Is there a way to verify 1Password.pkg files downloaded from the site?

westleyargentum
Community Member

I would like to check the sha of the .pkg I downloaded vs one published by agilebits.

Short of that, I would trust a download coming from the Mac App Store, but –even though I have an account– there doesn't seem to be a way to download from the App Store without paying ~$70.


1Password Version: 6.5.2
Extension Version: Not Provided
OS Version: osx 10.11.6
Sync Type: Not Provided
Referrer: forum-search:verify pkg

Comments

  • AGAlumB
    1Password Alumni

    @westleyargentum: Thanks for reaching out. Great question! In fact, you can have the best of both worlds without having to pay for the Mac App Store version or wait for app review. One of the reasons we switched to a PKG installer with the introduction of Sierra is that there are more strict security measures in place, and Apple recommends that developers who distribute outside the App Store supply apps this way since Gatekeeper can then check the signature when opening them, to verify that they are legitimate. If you click the "padlock" icon in the installer, you'll find a few important details:

    The 1Password installer is signed using our developer ID, which is signed by Apple, which is also built into the OS itself (the same process employed by the App Store). So the cool thing is you get the actual chain of trust, rather than having to compare a hash yourself (which you'd have to get from somewhere else). And the signature will be invalidated if the file was tampered with in any way, giving the same benefit with much less hassle. I hope this helps. Be sure to let me know if you have any other questions! :)
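
The signature check described in the answer above can also be run from Terminal with `pkgutil --check-signature` and `spctl`. The script below is an added example, not part of the original thread and not AgileBits' own code; the signer name you pass in, the constructed sample output and the accepted status wordings are assumptions to confirm on your own system.

```shell
# Parse `pkgutil --check-signature` output read from stdin.
# Passes only if the chain validated AND the leaf certificate (entry "1.")
# is a Developer ID Installer certificate for the expected signer ($1).
signature_ok() {
    expected="$1"
    out=$(cat)
    # Status wording varies by macOS release; these patterns are assumptions.
    printf '%s\n' "$out" | grep -Eq \
        'Status: signed by a (developer certificate issued by Apple|certificate trusted by (Mac OS X|macOS))' \
        || return 1
    leaf=$(printf '%s\n' "$out" | sed -n 's/^ *1\. *//p' | head -n 1)
    case "$leaf" in
        "Developer ID Installer: $expected ("*) return 0 ;;
        *) return 1 ;;
    esac
}

# On macOS: check the signature chain and signer, then Gatekeeper's verdict.
verify_pkg() {
    pkg="$1"; expected="$2"
    pkgutil --check-signature "$pkg" | signature_ok "$expected" || return 1
    spctl --assess --type install "$pkg"
}

# Constructed sample output (fingerprint lines omitted; names are placeholders).
sample_valid() {
cat <<'EOF'
Package "Example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Vendor Inc. (TEAMID0000)
    2. Developer ID Certification Authority
    3. Apple Root CA
EOF
}

sample_unsigned() {
cat <<'EOF'
Package "Example.pkg":
   Status: no signature
EOF
}

# Usage on macOS: sh verify_pkg.sh 1Password.pkg "<signer name confirmed with the vendor>"
if [ "$#" -eq 2 ]; then
    verify_pkg "$1" "$2" && echo "signature OK" || echo "signature check FAILED"
fi
```

Comparing the signer name matters because a package signed with someone else's Developer ID still carries a valid Apple-issued signature; the script rejects it unless the leaf certificate names the publisher you expect.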

This discussion has been closed.