Important Update

Hi All

Please see the below snippet from Google that all Chromium and Chromium OS devs received recently.

This news has caused something of an uproar in the community; see https://groups.google.com/a/chromium.org/g/embedder-dev, https://bodhi.fedoraproject.org/updates/FEDORA-2021-48866282e5 and https://www.omgubuntu.co.uk/2021/01/chromium-sync-google-api-removed for a few examples.

This will affect all Open Source builders of Chromium, so it will prevent sync from the browser that people build for Arch, Gentoo and Debian (to name a few). It will of course also affect Chromium OS.

What does the below update really mean?

As of March 15th, the API keys that are currently embedded within the image will be severely rate limited. Since Google will also alter their Terms of Service, I will no longer be able to even embed the API keys into the ChromiumOS image.

This does not mean it's all over, however, but it means that once the keys are removed, new builds of the Chromium OS you all use will no longer be able to log in.

From the 27th February I will be removing the embedded keys from Special and Daily builds. I cannot deviate from the Google ToS change so must adhere to the new ruling.

On March 15th, I will also be disabling the current API. This will negate login on builds older than the 27th February, as will Google's changes. You can still use old images but they may not permit login. Guest accounts will still function as designed, however.

What can we all do?

In order to continue using Chromium OS with a login, you will need to deploy your own API keys at run time. I have to stress that these keys will still be rate limited but will suffice for development purposes.

The above dates still give you 2 weeks to get your own API keys and deploy at runtime as per the guidance from Google.

To get your API Keys:

  • Follow the guidance noted in https://www.chromium.org/developers/how-tos/api-keys to create yourself an API Key, Client_ID and Secret. Please note, as per the API Document, the keys you have now acquired are not for distribution purposes, and are only for development use.
  • Download the latest daily or special build from https://chromium.arnoldthebat.co.uk/
  • Install or boot the image from USB, and use Ctrl-Alt-F2 to get to the command line. Log in as chronos. Alternatively, use the shell from a guest account session.
  • Edit /etc/chrome_dev.conf and add the following:
        GOOGLE_API_KEY=your_api_key
        GOOGLE_DEFAULT_CLIENT_ID=your_client_id
        GOOGLE_DEFAULT_CLIENT_SECRET=your_client_secret

Reboot and enjoy!
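If you would rather script the edit than do it by hand, the function below is one way to do it. It is an added example, not part of the original post or of Chromium OS: the name set_api_keys is hypothetical, and it assumes the shell it runs in is allowed to write to the file. It replaces any earlier key lines instead of appending duplicates, keeps every other line in the file, and refuses the placeholder values shown above.

```shell
#!/bin/sh
# Added example: idempotently write the three runtime key settings into a
# chrome_dev.conf-style file. set_api_keys is a hypothetical helper name.
#
# Usage: set_api_keys /etc/chrome_dev.conf API_KEY CLIENT_ID CLIENT_SECRET
set_api_keys() {
    conf=$1 api_key=$2 client_id=$3 client_secret=$4

    # Refuse empty values, the placeholder text from the instructions,
    # and values containing a space (which would corrupt the line).
    for v in "$api_key" "$client_id" "$client_secret"; do
        case $v in
            ''|your_*) echo "refusing empty or placeholder value" >&2; return 1 ;;
            *' '*)     echo "refusing value containing a space" >&2; return 1 ;;
        esac
    done

    [ -f "$conf" ] || { echo "$conf not found" >&2; return 1; }

    tmp=$(mktemp) || return 1

    # Copy everything except earlier key definitions, so a re-run replaces
    # the keys rather than stacking duplicates. grep exits 1 when nothing
    # is left to print; only a higher status is a real error.
    grep -v -E '^(GOOGLE_API_KEY|GOOGLE_DEFAULT_CLIENT_ID|GOOGLE_DEFAULT_CLIENT_SECRET)=' \
        "$conf" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }

    {
        printf 'GOOGLE_API_KEY=%s\n' "$api_key"
        printf 'GOOGLE_DEFAULT_CLIENT_ID=%s\n' "$client_id"
        printf 'GOOGLE_DEFAULT_CLIENT_SECRET=%s\n' "$client_secret"
    } >> "$tmp"

    # Write back through the existing file so its owner and mode are kept.
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
}
```

Because the keys are for development use only and not for distribution, keep them out of any image or script you share with others.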



Development update from Google:

Hi Chromium Developer,

We are writing to let you know that starting March 15, 2021, end users of Chromium and Chromium OS derivatives using google_default_client_id and google_default_client_secret on their build configuration will no longer be able to sign into their Google Accounts.

What do I need to know?
During a recent audit, we discovered that some 3rd-party Chromium-based browsers had keys that were allowed to access Google APIs and services that are reserved for Google use only. Chrome Sync is the most notable of these APIs.

In practice, this means that a user would be able to access their personal Chrome Sync data (such as bookmarks) not just with Chrome, but also with a non-Google, Chromium-based browser. Please note that users would only be able to access their own Chrome Sync data, and only a small fraction of users of Chromium based browsers were impacted. We have no reason to believe that user data is being abused or accessed by anyone other than the users themselves.

As part of Google’s efforts to improve user data security, we are removing access from Chromium and Chromium OS derivatives that used google_default_client_id and google_default_client_secret on their build configuration to Google-exclusive APIs starting on March 15, 2021. Guidance for vendors of Chromium derivative products is available on the Chromium wiki.

What does this mean for my users?
Users of products that are incorrectly using these APIs will notice that they won’t be able to log into their Google Accounts in those products anymore.

For users who accessed Google features (like Chrome Sync) through a 3rd-party Chromium-based browser, their data will continue to be available in their Google Account, and data that they have stored locally will continue to be available locally.

As always, users can view and manage their data through Google Chrome, Chrome OS, and/or on the My Google Activity page, and they can also download their data from the Google Takeout page, and/or delete it from this page.

What do I need to do?
To avoid disruption, follow the instructions for configuring and building Chromium derivatives in the Chromium Wiki (link provided above).