Notice about macOS Catalina and op

cohix

Team Member
edited November 7 in CLI Beta

With macOS Catalina (10.15), Apple introduced new Gatekeeper functionality to check all programs for notarization before allowing them to run. This means that all developers are required to submit their software to Apple before release such that it can be scanned for malware and verified as legitimate.

op is notarized as of version 0.8.0; any previous versions will not work on macOS Catalina unless run using the op Docker image. Please update to 0.8.0 and install via the .pkg installer to use op on macOS.

Happy scripting!

Comments

  • Any idea how long this will take so I can upgrade to macOS Catalina and still use my 1Password membership? I clicked on the link above and have no clue what a Docker container is or how to use this!!!

  • I forgot to mention that I use 1Password 7 ... 1Password 7 Version 7.3.2 (70302004) from the 1Password Store

  • cohix

    Team Member

    @kmiracle I think there is a bit of confusion, this applies to the op command-line tool, not 1Password for Mac. Our Mac app works well in Catalina and is already notarized. The Mac distribution of the op tool is the only thing affected by this.

  • You're correct, it was confusing, since I could find no information other than this one about op, and now I do not know what that is. I thought op just meant one password.

  • cohix

    Team Member

    No, not in this case :)

  • brenty

    Team Member
    edited October 24

    In case it helps you or anyone else, op is the actual command to run the 1Password command line app, which is the subject of this forum category. Cheers! :) :+1:

  • There are two other possible workarounds for those stuck without a working op command for the moment:

    spctl --add `which op`
    

    which does more or less the same thing that Finder does when you right-click a non-notarized / unsigned binary and click 'open' in the dialog that comes up, or this:

    xattr -d com.apple.quarantine `which op`
    

    which ... effectively tells macOS, "download? what download? I found this binary on my disk fully formed, maybe I compiled it myself, you don't need to protect me from it".

    I'll definitely feel better when the binary is just notarized though :-).

  • rudy

    Team Member

    @glyph,

    While it's possible to submit command-line binaries to Apple for notarization analysis, it's not actually possible to staple the resulting notary information to the command-line tool itself.

  • @rudy my understanding is that stapling is just to facilitate offline verification, and as long as the Mac in question is internet-connected at first run time, it'll download and cache the notarization anyway.

    To that end, you can staple to a pkg file: https://scriptingosx.com/2019/09/notarize-a-command-line-tool/ which … I’m not sure of the mechanics here? Maybe it just sideloads the notarization blob into the system policy list? But it’s a supported workflow, somehow.

  • zahanm
    edited November 4

    @glyph thanks for the pointers! Removing the attribute (xattr) worked for me.
    I don't think the spctl command you listed works though. Before adding the rule to allow it, this is the --assess output:

    > spctl --assess (which op)
    /usr/local/bin/op: rejected
    

    After adding a rule, it still refuses to run. --assess output:

    > spctl --assess (which op)
    /usr/local/bin/op: rejected (the code is valid but does not seem to be an app)
    

    Removing the com.apple.quarantine attribute gets it working again though.

  • rudy

    Team Member

    @zahanm,

    Those results for spctl make sense, as the op that you currently have isn't codesigned.

  • cohix

    Team Member

    @kmiracle @glyph @zahanm As of version 0.8, which was released just moments ago, op is now notarized! Please try it out and let us know how it goes.

  • Thank you! (My minor update to the spctl debacle is that you have to do a thing in System Preferences manually to allow it after you've done --add, I'm not sure the command-line synonym for that. But this is no longer necessary now that it's notarized :))

    @cohix I have some personal interest in how such a thing is accomplished - would you be willing to explain how the process was done? Does the binary somehow include the stapled notarization ticket, do you have to be online the first time you run it?

  • cohix

    Team Member

    @glyph Absolutely! We built a new CD job that builds the op binary with an embedded Info.plist file, then uses packagesbuild to bundle it into a .pkg file. We then sign it with our developer certificate, zip it up, and upload it to the notary service. Our wonderful Apple dev team (shout out @rudy for all his knowledge) created a great script that does the zipping and uploading, and then polls the notary service until the job is complete, downloads the ticket, and staples it to the .pkg (which recursively staples the binary itself, iirc). That gets uploaded to our app-updates server where it's delivered to you fine folk :)
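The sign / package / submit / poll / staple pipeline cohix describes, together with the checks glyph and zahanm were running by hand earlier in the thread, written out as an added shell example. This is not 1Password's release script: the binary path, package name, bundle identifier, certificate names, Apple ID, the `AC_PASSWORD` keychain item and the sample `altool` output in the comments are all placeholders or constructed here. It assumes a Mac with the Xcode command-line tools (`codesign`, `pkgbuild`, `productsign`, `xcrun altool`, `xcrun stapler`, `spctl`, `xattr`) and both a "Developer ID Application" and a "Developer ID Installer" certificate in the keychain.

```shell
#!/bin/bash
# Added example, not 1Password's own release tooling. Every name below is a
# placeholder; override via the environment. Assumes macOS + Xcode CLI tools.
set -eu

BIN="${BIN:-./op}"                        # built command-line binary
PKG="${PKG:-op.pkg}"                      # installer package that gets shipped
VERSION="${VERSION:-0.8.0}"
BUNDLE_ID="${BUNDLE_ID:-com.example.op}"
APP_CERT="${APP_CERT:-Developer ID Application: Example Corp (TEAMID1234)}"
INST_CERT="${INST_CERT:-Developer ID Installer: Example Corp (TEAMID1234)}"
APPLE_ID="${APPLE_ID:-dev@example.com}"
AC_PASS="@keychain:AC_PASSWORD"           # altool reads the app-specific password from the keychain

# --- Diagnosis (what the spctl/xattr experiments in the thread were probing) ---
# `spctl --assess --type execute` only ever "accepts" bundles, which is why a bare
# binary reports "does not seem to be an app" even when signed. For a CLI tool,
# look at the quarantine flag and the signature on the binary, and assess the .pkg.
diagnose() {
  f="$1"
  xattr -p com.apple.quarantine "$f" 2>/dev/null || echo "$f: no quarantine attribute"
  codesign -dv --verbose=4 "$f" 2>&1 || echo "$f: not signed"
  if [ -f "$PKG" ]; then spctl --assess --type install --verbose=4 "$PKG" 2>&1 || true; fi
}

# --- Build and sign -------------------------------------------------------------
sign_binary() {
  # Hardened runtime and a secure timestamp are required for notarization.
  codesign --force --options runtime --timestamp --sign "$APP_CERT" "$BIN"
}

build_pkg() {
  rm -rf pkgroot unsigned.pkg
  mkdir -p pkgroot/usr/local/bin
  cp "$BIN" pkgroot/usr/local/bin/op
  pkgbuild --root pkgroot --identifier "$BUNDLE_ID" --version "$VERSION" \
           --install-location / unsigned.pkg
  productsign --sign "$INST_CERT" unsigned.pkg "$PKG"
}

# --- Notary service -------------------------------------------------------------
# Text parsers kept separate from the network calls so they can be exercised offline.
# Constructed sample of `altool --notarize-app` output:
#   No errors uploading 'op.pkg'.
#   RequestUUID = 2EFE2717-52EF-43A5-96DC-0797E4CA1041
request_uuid() { sed -n 's/.*RequestUUID = \([0-9A-Fa-f-]*\).*/\1/p' | head -n 1; }

# Constructed sample of `altool --notarization-info` output:
#           Status: success          (or "in progress" / "invalid")
#      Status Code: 0
#   Status Message: Package Approved
notary_status() { sed -n 's/^[[:space:]]*Status: *\(.*\)$/\1/p' | head -n 1; }

submit() {
  uuid="$(xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" \
            -u "$APPLE_ID" -p "$AC_PASS" --file "$PKG" 2>&1 | request_uuid)"
  [ -n "$uuid" ] || { echo "submission failed: no RequestUUID" >&2; return 1; }
  echo "$uuid"
}

wait_for_notary() {
  uuid="$1"
  while :; do
    status="$(xcrun altool --notarization-info "$uuid" -u "$APPLE_ID" -p "$AC_PASS" 2>&1 | notary_status)"
    case "$status" in
      success)          return 0 ;;
      "in progress"|"") sleep 30 ;;                      # still queued, or a transient error
      *) echo "notarization failed: $status" >&2; return 1 ;;
    esac
  done
}

staple_and_verify() {
  # The ticket is stapled to the .pkg only: a bare Mach-O has nowhere to hold it,
  # so Gatekeeper resolves the binary's notarization online by its code hash.
  xcrun stapler staple "$PKG"
  xcrun stapler validate "$PKG"
  spctl --assess --type install --verbose=4 "$PKG"    # expect "accepted" / "source=Notarized Developer ID"
}

main() {
  sign_binary
  build_pkg
  uuid="$(submit)"
  wait_for_notary "$uuid"
  staple_and_verify
}

case "${1:-}" in
  release)  main ;;
  diagnose) diagnose "$2" ;;
esac
```

Run `./notarize.sh release` from the CD job and `./notarize.sh diagnose /usr/local/bin/op` on a user's machine. `altool` is the 2019-era interface; on Xcode 13 and later `xcrun notarytool submit "$PKG" --wait` replaces the submit-and-poll pair, while the signing, packaging and stapling steps are unchanged.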
