Read first: Previous version support information

Issue with unsigned beta package

uu_sharkey
uu_sharkey
Community Member
edited April 2023 in 1Password 3 – 7 for Mac

I'm trying to deploy 1Password 7 Beta (via Jamf) to a handful of different team members and the deployment fails. Both on macOS Catalina & Big Sur.

Upon review, it seems that unlike the regular package, the beta version is unsigned. Would it be possible to sign these moving forward, as it aligns with macOS (and our enterprise) security requirements?

Please and thank you! :)

1Password Version: 1Password 7 Version 7.7.1.BETA-7 (70701007)
Extension Version: Not Provided
OS Version: macOS 11
Sync Type: Not Provided

Comments

  • rudy
    rudy
    edited February 2021

    @uu_sharkey,

    That's not what we're seeing here:

    pkgutil --check-signature ~/Downloads/1Password-7.7.1.BETA-7.pkg  
Package "1Password-7.7.1.BETA-7.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2021-02-04 21:48:26 +0000
   Certificate Chain:
    1. Developer ID Installer: AgileBits Inc. (2BUA8C4S2C)
       Expires: 2022-03-03 19:23:21 +0000
       SHA256 Fingerprint:
           75 74 B9 83 A6 43 7E FB 23 B9 4E B4 BE 19 F5 07 35 20 40 DB 2D 4F 
           99 3D 22 DA C7 6B 3B 1C 85 FF
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 
           F2 9C 88 CF B0 B1 BA 63 58 7F
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 
           68 C5 BE 91 B5 A1 10 01 F0 24

    I'd be willing to investigate though, what app are you inspecting the package with?

    Seems like it might be https://mothersruin.com/software/SuspiciousPackage/get.html ?

    Just ran it on the same pkg file and the result was this…

    The only difference i see between our screenshots is yours says "No Scripts" where mine says "All Scripts", if your package didn't come directly from us or was modified by another step to remove the scripts then that would invalidate both the signature and notarization of the pkg.

This discussion has been closed.