Arch Linux User Repository

Due to a file conflict in the bash-completion package bash completion is not installed automatically; the upstream op completion has been deprecated in favor of the completion generated by op, but a new release has not been cut containing the fix. In the meantime, bash users seeking command completion should add the following to their .bashrc:

source <(op completion bash)

It is recommended to verify the authenticity of the binary by using Agilebits's PGP code signing key. Their public key ID is published in the install documentation.

gpg --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22

Could you please include shell completion files in the package ? eg: op completion zsh > ${pkgdir}/usr/share/zsh/site-functions/_op

See https://developer.1password.com/docs/cli/reference/commands/completion

Hi slurpee,

Thanks for the quick fix and the description. The 2.0.0-4 update is working fine for me.

I had the 9xx onepassword-cli group from 2.0.0-3. I deleted it before updating as you suggested. During the Pacman update, it said: groupadd: group 'onepassword-cli' already exists. But I’m not worrying about that because everything seems to work now.

Now my system has both the 1password and 1password-cli groups with proper gids > 1000. Thanks again for the heads up.

Due to a file conflict in the bash-completion package bash completion is not installed automatically; the upstream op completion has been deprecated in favor of the completion generated by op, but a new release has not been cut containing the fix. In the meantime, bash users seeking command completion should add the following to their .bashrc:

source <(op completion bash)

It is recommended to verify the authenticity of the binary by using Agilebits's PGP code signing key. Their public key ID is published in the install documentation.

gpg --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22

Hello all, apologies for the issues. I've narrowed down a fix and will be pushing momentarily. The 1password-cli group was being created via systemd-sysusers which probably automatically gave it a gid below 1000; the op binary was also given the setgid bit, as detailed in the Getting Started doc.

After some tests, I found that the binary was not executing as the 1password-cli group, but as my user's group. I then bumped the gid of 1password-cli over 1000 and I see the op binary running as the 1password-cli group and I'm now getting Polkit prompts as expected.

I'm not sure why this happened, but as a fix, I've swapped out 1password-cli.sysusers for a groupadd in the .install, which will create a group with a gid over 1000

Please see the new pinned comments which will detail upgrade instructions if you were affected.

Hi @slurpee, thank for your work here

I got this error whenever I tried to use cli v2 with desktop integration

connecting to desktop app: read: connection reset, make sure the CLI is correctly installed and CLI Biometric Unlock is enabled in the 1Password app

Do you happen to know how to fix this?

Hey @chrishoage - now handled via the PKGBUILD, thanks!

@slurpee it appears the new CLI requires a group if it is to talk to the 1Password desktop app.

Please see https://developer.1password.com/docs/cli/get-started#requirements under "Linux"

Specifically the op binary must be owned by the onepassword-cli group along with chmod g+s run on the binary.

I've manually done this in order to get the op cli to talk to 1Password desktop, however it would be nice if this was handled in the pkgbuild!

Thank you!

@chrishoage, updated - appreciate it!

1password has released version 2 of the CLI, now tracked here: https://app-updates.agilebits.com/product_history/CLI2

1.11.4 was released a few days ago (https://app-updates.agilebits.com/product_history/CLI#v1110401). Any chance of an update?

Thanks.

The GPG signing key is also referenced here: https://support.1password.com/command-line-getting-started/

Might be a better page to reference. Looks more official than a forum post.

This can be built for aarch64 as well using the same source for arm.

The 0.6.1 version has been release yesterday. Is there any chance to update the package ?

@kurtmc Done. Thanks for the heads up.

@Auerhuhn any chance of updating the version (to 0.5.6-003) and checksums?

Thanks @myveo for the heads up. I’ve reached out to Connor from AgileBits [1]. I will update the package once they confirm that the change is legit.

[1] https://discussions.agilebits.com/discussion/comment/503735/#Comment_503735

Looks like cheksums are outdated. At least the checksum for the amd64 archive (i.e. op_linux_amd64_v0.5.5.zip) should be 5ddc73a573f008758d1765169cc4f28371742231cb6aadad6ebd9620f229ccb4.

Thanks @ddnomad for your suggestion.

You can configure GnuPG to auto-import public keys if that’s what you want. To do that, add a line to ~/.gnupg/gpg.conf that says: keyserver-options auto-key-retrieve. I wouldn’t recommend this though.

As a more secure alternative, I’d encourage everyone to import 1Password’s public key. I have added a pinned comment to explain how. Thanks again for the pointer!

You may want to first import 1Password’s PGP code signing key:

gpg --recv-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22

To confirm the key is legit, see this comment by 1Password’s Jeffrey Goldberg:

https://discussions.agilebits.com/discussion/comment/420654/#Comment_420654

gpg: Can't check signature: No public key

Not sure I should import the key manually. IMO the pkgbuild should handle this.

