Request for more technical release information

PaidUser0011
Community Member

Hi 1Password team,

I was wondering if there is a changelog of all application releases with SHA256 signatures?

The claim is that a public list of known releases helps with tracking signed binaries in the wild.

I was a little worried when I downloaded the 1Password installer as the website is using Let's Encrypt.

I've also noticed the Let's Encrypt CAA record for 1Password is not using the Let's Encrypt CAA accounturi flag, which would further lock things down.

dig @ns-671.awsdns-19.net. 1password.com. CAA
Answer
1password.com. 300 CAA 0 iodef "mailto:alerts+caa@agilebits.com"
1password.com. 300 CAA 0 issue "amazon.com"
1password.com. 300 CAA 0 issue "globalsign.com"
1password.com. 300 CAA 0 issue "letsencrypt.org"
1password.com. 300 CAA 0 issue "sectigo.com"
Authority
1password.com. 300 NS ns-109.awsdns-13.com.
1password.com. 300 NS ns-1527.awsdns-62.org.
1password.com. 300 NS ns-1850.awsdns-39.co.uk.
1password.com. 300 NS ns-671.awsdns-19.net.

At the end of the day, I did use codesign to verify the final installed application:
codesign -dv --verbose=4 /Applications/1Password.app

CandidateCDHashFull sha256=7a8be5b90a8e74261ea741632b1d1d8972616b6016257b27b54002a631378a33
Authority=Developer ID Application: AgileBits Inc. (2BUA8C4S2C)

Reason for installing:
Touch ID stopped working on macOS (Sonoma 14.5 (23F79)) for some reason
Restart didn't help
But reinstall worked


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided
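
The CAA observation in the post above, as an added example that is not part of the original thread: a Python sketch that parses the dig answer quoted there and lists the CAs authorised without an RFC 8657 `accounturi` parameter. The hardened record's zone name and account id are constructed placeholders.

```python
import re

# CAA records exactly as shown in the dig answer quoted in the post.
PAGE_ANSWER = '''\
1password.com. 300 CAA 0 iodef "mailto:alerts+caa@agilebits.com"
1password.com. 300 CAA 0 issue "amazon.com"
1password.com. 300 CAA 0 issue "globalsign.com"
1password.com. 300 CAA 0 issue "letsencrypt.org"
1password.com. 300 CAA 0 issue "sectigo.com"
'''

# Constructed hardened record; zone name and account id are placeholders.
HARDENED = ('example.test. 300 CAA 0 issue "letsencrypt.org; '
            'accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/0000000"\n')

CAA_LINE = re.compile(r'^(\S+)\s+\d+\s+(?:IN\s+)?CAA\s+(\d+)\s+(\w+)\s+"(.*)"\s*$')

def parse_caa(text):
    """Parse dig-style CAA lines into dicts; issue/issuewild values are split
    into the issuer domain and its parameters (RFC 8659 section 4.2)."""
    records = []
    for line in text.splitlines():
        m = CAA_LINE.match(line.strip())
        if not m:
            continue  # section headers, NS lines, anything that is not CAA
        name, flags, tag, value = m.groups()
        rec = {"name": name, "flags": int(flags), "tag": tag.lower(), "value": value}
        if rec["tag"] in ("issue", "issuewild"):
            issuer, *params = [p.strip() for p in value.split(";")]
            rec["issuer"] = issuer.lower()
            rec["params"] = dict(p.split("=", 1) for p in params if "=" in p)
        records.append(rec)
    return records

def issuers_without_account_binding(records):
    """Issuers authorised without an RFC 8657 accounturi parameter, so the
    record does not restrict issuance to one specific account at that CA."""
    return sorted({r["issuer"] for r in records
                   if r["tag"] in ("issue", "issuewild")
                   and r["issuer"] and "accounturi" not in r["params"]})

if __name__ == "__main__":
    for label, zone in (("page", PAGE_ANSWER), ("hardened", HARDENED)):
        print(label, issuers_without_account_binding(parse_caa(zone)))
```

An empty issuer (`issue ";"`, meaning no CA may issue) is deliberately not reported, since there is no account to bind.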

Comments

  • Hello @PaidUser0011! 👋

    Thank you for reaching out. You can download 1Password for Mac from our website here: https://1password.com/downloads

    The installer will automatically download and install the appropriate build for your system of the latest version of 1Password. I don't recommend that you install 1Password from any other source. You can verify the authenticity of 1Password using this guide: How to verify the authenticity of the 1Password app

    The 1Password 8 installer is digitally signed and the macOS Gatekeeper security feature will only allow you to install 1Password 8 once it verifies that the app's digital signature is genuine and intact: App code signing process in macOS - Apple Support (CA)

    > The claim is that a public list of known releases helps with tracking signed binaries in the wild.

    Can you tell me a little more about your specific concern regarding the 1Password website and what you mean by "signed binaries in the wild"?

    I look forward to hearing from you.

    -Dave

  • PaidUser0011
    Community Member
    edited August 19

    Hi Dave,

    Thanks for the reply.

    Regarding
    "signed binaries in the wild"?

    Having a list of signed binaries (specifically their sha256 checksums or equivalent) helps with zero trust auditing, especially for when things go wrong.

    The security community can independently verify all production binaries of 1Password that have ever been released and detect "special builds" that aren't supposed to be released.

    It is a statement an entity says to everyone - this is the only checksum for this version / architecture of 1Password, if you see any other checksum - send it to us so we can track down where it came from.

  • @PaidUser0011

    Are you able to provide an example of another service that does this? If you can link to their webpage then I could share that example with the team.

    > It is a statement an entity says to everyone - this is the only checksum for this version / architecture of 1Password, if you see any other checksum - send it to us so we can track down where it came from.

    As mentioned, 1Password for Mac is already code-signed and notarized. As long as a user hasn't disabled the Gatekeeper feature then they won't be able to run an unauthorized build of 1Password without dismissing the warning from Gatekeeper.

    -Dave

  • PaidUser0011
    Community Member

    @Dave_1P

    Absolutely! I'm glad you got back to me.

    Here is the requested example from KeePass, an experienced industry leader in password management (2003), 21 years and still going strong!

    In this case KeePass declares to the community traceable versions for each architecture-version pairing.

    This is because while signatures help verify source (such as Mac Gatekeeper), hash declarations such as SHA-256 enable zero-trust traceability.

    https://keepass.info/integrity.html

    KeePass-2.57-Setup.exe:
    MD5: 4C1CAFC2 B3A38020 8548620A 3D53DBBA
    SHA-1: A4C6AE22 0ECC6B90 7E562008 09EDAB3B CDC38B30
    SHA-256: EA53F7F9 44FADA95 0CD7BB15 4DEB0781 23A357B7 BC5E2484 851762B3 552EB48B
    Size: 4399360 B
    Sig.: [OpenPGP ASC]

    KeePass-2.56-Setup.exe:
    MD5: 86A0D58D 2AE89C63 9D940DBD A48308DF
    SHA-1: 1280F427 D149A8C5 CA797A9E A29E711A 3FA2B5EF
    SHA-256: 92529DC0 E6449ECA 21688601 02045550 54628192 17B8E8D5 1F6E7B1D D05A69EF
    Size: 4398304 B
    Sig.: [OpenPGP ASC]
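
How a listing in the format quoted above supports the traceability argument made in this thread, as an added example that is not part of the original posts or KeePass's own tooling: a Python sketch that parses the grouped-hex entries and classifies a binary as listed, mismatching, or unlisted. The `Demo-…` file names and bytes are constructed stand-ins for a real installer.

```python
import hashlib
import re

# One entry copied from the listing quoted in the post (SHA-256 and size only).
LISTING = """\
KeePass-2.57-Setup.exe:
SHA-256: EA53F7F9 44FADA95 0CD7BB15 4DEB0781 23A357B7 BC5E2484 851762B3 552EB48B
Size: 4399360 B
"""

def parse_listing(text):
    """Return {filename: {"sha256": lowercase hex, "size": int}}."""
    manifest, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and " " not in line:      # "Name.exe:" starts an entry
            current = manifest.setdefault(line[:-1], {})
        elif current is not None and line.startswith("SHA-256:"):
            digest = re.sub(r"\s+", "", line.split(":", 1)[1]).lower()
            if not re.fullmatch(r"[0-9a-f]{64}", digest):
                raise ValueError(f"malformed SHA-256 line: {line!r}")
            current["sha256"] = digest
        elif current is not None and line.startswith("Size:"):
            current["size"] = int(line.split(":", 1)[1].split()[0])
    return manifest

def classify(name, data, manifest):
    """'listed' = bytes match the published entry; 'mismatch' = name is
    published but hash or size differs; 'unlisted' = name never published."""
    entry = manifest.get(name)
    if entry is None or "sha256" not in entry:
        return "unlisted"
    ok = (hashlib.sha256(data).hexdigest() == entry["sha256"]
          and entry.get("size", len(data)) == len(data))
    return "listed" if ok else "mismatch"

def format_entry(name, data):
    """Render constructed bytes in the same listing format (demo helper)."""
    h = hashlib.sha256(data).hexdigest().upper()
    groups = " ".join(h[i:i + 8] for i in range(0, 64, 8))
    return f"{name}:\nSHA-256: {groups}\nSize: {len(data)} B\n"

if __name__ == "__main__":
    good = b"constructed stand-in for an installer"
    m = parse_listing(LISTING + "\n" + format_entry("Demo-1.0-Setup.bin", good))
    for name, blob in (("Demo-1.0-Setup.bin", good), ("Demo-1.0-Setup.bin", good + b"!")):
        print(name, classify(name, blob, m))
```

A "mismatch" result is the case the thread describes: a binary carrying a published name and version whose checksum is not the one the vendor declared.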

  • PaidUser0011
    Community Member

    @Dave_1P Can you also please raise a gentle warning from me as a member of the development community?

    https://www.reddit.com/r/apple/comments/1enep0a/comment/lh5q0jz

    We as developers expect the utmost trust in accountability and transparency regarding security products. It is disgraceful to hear that the team, for possibly accidental reasons, released patch notes with missing CVE information. Do not hide anything regarding the security of your product.

    To this regard, I would suggest adding SHA256 sums to all signed binaries for more transparency.