/chain and hasn't reached a timeout, and the certificate isn't revoked and isn't expired, the security warning goes away.

PHP 签名示例:

<? // sign-message.php

$KEY = 'private-key.pem'; // or 'server.key', etc
$req = $_GET['request'];  // i.e. 'toSign' from JS
$privateKey = openssl_get_privatekey(file_get_contents($KEY));
$signature = null;
openssl_sign($req, $signature, $privateKey);
if ($signature) {
    header("Content-type: text/plain");
    echo base64_encode($signature);
    exit(0);
}
echo '<h1>Error signing message</h1>';
exit(1);

?>

JavaScript:

qz.security.setSignaturePromise(function(toSign) {
    return function(resolve, reject) {
       $.ajax("/foo/bar/sign-message.php?request=" + toSign).then(resolve, reject);
    };
});

qz.security.setCertificatePromise(function(resolve, reject) {
    $.ajax("/foo/bar/digital-certificate.txt").then(resolve, reject); // or `server.crt`, etc
});

注意:为防止密钥泄露，私钥应始终保存在网络浏览器无法访问的目录中.

Note: To prevent key leakage, the private key should always be kept in a directory inaccessible by a web browser.

这篇关于抑制“本地主机想要访问连接的打印机不受信任的网站"访问打印机时 - QZ-tray的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！