The check() step of the PKGBUILD gives an error if you haven't set GPG up. Removing it from PKGBUILD seems to have worked.

According to AgileBits [1] the modification is legit. I have now updated the signatures and bumped the package to v0.4.1, pkgrel 2. See commit message for full details.

Thanks again @chopps for reporting!

[1] https://discussions.agilebits.com/discussion/comment/438011/#Comment_438011

@chopps Thanks for giving notice. I can confirm the SHAs of all three editions have changed ( not only amd64), and this definitely was not the case two weeks ago. This means someone may have changed the binaries on AgileBit’s server without bumping either of version number, build number, and release date.

Generally, this can be indicative of a compromised download. I recommend to always keep that in mind before you install anything that shows a checksum error. In this particular case though, the changed binaries are still signed by AgileBits, and my GPG says the signature is 100 % OK. Therefore I feel the package to be probably safe to use.

With all that said, I have reached out [1] to AgileBits and will wait for their response before I update the signatures in the PKGBUILD.

[1] https://discussions.agilebits.com/discussion/91299/cli-binaries-changed-without-notice-signature-still-ok-though

I'm getting a validation failure on the amd64 zip. I downloaded and checked the signature (and did a bit more work to actually trust the signature by finding a picture of the business card of the signer showing the fingerprint), and my zip file appears valid. My sha256sum for it is different from this PKGBUILD.

Bumped to v0.4.1. Thanks @dmeijboom for the heads up!

Thanks @betsu and @mattikus! Updated.

@Sh4rk I just update the package to v0.4.

--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Felix Seidel <felix@seidel.me>

 pkgname=1password-cli
-pkgver=0.3
+pkgver=0.4
 pkgrel=1
 pkgdesc="1Password command line tool"
 arch=('x86_64' 'i686' 'arm')
@@ -13,11 +13,12 @@ source_x86_64=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_amd
 source_i686=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_386_v$pkgver.zip")
 source_arm=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_arm_v$pkgver.zip")

-sha256sums_x86_64=('0e2416b56b00fdd7f970365ed8a7e2b6e38f5c5d2c94c1fd68a980bcfee1529a')
-sha256sums_i686=('598f767b3e914f137cb0e8a0acac1ad72625ad011aa9d6a2d1bf45216a6e8c97')
-sha256sums_arm=('c0f2e59e536685bd5c8b8ca70a4fd8bd4becef7eee93b8d733276066e37b8cb2')
+sha256sums_x86_64=('421ca41fa376a6a6bc8e314c83959872e4658c5fbd3a20c0bf83a50922326b0b')
+sha256sums_i686=('e0ac90259ec0e49b517ca2afd3122523553c98f186af2f1fa0dfa18a989f3d43')
+sha256sums_arm=('0c32633587325e3874c19ba5e6e658eb1ba8b3354c15c3c9da3f9d9ef849d8ca')

 check() {
+  gpg --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
   gpg --verify-files ${srcdir}/op.sig
 }

@Sh4rk You’re welcome, and thanks for applying the patch!

@Auerhuhn thanks for the patch and sorry for the delay! You're a co-maintainer now. :)

@Sh4rk Would you mind updating the package, or perhaps adding me as a co-maintainer?

This package really needs updating; v0.1.1 doesn’t even work anymore against the current API. I’ve prepared a patch; feel free to use it:

--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Felix Seidel <felix@seidel.me>

 pkgname=1password-cli
-pkgver=0.1.1
+pkgver=0.2.1
 pkgrel=1
 pkgdesc="1Password command line tool"
 arch=('x86_64' 'i686' 'arm')
@@ -13,9 +13,9 @@ source_x86_64=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_amd
 source_i686=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_386_v$pkgver.zip")
 source_arm=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_arm_v$pkgver.zip")

-sha256sums_x86_64=('6dc01dce5138f5ec8c6d6853fb22d02cfe1c0b0178f02754278d4dcac11f038b')
-sha256sums_i686=('b0edd3b2125e9bab79c7371b00f3356b37a073c65a9ca72c7b7984700e20a881')
-sha256sums_arm=('83aee44c19db20404d18bf2f1ce466294865b1f7a4f0e48bc0f925dc3dd3499d')
+sha256sums_x86_64=('3ba640545e32c94775534dfc8bf036398ad573d0f001492e7f1818e77d183b73')
+sha256sums_i686=('71fd9885d28346384dd7833552d7e0f149da0cbe774ad927ffceea8985a7dff0')
+sha256sums_arm=('b7cd9c03638ac2369db3b8f95cb2959642b219ed7938f6583561a6c5fc697c3d')

 check() {
   gpg --verify-files ${srcdir}/op.sig