Linux/macOS/BSD chromium cookies could not be decrypted; failed to decrypt cookie (AES-CBC) because UTF-8 decoding failed #6564
Comments
Are these detected correctly? cc @mbway |
|
(also note that |
|
@pukkandan Yes about Cinnamon, not sure about GNOMEKEYRING how do i check? @coletdjnz How do i download form panopto than? |
You will need to manually export the cookies from your browser. Note that in my experience this has to be done every so often for panopto. https://github.com/yt-dlp/yt-dlp/wiki/FAQ#how-do-i-pass-cookies-to-yt-dlp |
|
As for why some cookies aren't decrypting properly, this looks like another case where the password is not obtained correctly, but the reason why isn't obvious. Like with previous cases, some cookies are reported successful decrypted. I think this just means decryption finished without error but the result could still be wrong. A basic (but not foolproof) check for whether chromium is using the gnome keyring would be to run seahorse and see if you see a Since you're concerned with Panopto you may not be interested in troubleshooting this issue further, but if you are: If you could install another chromium based browser that you haven't used before (eg brave), log into a service like youtube and attempt |
|
If you are on Linux, things like tmux may somehow affect how the decryption key is grabbed (in my case via KWallet 5). Most often I have to use yt-dlp without tmux. |
|
that is bizarre if that's the case. I can't reproduce the issue. I tried the following situations:
I had no issues. If you can find a situation that repeatably breaks I can take a look |
|
I was having the same issue with chromium browser (Gnome desktop) Using seahorse I saw that I had multiple |
|
@Despruk Thank you. This helped me to solve the same problem. In my case it was Discord and VSCode that created another |
|
After a system and likely Chrome update, getting this error again. Chrome Beta 130.0.6723.6 |
|
Any news ? |
|
Most likely it's the same issue as this |
That issue looks like it only applies to Windows. |
|
sorry, with the rookie issue being posted so recently I assumed it had to be related without looking carefully. Although the symptom is the same as the original post in this issue thread, this probably warrants a new issue being opened since the cause of these new decryption issues is clear (caused by chrome upgrade). I have been able to reproduce the error with chrome 130.0.6723.19 on Arch/KDE6. I read through the changelog for recent changes to cookie storage in chromium but didn't find anything obvious that could be causing the breakage. https://chromium.googlesource.com/chromium/src/+log/refs/heads/main/components/os_crypt I tried playing around with some data as well and have some notes:
|
|
This morning I was on an older Chrome beta (not updated machine, but not horribly out of date) and password decryption was still working. So it's definitely a very recent change. |
|
What was the version of the working chrome? If it comes to bisecting commits it might narrow it down |
|
The working version of beta was 128.0.6613.36 from about 2 months ago. Non-working likely 130.0.6723.6 and beyond (or perhaps 130.anything and beyond). I also would say probably most or all of the 129 versions work but I cannot confirm. This is just based on that ever since about my update to 130.0.6723.6 the decryption stopped working. https://github.com/gentoo/gentoo/commits/master/www-client/google-chrome-beta for versions I've been using. |
|
I'm running into this after updating my system Arch with Plasma 6.2.1 with kwallet disabled and ~/.config/kwalletrc contains For yt-dlp using where previously no issues. |
|
and to help bisect this was the last version of chromium I was using where it was working: chromium-129.0.6668.58-1 from ~ Sept 17 |
|
I fixed it by hacking around the problem. I tracked the "source" of this message: The decryption of cookies is decoding the decrypted "plaintext" using UTF-8. And for some reason, I didn't yet track why exactly, there are 32 extra bytes of garbage at the beginning of the string. As others noted, this started very recently. https://github.com/yt-dlp/yt-dlp/blob/2a24674/yt_dlp/cookies.py#L1013-L1021 The " I changed it to cut off these extra bytes " Hopefully this clue leads to someone solving the issue without hacking around it. |
|
Maybe check the sources of Chromium? |
|
the hack works here chromium/chromium@129.0.6668.58...130.0.6723.58 has a bazillion changes. might need to bisect unless knowing where to look just looking at the diff between those tags searching for keywords like AES CBC, may be some hints in various changes in -// Default signature length for signing with symmetric keys.
+// Default constants for symmetric keys.
+const int kDefaultSymKeySize = 32;
const int kDefaultSymSignatureLength = 32;that was just replacing a hard coded value, but maybe the 32 bytes is a key or signature idk |
|
happening same with gallery-dl too! |
This works great! I think a PR should be made with this change as it will keep BC: diff --git a/yt_dlp/cookies.py b/yt_dlp/cookies.py
index 4a69c576b..5a5dbe941 100644
--- a/yt_dlp/cookies.py
+++ b/yt_dlp/cookies.py
@@ -1016,7 +1016,10 @@ def _decrypt_aes_cbc_multi(ciphertext, keys, logger, initialization_vector=b' '
try:
return plaintext.decode()
except UnicodeDecodeError:
- pass
+ try:
+ return plaintext[32:].decode()
+ except UnicodeDecodeError:
+ pass
logger.warning('failed to decrypt cookie (AES-CBC) because UTF-8 decoding failed. Possibly the key is wrong?', only_once=True)
return None |
|
This change is working well for me also, thanks 🎉 |
|
Backwards compatibility might be an issue since it will break for older versions and browsers using an older chromium base |
|
@mbway If we try first with the full plaintext before slicing, that should be backwards compatible, yeah? diff --git a/yt_dlp/cookies.py b/yt_dlp/cookies.py
index 4a69c576b..6ecc354cc 100644
--- a/yt_dlp/cookies.py
+++ b/yt_dlp/cookies.py
@@ -1013,10 +1013,11 @@ def pbkdf2_sha1(password, salt, iterations, key_length):
def _decrypt_aes_cbc_multi(ciphertext, keys, logger, initialization_vector=b' ' * 16):
for key in keys:
plaintext = unpad_pkcs7(aes_cbc_decrypt_bytes(ciphertext, key, initialization_vector))
- try:
- return plaintext.decode()
- except UnicodeDecodeError:
- pass
+ for cookie in (plaintext, plaintext[32:]):
+ try:
+ return cookie.decode()
+ except UnicodeDecodeError:
+ pass
logger.warning('failed to decrypt cookie (AES-CBC) because UTF-8 decoding failed. Possibly the key is wrong?', only_once=True)
return None
|
|
The issue that was being discussed since 2024.10.01 was resolved by 4613096, and this issue has been closed. As mbway said upthread though, the original post in this thread was about a different issue with merely the same symptom. Since mbway could not reproduce the issue, and since Despruk found a workaround for an external issue that may have been the same thing as the OP was experiencing, I am keeping this issue closed for now. If the original author of this issue or anyone else experiences a problem similar to the original post using the latest version, then they can share a new complete verbose log and this issue can be reopened. |
bashonly
changed the title
coletdjnz
added
the
core:cookies
DO NOT REMOVE OR SKIP THE ISSUE TEMPLATE
Checklist
Provide a description that is worded well enough to be understood
Trying to download a video from panopto doesn't seem to work as it doesnt seem to decrypt the cookies.
Very similar to #1073 which seems to be resolved
However I have the the most updated version but still seems to be not working.
I am running this on linux mint
Provide verbose output that clearly demonstrates the problem
yt-dlp -vU <your command line>)'verbose': TruetoYoutubeDLparams instead[debug] Command-line config) and insert it belowComplete Verbose Output
The text was updated successfully, but these errors were encountered: