Shouldn't the 1Password app download and updates come with a hash and signing keys for verification?

edited February 2017 in Lounge

Shouldn't the 1Password app download (dmg) and updates (pkg) come with a hash and signing keys for verification? Like other sensitive apps, for example: Bitcoincore, Tor and GPG Tools etc. It seems pretty standard among sensitive apps to provide numerous signatures for verification along with a verifiable hash of the installation file.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Shouldn't the 1Password app download and updates come with a hash and signing keys for verification?

Comments

  • brentybrenty

    Team Member

    @billaddison: Providing an external hash is something we've considered, but we'd need to have a secure way of providing that via a separate channel for it to be meaningful — sort of like exchanging PGP keys. After all, if someone is able to compromise our server to offer a modified version to users, they could just update the hash as well. But more importantly, this is less of a concern now that we're not distributing a .zip file (which, like a .dmg, cannot be signed) for 1Password for Mac. Instead, you'll get a .pkg file that is signed with the AgileBits certificate, and you can check the chain yourself by clicking the "padlock" in the upper right corner:

    This isn't feasible for many apps (especially open source software) since it means registering with Apple, but it's something that's important to us so we can get along with Gatekeeper, which helps us stay safe from software from unknown or untrusted sources. This is both transparent and easy to verify for users — unlike finding and comparing hashes, which is out of reach for most users. But while I think these are good measures, we're always open to suggestions. Cheers! :)

  • DanielPDanielP

    Team Member

    @billaddison On behalf of Brenty, you are very welcome :)

This discussion has been closed.