Package Details: 1password-cli 0.5.4-1

Git Clone URL: https://aur.archlinux.org/1password-cli.git (read-only)
Package Base: 1password-cli
Description: 1Password command line tool
Upstream URL: https://app-updates.agilebits.com/product_history/CLI
Licenses: custom
Submitter: Sh4rk
Maintainer: Sh4rk (Auerhuhn)
Last Packager: Auerhuhn
Votes: 5
Popularity: 0.210213
First Submitted: 2017-09-07 18:54
Last Updated: 2018-10-09 05:57

Pinned Comments

Auerhuhn commented on 2018-07-01 15:53

You may want to first import 1Password’s PGP code signing key:

gpg --recv-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22

To confirm the key is legit, see this comment by 1Password’s Jeffrey Goldberg:

https://discussions.agilebits.com/discussion/comment/420654/#Comment_420654

Latest Comments

Auerhuhn commented on 2018-07-01 15:54

Thanks @ddnomad for your suggestion.

You can configure GnuPG to auto-import public keys if that’s what you want. To do that, add a line to ~/.gnupg/gpg.conf that says: keyserver-options auto-key-retrieve. I wouldn’t recommend this though.

As a more secure alternative, I’d encourage everyone to import 1Password’s public key. I have added a pinned comment to explain how. Thanks again for the pointer!

ddnomad commented on 2018-07-01 13:59

gpg: Can't check signature: No public key

Not sure I should import the key manually. IMO the pkgbuild should handle this.

mprom commented on 2018-06-15 11:13

The check() step of the PKGBUILD gives an error if you haven't set GPG up. Removing it from PKGBUILD seems to have worked.

Auerhuhn commented on 2018-06-04 15:27

According to AgileBits [1] the modification is legit. I have now updated the signatures and bumped the package to v0.4.1, pkgrel 2. See commit message for full details.

Thanks again @chopps for reporting!

[1] https://discussions.agilebits.com/discussion/comment/438011/#Comment_438011

Auerhuhn commented on 2018-06-03 14:34

@chopps Thanks for giving notice. I can confirm the SHAs of all three editions have changed (not only amd64), and this definitely was not the case two weeks ago. This means someone may have changed the binaries on AgileBits’ server without bumping any of version number, build number, or release date.

Generally, this can be indicative of a compromised download. I recommend always keeping that in mind before you install anything that shows a checksum error. In this particular case though, the changed binaries are still signed by AgileBits, and my GPG says the signature is 100 % OK. Therefore I feel the package is probably safe to use.

With all that said, I have reached out [1] to AgileBits and will wait for their response before I update the signatures in the PKGBUILD.

[1] https://discussions.agilebits.com/discussion/91299/cli-binaries-changed-without-notice-signature-still-ok-though
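
Added example, not part of the PKGBUILD or of any comment in this thread: a shell function that decides from gpg's --status-fd output whether a signature is good and was made by the pinned key, rather than by any key that happens to be in the keyring. The function names, the second fingerprint and the sample status lines are constructed; the pinned fingerprint is the one from the pinned comment.

```shell
#!/bin/sh
# Added example. Pipe real output in with:
#   gpg --status-fd 1 --verify op.sig 2>/dev/null | sig_from_pinned_key "$PIN"
PIN=3FEF9748469ADBE15DA7CA80AC2D62742012EA22   # fingerprint from the pinned comment
OTHER=0123456789ABCDEF0123456789ABCDEF01234567 # constructed, stands for any other key

# Exit 0 only if stdin holds a GOODSIG line, no failure status, and a VALIDSIG
# line naming $1 as the signing key (field 3) or its primary key (field 12).
sig_from_pinned_key() {
    awk -v pin="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == toupper(pin) || toupper($12) == toupper(pin)) { pinned = 1 }
        END { exit !(good && !bad && pinned) }
    '
}

# Constructed status lines in the layout gpg writes to --status-fd.
status_for() {   # $1 = status keyword, $2 = fingerprint of the signer
    keyid=$(printf '%s' "$2" | cut -c25-40)
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] %s %s Constructed Signer <signer@example.invalid>\n' "$1" "$keyid"
    printf '[GNUPG:] VALIDSIG %s 2018-06-01 1527811200 0 4 0 1 8 00 %s\n' "$2" "$2"
}

sample_pinned()      { status_for GOODSIG   "$PIN"; }    # good signature, pinned key
sample_other_key()   { status_for GOODSIG   "$OTHER"; }  # good signature, some other key
sample_expired_key() { status_for EXPKEYSIG "$PIN"; }    # pinned key, reported as expired

for s in sample_pinned sample_other_key sample_expired_key; do
    if "$s" | sig_from_pinned_key "$PIN"; then echo "$s: accept"; else echo "$s: reject"; fi
done
```

A plain exit-status check of gpg --verify would accept the second sample as well, because gpg reports success for a good signature from any key it can find in the keyring.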

chopps commented on 2018-06-03 13:50

I'm getting a validation failure on the amd64 zip. I downloaded and checked the signature (and did a bit more work to actually trust the signature by finding a picture of the business card of the signer showing the fingerprint), and my zip file appears valid. My sha256sum for it is different from this PKGBUILD.

Auerhuhn commented on 2018-05-15 15:51

Bumped to v0.4.1. Thanks @dmeijboom for the heads up!

Auerhuhn commented on 2018-04-11 18:59

Thanks @betsu and @mattikus! Updated.

betsu commented on 2018-04-11 13:44

@Sh4rk I just updated the package to v0.4.

--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Felix Seidel <felix@seidel.me>

 pkgname=1password-cli
-pkgver=0.3
+pkgver=0.4
 pkgrel=1
 pkgdesc="1Password command line tool"
 arch=('x86_64' 'i686' 'arm')
@@ -13,11 +13,12 @@ source_x86_64=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_amd
 source_i686=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_386_v$pkgver.zip")
 source_arm=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_arm_v$pkgver.zip")

-sha256sums_x86_64=('0e2416b56b00fdd7f970365ed8a7e2b6e38f5c5d2c94c1fd68a980bcfee1529a')
-sha256sums_i686=('598f767b3e914f137cb0e8a0acac1ad72625ad011aa9d6a2d1bf45216a6e8c97')
-sha256sums_arm=('c0f2e59e536685bd5c8b8ca70a4fd8bd4becef7eee93b8d733276066e37b8cb2')
+sha256sums_x86_64=('421ca41fa376a6a6bc8e314c83959872e4658c5fbd3a20c0bf83a50922326b0b')
+sha256sums_i686=('e0ac90259ec0e49b517ca2afd3122523553c98f186af2f1fa0dfa18a989f3d43')
+sha256sums_arm=('0c32633587325e3874c19ba5e6e658eb1ba8b3354c15c3c9da3f9d9ef849d8ca')

 check() {
+  gpg --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
   gpg --verify-files ${srcdir}/op.sig
 }
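
Review bot: in check(), the added `gpg --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22` line does not pin the verification to that key, because `gpg --verify-files ${srcdir}/op.sig` succeeds for a good signature from any key already in the builder's keyring. It also makes every build contact a keyserver and write to the user's personal keyring as a side effect of check(). I would drop the import from check(), document the key import for the user instead, and have check() compare the signer fingerprint gpg reports (the VALIDSIG line of `--status-fd` output) with the full fingerprint. Separately, the path should be quoted as "${srcdir}/op.sig" so a build directory containing spaces does not break the check.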