Verify 1Password CLI signature on install#164
Open
JillRegan wants to merge 10 commits into
Open
Conversation
rishiy15
approved these changes
May 27, 2026
bertrmz
approved these changes
May 27, 2026
|
|
||
| // Confirm the signer is AgileBits, not some other publisher. | ||
| const subject = fieldValue("Subject=") ?? ""; | ||
| if (!subject.includes(`CN=${WINDOWS_SIGNER_SUBJECT_CN}`)) { |
Contributor
There was a problem hiding this comment.
This could use a closing delimiter; the current form would match CN=AgilebitsAttackerCorp as well.
Contributor
Author
|
I’m going to hold off on merging this for the moment while I dig into some flaky tests. For folks who want CLI signature verification now, the latest Will be following up with this next week to confirm and test further. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds signature verification for the 1Password CLI binary the action downloads, addressing concern that the action did not validate the authenticity of artifacts downloaded from
cache.agilebits.com.Each platform uses the verification mechanism from 1Password's docs (https://www.1password.dev/cli/verify).
How each platform verifies
pkgutil --check-signature- pinned to team ID2BUA8C4S2Cand a SHA-256 allowlist of accepted leaf certs.gpg --verifyagainst a bundled public key and pinned to fingerprint3FEF9748469ADBE15DA7CA80AC2D62742012EA22.Get-AuthenticodeSignature- requiresStatus=Validand a Subject containingCN=Agilebits.Breaking changes (this should be semver-major update)
gpgon PATH. GitHub-hosted Ubuntu runners include it by default. Custom or minimal container images may need updating.Why the Linux key is bundled
The Linux public key lives at
src/op-cli-installer/github-action/cli-installer/linux-signing-key.asc(ncc auto-bundles it intodist/next toindex.js). This eliminates a runtime dependency onkeyserver.ubuntu.comordownloads.1password.com.Failure path verification
To confirm verification actually runs against real binaries in CI I created a throwaway branch and replaced a single character in each pinned trust anchor to view verification failure.