Authenticating the 1Password CLI Installer Package on macOS Big Sur

nbuuck
nbuuck
Community Member
edited March 2021 in CLI

The docs for the 1Password CLI client op instruct users to verify package signature by clicking the padlock icon in the macOS package installation wizard. In macOS Big Sur, this icon isn't present when opening op_darwin_amd64_v1.8.0.pkg, but pkgutil indicates it is signed by a developer certificate issued by Apple:

me@host Downloads % pkgutil --check-signature op_darwin_amd64_v1.8.0.pkg
Package "op_darwin_amd64_v1.8.0.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2020-10-22 18:04:49 +0000
   Certificate Chain:
    1. Developer ID Installer: AgileBits Inc. (2BUA8C4S2C)
       Expires: 2024-10-23 17:10:43 +0000
       SHA256 Fingerprint:
           14 1D D8 7B 2B 23 12 11 F1 44 08 49 79 80 07 DF 62 1D E6 EB 3D AB 
           98 5B C9 64 EE 97 04 C4 A1 C1
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 
           F2 9C 88 CF B0 B1 BA 63 58 7F
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 
           68 C5 BE 91 B5 A1 10 01 F0 24

And spctl confirms proper notarization.

me@host Downloads % spctl -a -vv -t install op_darwin_amd64_v1.8.0.pkg
op_darwin_amd64_v1.8.0.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: AgileBits Inc. (2BUA8C4S2C)

The two above commands were suggested by this article. Should the 1Password doc linked at the beginning of this post be updated to reflect the change in the macOS installer UI and the need to rely on command line tools to authenticate the installer package? Or are the new requirements for app and installer signing in Big Sur sufficient such that users need not perform manual authentication? If the latter, should the doc be revised to specify macOS versions prior to Big Sur?


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: 11.2.3
Sync Type: Not Provided

Comments

  • ag_yaron
    ag_yaron
    1Password Alumni

    Hey @nbuuck ,
    Thanks for reporting this.

    We're aware of an issue with the package signature in Big Sur and are already working on a fix. Hopefully this will be fixed in the next CLI version update release.

This discussion has been closed.