Issue with unsigned beta package

I'm trying to deploy 1Password 7 Beta (via Jamf) to a handful of different team members and the deployment fails. Both on macOS Catalina & Big Sur.

Upon review, it seems that unlike the regular package, the beta version is unsigned. Would it be possible to sign these moving forward, as it aligns with macOS (and our enterprise) security requirements?

Please and thank you! :)


1Password Version: 1Password 7 Version 7.7.1.BETA-7 (70701007)
Extension Version: Not Provided
OS Version: macOS 11
Sync Type: Not Provided

Comments

  • rudyrudy

    Team Member
    edited February 10

    @uu_sharkey,

    That's not what we're seeing here:

    pkgutil --check-signature ~/Downloads/1Password-7.7.1.BETA-7.pkg  
    Package "1Password-7.7.1.BETA-7.pkg":
       Status: signed by a developer certificate issued by Apple for distribution
       Signed with a trusted timestamp on: 2021-02-04 21:48:26 +0000
       Certificate Chain:
        1. Developer ID Installer: AgileBits Inc. (2BUA8C4S2C)
           Expires: 2022-03-03 19:23:21 +0000
           SHA256 Fingerprint:
               75 74 B9 83 A6 43 7E FB 23 B9 4E B4 BE 19 F5 07 35 20 40 DB 2D 4F 
               99 3D 22 DA C7 6B 3B 1C 85 FF
           ------------------------------------------------------------------------
        2. Developer ID Certification Authority
           Expires: 2027-02-01 22:12:15 +0000
           SHA256 Fingerprint:
               7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 
               F2 9C 88 CF B0 B1 BA 63 58 7F
           ------------------------------------------------------------------------
        3. Apple Root CA
           Expires: 2035-02-09 21:40:36 +0000
           SHA256 Fingerprint:
               B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 
               68 C5 BE 91 B5 A1 10 01 F0 24
    

    I'd be willing to investigate though, what app are you inspecting the package with?

    Seems like it might be https://mothersruin.com/software/SuspiciousPackage/get.html ?

    Just ran it on the same pkg file and the result was this…

    The only difference i see between our screenshots is yours says "No Scripts" where mine says "All Scripts", if your package didn't come directly from us or was modified by another step to remove the scripts then that would invalidate both the signature and notarization of the pkg.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file