hyper: Cannot Install Plugins/Themes with CLI

  • I am on the latest Hyper.app version
  • I have searched the issues of this repo and believe that this is not a duplicate
  • OS version and name: macOS Sierra 10.12.6
  • Hyper.app version: 2.0.0
  • Link of a Gist with the contents of your .hyper.js: .hyper.js
  • Relevant information from devtools (CMD+ALT+I on macOS, CTRL+SHIFT+I elsewhere): N/A
  • The issue is reproducible in vanilla Hyper.app: Yes, this is an issue with the CLI.

Issue

Whenever I try to install anything with $ hyper install I get the following error:

unable to verify the first certificate
Plugin check failed. Check your internet connection or retry later.

I am using a school computer behind a firewall, and in the past, I have had the same problems with npm and apm. With those two cases, I was able to fix the issue by running [cmd] config set strict-ssl false, but there is no way of doing this with hyper.

I created this same issue in hpm, back when that was relevant, but never got a response.

Update

I now use NODE_EXTRA_CA_CERTS (yay), but Hyper doesn’t honour this, as @jerquiaga points out.

About this issue

  • Original URL
  • State: closed
  • Created 6 years ago
  • Reactions: 3
  • Comments: 24 (4 by maintainers)

Most upvoted comments

We’re using a rebuilt version of yarn to install plugins.

I don’t think there’s enough demand for such a setting that it would be worth adding and maintaining.

There is a workaround:

  1. Add plugin to ~/.hyper.js
  2. Open terminal and cd ~/.hyper_plugins/
  3. Install via your low security npm npm install
  4. Plugins should work

Hope that helps 👍

Also sounds like your school is intercepting your traffic via a custom SSL cert, I would try everything to get around that, they are decrypting your traffic and can get all your passwords and everything you send on the webs…

+12
albinekb on Apr 18, 2018

Sure disabling is not a good idea. Introducing the functionality to add a custom CA would be the preferred way. However, how does a VPN solves the problem? I assume most people using hyper are devs or other IT guys working in a Company with a certain policy which are most likely neither allowed to build a vpn outside the company network, nor wiling to do such an affort for a “plugin”

+6
ghost on Apr 24, 2018

While I disagree with the tone of @dannyyy’s comment, I understand the point they are trying to make.

@albinekb I agree that strict-ssl=false is a security risk. At the same time, advocating that users try to bypass their school/corporate firewall is a non-starter for most. There should be a way (preferences setting?) to set a cafile path that the yarn-standalone will use as a trusted ca so that users can CHOOSE to trust their corporate proxy ca. That way you can still maintain SSL, install plugins, and not lose your job/get expelled. This approach works very well (it’s how I use npm at work currently).

+5
jerquiaga on Feb 15, 2019

sadly not much we can do here, we also have a ton of other issues about the CLI so closing this one

+4
Stanzilla on Oct 10, 2019

I just realized that you can use the localPlugins config to get around this problem:

  // in development, you can create a directory under
  // `~/.hyper_plugins/local/` and include it here
  // to load it and avoid it being `npm install`ed
  localPlugins: [
    'hyper-material-theme',
    'hyper-tabs-enhanced'
  ],

Just clone the plugins to ~/.hyper_plugins/local/ and run npm install inside of each plugin. This is the best workaround I’ve found so far and it isn’t that much of an inconvenience for me. Might still be nice to have a more built-in config setup, but not a big deal with this workaround.

+2
zicklag on Mar 15, 2019

If I’m behind an institutional firewall that is reading my passwords and I’ve already installed the trusted CA, hyper is not going to protect me by refusing to install plugins. I’d have given up control of security well before getting to this point. I’m not sure what real harm this is trying to protect me from.

+1
hughes on Mar 5, 2019

I share the same problem than the others have. I’m behind a corporate web-proxy. Well SSL interception is also in place but the corporate root CAs where in the certificate store.

I have npm installed and set the necessary http_proxy/https_proxy/no_proxy config entries. As well as added the same entries to the environment variables and my windows default proxy settings are also set. npm, git and many others are performing very well with this settings. Only hyper is fully ignoring all kind of proxy settings. @albinekb respecting system proxy settings isn’t a security flaw, requesting to download and place suspicous things in the ~/.hyper_plugins/.

After reading this and other issues I believe hyper is not targeting serious IT professionals. I guess they promote a fancy terminal app to scriptkiddis. I see no other reason for that kind of ignorance over month/years. In addition I have to assume, that their cloud products also targets hobbyist an not serious professional customers.

For all the others cmder on Windows is a great terminal alternative.

+1
dannyyy on Feb 15, 2019

Curious if any progress has been made on this. It seems that Hyper doesn’t honor the NODE_EXTRA_CA_CERTS environment variable if it’s set. We use a proxy at work and I had to set that environment variable with the path to the cert used by the proxy. Then npm will trust that cert and allow downloads. I can npm install plugins in the plugin directory, but Hyper can’t update/install plugins itself.

+1
jerquiaga on Jan 5, 2019

Why wouldn’t you just honor strict-ssl=false in the .npmrc?

+1
sskoopa on Oct 23, 2018
Read more comments on GitHub
← hyper: Cannot install plugins using `hyper i {plugin}`
hyper: Cannot type Chinese characters →