CLI Binaries changed without notice? (signature still OK though)

Claudi
Claudi
Community Member

Dear 1Password CLI team,

I’m a co-maintainer for the 1password-cli package for 1Password CLI Beta on the Arch User Repository (AUR). Earlier today, a user of the AUR package has informed me that the 0.4.1 release packages for Linux on AgileBit’s site have changed since build #v41001 was released on 2018-05-10. I was able to confirm this.

The original checksums of the 0.4.1 Linux releases, as recorded by myself on 2018-05-15, were:

sha256sums_x86_64=('997676a84931b0206e9dcbb387bd58610d53272a961bc7f955c23debf8f7e474')                                 
sha256sums_i686=('334a5370f134bc904507d6142903d74c43fa240f70f28ad978bbc81cf6f36fd5')                                   
sha256sums_arm=('eded6146a8520dacee803c3b878a16694c5a95df6db4dea1ff2a017b4468d3f8')                                    

As of 2018-06-03, the current checksums for the 0.4.1 Linux releases are:

sha256sums_x86_64=('22113980776ed26a0805e6d941fd7bb0a0f394cd0154c23f0de841a1caf68de9')                                 
sha256sums_i686=('d136d890f97351c050c9af3322aeb2b41a19e4983d5721cb7738e24464ba43fb')                                   
sha256sums_arm=('c7a712a25e0c67319c7f6181b4da4feee0028af6cd2100c1cf6a00f75fac6d7e')                                    

Per good practice, the AUR package rely mainly on the GPG signature by AgileBits; only as an additional safety net does it check the SHA signatures of the downloaded binaries. The modified binaries are indeed signed by AgileBits, and the signatures are perfectly good. While I assume they are therefore probably 100 % safe to use, I was unable to find any accompanying release note, blog article, or bump of version number and date, which I personally feel is barely unusual enough to make me feel a little uneasy. It also has never happened before since I’ve started checking SHAs for all of AgileBits’s binary releases.

To that end, despite the perfectly good signature, allow me to ask just for good measure and reassurance:

  1. Have AgileBits deliberately changed the Linux 0.4.1 release packages without at the same time bumping the build number?
  2. Are such changes to be expected regularly from now on without accompanying bump of build numbers?

Important clarification for other readers: The 1password-cli package is a community effort; it has no connection to AgileBits or the 1Password organization, and is not supported nor endorsed by either.

Thanks in advance and kind regards,
Claudia


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Arch Linux
Sync Type: Not Provided

Comments

  • cohix
    cohix
    1Password Alumni

    @Claudi Thanks for pointing this out to us. This was not intentional, at least not by me (I generally perform the builds for the CLI), so I will check in with our ops team and see what could have caused this. I will reply back here when I've figured it out.

    Thanks!

  • cohix
    cohix
    1Password Alumni

    @Claudi Alright, I've checked in; turns out our build servers went through some upgrades and re-configuration last week, and as such all our binaries got rebuilt automatically. So this won't normally happen, but it is possible. The build server handles signing, so that's why the signatures still check out :)

    I'll try to post in the forum if this happens in the future.

  • Claudi
    Claudi
    Community Member

    @cohix Thanks for your response; that really helped! Also, that reassuring feeling ;)

  • cohix
    cohix
    1Password Alumni

    Any time :)

This discussion has been closed.