Arch Linux User Repository

As of the 2.24.0-2 release, Zsh shell completion is no longer provided by the package to mirror the official packages. Users that wish to use shell completion can add a line to their shell's dotfile.

See the official docs for instructions specific to your shell: https://developer.1password.com/docs/cli/reference/commands/completion/

It is recommended to verify the authenticity of the binary by using Agilebits's PGP code signing key. Their public key ID is published in the install documentation. Agilebits recently renewed their PGP key; if GPG reports the key has expired, simply run the receive command again and trust as you see fit.

gpg --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22

@chrko - strange that you're running into that. Albeit a historical feature, gpg may assume the first argument to --verify is a detatched signature, then it will try to assume the signed data by stripping some suffixes from the first argument to --verify (--verify-files is just shorthand for --multifile --verify).

example, gpg assuming signed data:

$ gpg --verify-files src/op.sig

gpg: assuming signed data in 'src/op'
gpg: Signature made Tue 19 Aug 2025 11:22:08 AM PDT
...

Going through the gpg man page: it heavily discourages relying on that historical feature and to explicitly specify the signed data, it mentions --multifile may not be used to verify detached signatures, and plainly, there isn't a reason to use --multifile when there's only one signature to verify.

I'm in agreement that it probably should be changed to gpg --verify ${srcdir}/op.sig ${srcdir}/op. 2.32.0-2 will be released shortly with this change; please let me know if there are further issues.

Since quite a while I have trouble with verify the GPG signature as done in the PKGBUILD:

gpg --verify-files src/op.sig

gpg: no signed data
gpg: can't hash datafile: No data

instead I have to do the following

gpg --verify src/op.sig src/op

gpg: Signature made 2025-08-19T20:22:08 CEST
gpg:                using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: Good signature from "Code signing for 1Password <codesign@1password.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3FEF 9748 469A DBE1 5DA7  CA80 AC2D 6274 2012 EA22

Can we change the approach in the PKGBUILD?

@slurpee Great, thanks for explaining.

@jacek2v - that's the expected output and the warning is benign.

"Good signature from" indicates the signature on the file matches the public key you're verifying against and you can trust the archive as being from Agilebits.

The warning is because you haven't signed ("certified") Agilebits's public key with your own private key (or a key you trust in your web of trust - "a trusted signature"). If you don't intend to use PGP other than validating the signature on files, you can safely ignore the warning and continue with installation.

gpg: assuming signed data in '/home/jacek/.cache/yay/1password-cli/src/op'
gpg: Signature made śro, 28 maj 2025, 12:15:49 CEST
gpg:                using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: Good signature from "Code signing for 1Password <codesign@1password.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3FEF 9748 469A DBE1 5DA7  CA80 AC2D 6274 2012 EA22

any tips on what to do with this?

Appreciate the report. I've opted to stop installing completion, letting the user add it to their shell's dotfile, if they wish. The 2.24.0-2 release removes the previously provided file, /usr/share/zsh/site-functions/_op.

The 1P documentation has users set up their dotfile and the official packages do not ship completion either. IMO, it's good to have parity with the official package when possible.

Detailed instructions on setting up completion can be found in the 1P docs: https://developer.1password.com/docs/cli/reference/commands/completion/

Building the pkg is stuck with the following message: Would you like to turn on the 1Password app integration? This allows you to sign in to 1Password CLI using the 1Password app. [Y/n]. No matter what is answered, the process wont finish.

Looking at the fopens during the process it turned out to be a check if ~/.config/op/config exists (with a minimal config) during the execution of "${pkgdir}"/usr/bin/op completion zsh > "${pkgdir}"/usr/share/zsh/site-functions/_op. If the file exists build passes without any user interaction.

Providing a dummy config via --config helps to avoid the user interaction on build.

Minimal config:

{
    "latest_signin": "",
    "device": "",
    "accounts": null,
    "dismissed_system_auth_prompt": true
}

@0BAD-C0DE Add Agilebits's PGP key reference

curl -sS https://downloads.1password.com/linux/keys/1password.asc | gpg --import

Latest version fails to check signature. Any hint?

gpg: Signature made mar 24 ott 2023, 19:13:13 CEST
gpg:                using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: Can't check signature: No public key
==> ERROR: A failure occurred in check().
    Aborting...
error: failed to build '1password-cli-2.22.0-1': 
error: packages failed to build: 1password-cli-2.22.0-1

Line 35, should be install -dm755 not install -d 755