1Password 7 fails code sign check
When checking the code signature on 1Password 7.app:
codesign -dvvv -R="identifier ws.agile and anchor trusted" 1Password\ 7.app
the codesign utility returns:
1Password 7.app: host has no guest with the requested attributes
The executable binary at
5644736 5 May 23:21 1Password 7.app/Contents/MacOS/1Password 7
has the SHA256 of:
cc6943dc1587e7725fefa79b48a5195528c544020cba0545a5e7584b53a5564b
Can you verify that this is correct?
For reference: It appears to be a similar problem reported here many years ago, but the discussion ended without a solution or useful explanation:
https://discussions.agilebits.com/discussion/3493/please-post-checksum-for-downloads
1Password Version: 1Password 7
Version 7.5 (70500003)
1Password Store
Extension Version: Not Provided
OS Version: 10.15.5
Sync Type: Not Provided
Comments
-
There is also a further warning from RBAppChecker Lite, which does seem to be able to recognise a valid code signature, but warns of mismatched profile.
0 -
Hi @philas! Welcome to the forum!
the codesign utility returns:
1Password 7.app: host has no guest with the requested attributes
Are you running this in the correct folder? Try replacing the command you used with
codesign -dvvv -R="identifier ws.agile and anchor trusted" /Applications/1Password\ 7.app
so it includes the Applications folder?
0 -
Huh. Indeed. My bad.
And the profile mismatch?
0 -
OK, thx. :)
0 -
:+1:
I will send you an update as soon as I hear back :)
0 -
Hi @philas,
It is great to know that people are checking the code signatures. For the most part, the OS does this for you, but this way you can see that 1Password isn't just signed by any developer, but actually by us. I suspect that the problem is that your code signature check looked for an identifier for ws.agile (which was from a very very long time ago). The current app identifier is com.agilebits.1password7, but that really isn't what you need to be checking.
One of the difficulties with the codesign command line tool is that it is hard (I haven't found a way) to both check that it "meets requirements on disk" and to have additional requirements in a single command. So we need to do two separate checks.
Who signed it?
So first just do
codesign -dvv /Applications/1Password\ 7.app
and manually check in its output for the "Authority" fields, which should look like this.
Authority=Developer ID Application: AgileBits Inc. (2BUA8C4S2C)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
That tells you who it was signed by (and who signed the signing certificates). But this doesn't actually check the actual signature against what you have on your disk.
Is it a good signature?
To check the signature is valid for what you have on disk, run
codesign --verify --verbose /Applications/1Password\ 7.app
And then just look for whether it both is "valid on disk" and that it "meets its designated requirements".
This last step is fully automated by the operating system during installation and launch. So often you really only need to do the first step to see that we, AgileBits, are the ones who signed it.
0
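The two checks from the last reply, combined into one script, as an added example that is not part of the original thread or AgileBits' own tooling. The function names and the two sample outputs are constructed for illustration; the expected Authority chain is the one quoted in the reply.

```shell
#!/bin/sh
# Added example. Expected chain copied from the Authority lines quoted in the
# thread (leaf certificate first, root last).
EXPECTED_CHAIN='Developer ID Application: AgileBits Inc. (2BUA8C4S2C)
Developer ID Certification Authority
Apple Root CA'

# Read `codesign -dvv` output on stdin; succeed only if the Authority lines
# match EXPECTED_CHAIN exactly and in order. A missing or extra entry fails.
authority_chain_ok() {
    chain=$(sed -n 's/^Authority=//p')
    [ "$chain" = "$EXPECTED_CHAIN" ]
}

# Run both checks against an app bundle (needs the macOS codesign tool).
check_app() {
    app=$1
    # Step 1: who signed it? codesign -d writes its report to stderr.
    codesign -dvv "$app" 2>&1 | authority_chain_ok || {
        echo "FAIL: unexpected signing authority for $app" >&2; return 1; }
    # Step 2: is the signature valid for what is on disk?
    codesign --verify --verbose "$app" || {
        echo "FAIL: signature does not verify for $app" >&2; return 2; }
    echo "OK: $app"
}

# Constructed samples of `codesign -dvv` output for trying the parser offline.
SAMPLE_GOOD='Executable=/Applications/1Password 7.app/Contents/MacOS/1Password 7
Identifier=com.agilebits.1password7
Authority=Developer ID Application: AgileBits Inc. (2BUA8C4S2C)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'
SAMPLE_BAD='Identifier=com.agilebits.1password7
Authority=Developer ID Application: Example Corp (XXXXXXXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

# Usage: sh check.sh "/Applications/1Password 7.app"
if [ $# -gt 0 ]; then
    check_app "$1"
fi
```

Step 1 alone only reads the signing information, so a bundle modified after signing can still show the expected Authority lines; the script reports success only when step 2 also passes.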