Support open source creators by offering an alternative signing route
I am a user of the Librewolf browser, which, very fairly, doesn't want to pay Apple $99 to write software for the platform. As such they don't offer a signed binary. This means that you can't add it to 1password as a trusted browser (seemingly making the feature pretty useless but I understand the security concern).
Will you consider offering an alternative signing route, this would allow you to bring the same functionality for Linux users as well, who currently don't benefit from this additional security. Another approach might be offering to fund apple developer licenses for popular software, though this feels like it may be more work than creating a CA.
There is also the ethical consideration that the current state unfairly disadvantages open source developers, which are the foundation of the open web. As you state in your public library list "It's fair to say that 1Password wouldn't exist without the open source community, so we want to give back and help teams be more productive and secure. "
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
Comments
-
Hello @bluedust5410! 👋
Thanks for reaching out. On macOS, the 1Password app verifies the browser’s code signature for authentication when it establishes the connection between the app and the browser extension. This authentication is designed to make it difficult for other applications and malware to intercept the account information and encryption keys that are passed through the connection. Without this authentication process, 1Password is unable to verify the app that is trying to communicate with it.
To support authentication, 1Password leverages the native security technologies that exist on the macOS platform. You can read more here:
- Notarizing macOS software before distribution | Apple Developer Documentation
- Code Signing Services | Apple Developer Documentation
I recommend reaching out to Apple regarding your feedback for how the code signing and notarization process works on macOS.
Will you consider offering an alternative signing route
Can you clarify this a little further? Are you suggesting that 1Password setup a certificate authority of some sort? Or is there an alternate signing solution that already exists that you would like to see 1Password implement in the desktop app?
-Dave
0 -
I am suggesting you create a route to get open source applications that can't afford $99 to spend on a apple developer license to work with 1password's connect to browser functionality. I am intentionally trying to leave have how you do that open.
1password in the browser is a pretty terrible experience without the connection to the app.
How most of these work is just PK encryption, and the authority maintains a CA in that case, however that was just an example. Another approach might be that people making open source browsers just submit a hash to you of the build and you check that the binary matches that has before running it, obviously as a technical approach that's a lot more of a pain than using PK encryption. There are lots of options here, and I as someone external to your company can't really recommend which would work for you. This is not a novel and interesting problem, it is well solved.
I want to point out that you do not have to use Apples notarization process to authenticate browsers, you could have chosen a method that does not disadvantage those who are less well off. They didn't make you do this, unless there is something going on here that I have missed.
0 -
Thank you for the feedback. While I can't make any promises, I've shared your comments and requests with the appropriate teams internally. I appreciate you taking the time to write in with your suggestions. 🙂
-Dave
ref: PB-40964322
0
