Notice about macOS Catalina and op
With macOS Catalina (10.15), Apple introduced new Gatekeeper functionality to check all programs for notarization before allowing them to run. This means that all developers are required to submit their software to Apple before release such that it can be scanned for malware and verified as legitimate.
op is notarized as of version 0.8.0; any previous versions will not work on macOS Catalina unless run using the op Docker image. Please update to 0.8.0 and install via the .pkg installer to use op on macOS.
Happy scripting!
Comments
-
Any idea how long this will take so I can upgrade to macOS Catalina and still use my 1Password membership? I clicked on the link above and have no clue what a Docker Container is or how to use this!!!
0 -
I forgot to mention that I use 1Password7 ... 1Password 7 Version 7.3.2 (70302004) from the 1Password Store
0 -
You're correct, it was confusing since I could find no information other than this one about the op, and now I do not know what that is. I thought op just meant one password.
0 -
No, not in this case :)
0 -
In case it helps you or anyone else, op is the actual command to run the 1Password command line app, which is the subject of this forum category. Cheers! :) :+1:
0 -
There are two other possible workarounds for those stuck without a working op command for the moment:
spctl --add `which op`
which does more or less the same thing that Finder does when you right-click a non-notarized / unsigned binary and click 'open' in the dialog that comes up, or this:
xattr -d com.apple.quarantine `which op`
which ... effectively tells macOS, "download? what download? I found this binary on my disk fully formed, maybe I compiled it myself, you don't need to protect me from it".
I'll definitely feel better when the binary is just notarized though :-).
0 -
@rudy my understanding is that stapling is just to facilitate offline verification, and as long as the Mac in question is internet-connected at first run time, it’ll download and cache the notarization anyway.
To that end, you can staple to a pkg file: https://scriptingosx.com/2019/09/notarize-a-command-line-tool/ which … I’m not sure of the mechanics here? Maybe it just sideloads the notarization blob into the system policy list? But it’s a supported workflow, somehow.
0 -
@glyph thanks for the pointers! Removing the attribute (xattr) worked for me.
I don't think the spctl command you listed works though. Before adding the rule to allow it, this is the --assess output:
After adding a rule, it still refuses to run. --assess output:
Removing the com.apple.quarantine attribute gets it working again though.
0 -
Thank you! (My minor update to the spctl debacle is that you have to do a thing in System Preferences manually to allow it after you've done --add, I'm not sure the command-line synonym for that. But this is no longer necessary now that it's notarized :))
@cohix I have some personal interest in how such a thing is accomplished - would you be willing to explain how the process was done? Does the binary somehow include the stapled notarization ticket, do you have to be online the first time you run it?
0 -
@glyph Absolutely! We built a new CD job that builds the op binary with an embedded Info.plist file, then uses packagesbuild to bundle it into a .pkg file. We then sign it with our developer certificate, zip it up, and upload it to the notary service. Our wonderful Apple dev team (shout out @rudy for all his knowledge) created a great script that does the zipping and uploading, and then polls the notary service until the job is complete, downloads the ticket, and staples it to the .pkg (which recursively staples the binary itself, iirc). That gets uploaded to our app-updates server where it's delivered to you fine folk :)
0
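
Before reaching for the xattr -d workaround discussed in this thread, it helps to see what the quarantine attribute records and what Gatekeeper and codesign report for the file. The script below is an added example, not part of the original thread or 1Password's tooling; the function names and sample values are constructed, and the flags;hex-timestamp;agent;UUID layout is an assumption based on the commonly observed format of the attribute.

```shell
#!/bin/sh
# Added example: inspect a file's Gatekeeper state before deciding whether
# to strip com.apple.quarantine. Function names are hypothetical.

# Split a com.apple.quarantine value, assumed to be laid out as
# "flags;hex_epoch;agent;event_uuid", and print the decoded fields.
parse_quarantine() {
    value=$1
    case $value in
        *';'*';'*) ;;                          # need at least three fields
        *) echo "unparseable"; return 1 ;;
    esac
    flags=${value%%;*}
    rest=${value#*;}
    stamp=${rest%%;*}
    rest=${rest#*;}
    agent=${rest%%;*}
    case $stamp in                             # timestamp must be pure hex
        ''|*[!0-9a-fA-F]*) echo "unparseable"; return 1 ;;
    esac
    epoch=$((0x$stamp))                        # hex seconds since Unix epoch
    echo "flags=$flags epoch=$epoch agent=${agent:-unknown}"
}

# Report quarantine, Gatekeeper and signature state for one file.
# Relies on the macOS tools xattr, spctl and codesign; returns 2 elsewhere.
gatekeeper_report() {
    target=$1
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found: not macOS"; return 2; }
    if q=$(xattr -p com.apple.quarantine "$target" 2>/dev/null); then
        echo "quarantine: $(parse_quarantine "$q")"
    else
        echo "quarantine: attribute not set"
    fi
    # Gatekeeper's own verdict, then an independent signature check.
    spctl --assess --type execute -vv "$target" 2>&1 | sed 's/^/spctl: /'
    codesign --verify --strict --verbose=2 "$target" 2>&1 | sed 's/^/codesign: /'
}

# Usage: sh gatekeeper_report.sh /path/to/binary
if [ $# -gt 0 ]; then
    gatekeeper_report "$1"
fi
```

The agent and timestamp show which application downloaded the file and when, which is the provenance that deleting the attribute discards.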