Broken code signature verification

Options
eenblam
eenblam
Community Member
in Mac

Hi, y'all! Looks like the code signature for 1Password7 on Mac has been broken beginning with the release of 7.3.2. This breaks automated packaging for those of us that are deploying 1Password in enterprise environments.

After unpacking, check the signature of the application:

$ codesign --verify --deep --strict --verbose=1 ./1Password\ 7.app/
./1Password 7.app/: a sealed resource is missing or invalid
file added: /<snipped>/1Password 7.app/Contents/Resources/Base.lproj/.BC.T_loG4J9

This usually occurs when an artifact of the build process is added after signing takes place, so it might require a change to your packaging process.

1Password Version: 7.3.2
Extension Version: Not Provided
OS Version: OS X
Sync Type: Not Provided

Comments

  • Lars
    Lars
    1Password Alumni
    Options

    @eenblam - thanks for flagging this, but after checking on multiple machines, I suspect this is something in your environment; 1Password 7's code signature is valid here. 7.3.2 has been available since August 6, and this is the first report we've seen (at least that I'm aware of) for this issue, which I wouldn't expect to be the case if our code signature were actually broken. It also wouldn't connect to the browser extension, and multiple other issues. I'm not sure what might be wrong in your setup, but it doesn't appear to be a broken code signature for 1Password 7 for Mac. Did you perhaps run something like Monolingual or another "slimming" app on 1Password 7 after installation or as part of installation? Anything that modifies the bundle itself? Or perhaps add something to it? I ask because /1Password 7.app/Contents/Resources/Base.lproj/.BC.T_loG4J9 isn't part of the bundle from us.

  • eenblam
    eenblam
    Community Member
    Options

    Thanks Lars!

    You're right - what's currently being served doesn't have this added file. (It's just a binary plist of 1Password application data, e.g. a color profile.)

    We don't do anything to slim the bundle, but it is unpacked so that we can examine the application in addition the .pkg itself.

    What's strange is that we had previously pulled the same "nice" version of 7.3.2 on the day of release, but at some point after we had already packaged it, this one ended up in our cache. I'll have to review my logs to see what could have happened on our end. Thanks again for the super fast response!

  • Lars
    Lars
    1Password Alumni
    Options

    @eenblam - glad I was able to help!

This discussion has been closed.