How to fix issue where 1Password will not use AgileKeyChain in Dropbox SUB-folder

NOTE FROM AGILEBITS:
Thanks to Jon for writing this up! This is a pretty advanced trick and is not endorsed by AgileBits. Before proceeding, you should be sure that you are comfortable working in Terminal and with a text editor to edit configuration files. AgileBits cannot support this configuration, and it may break at any time. Proceed at your own risk.

Jon's original post:
I have figured out how to fix the Dropbox issues with MAS 1Password where it will not use a keychain file in a folder. Follow these steps:
  1. Launch 1Password and disable the helper by navigating to [font=courier new,courier,monospace]Preferences -> Extentions -> Keep helper running[/font] ... and unchecking the boxes
  2. Quit 1Password and verify that the helper has quit
  3. Navigate to [font=courier new,courier,monospace]~/Library/Containers/[/font] and add [font=courier new,courier,monospace].backup[/font] to the end of these two directories:
    1. [font=courier new,courier,monospace]com.agilebits.onepassword-osx-helper[/font]
    2. [font=courier new,courier,monospace]com.agilebits.onepassword-osx[/font]
  4. Launch 1Password again and it will ask you to start new or "... used 1Password before ..."
  5. Select the "... used 1Password before" option
  6. Navigate to your keychain database file in Dropbox and select it
  7. 1Password will import it's contents into a new keychain file. THIS IS OK
  8. Unlock the database
  9. Navigate to [font=courier new,courier,monospace]Preferences -> General[/font] and you should see that the keychain is stored in [font=courier new,courier,monospace]~/Library/Containers/com.agilebits.onepassword-osx-helper/Data/Documents.1Password.agilekeychain [/font]or something very similar. This is OK, we are going to override this next.
  10. Quit 1Password
  11. Using a property list file editor, or Xcode and edit this file:
    1. [font=courier new,courier,monospace]~/Library/Containers/com.agilebits.onepassword-osx-helper/Data/Library/Preferences/com.agilebits.onepassword-osx-helper.plist[/font]
  12. Manually edit the [font=courier new,courier,monospace]DatabasePath[/font] parameter and point it to the exact full path to your [font=courier new,courier,monospace].agilekeychain[/font] file in Dropbox.
    1. e.g.[font=courier new,courier,monospace] /Users/username/Library/Containers/com.agilebits.onepassword-osx/Data/Library/Preferences/com.agilebits.onepassword-osx.plist[/font]
  13. Launch 1Password and repeat step 9 to confirm that the data is now being stored in Dropbox
    1. The button below the location should now say "Stop Using Dropbox..."


If you skip step 3, which I did the first time, you get funky issues where not all of the items will appear when you open 1Password. I am guessing it has something to do with the encryption keys, but not 100% sure. I looked in the 1Password log file and didn't see any failure to decrypt errors.




One other thing that may have helped is the tickler that tells 1Password where the agilekeychain file is located in Dropbox was wrong. Check out [font=courier new,courier,monospace]~/Dropbox/.ws.agile.1Password.settings[/font] and make sure that it points to the correct file. On the laptop with issues, the file indicated inside was incorrect. It showed [font=courier new,courier,monospace]1Password.agilekeychain [/font]when it should be [font=courier new,courier,monospace]1Password/1Password.agilekeychain[/font] since I keep my agilekeychain file in a directory to make it easier to share.

I hope that helps

Comments

  • bswins
    edited September 2011
    Hello Jon,

    Thank you for the very detailed instructions! Most impressive. :)

    I am confident that many users will benefit from your post, and I only wish to add that I am sorry so many manual steps were required.

    I passed along your procedures to our developers for review, and they were impressed too. Great job! ;)

    Thank you again for taking the time to list each detailed step. Passionate users are a fantastic source of information, and you just proved that in Spades!

    Cheers!

    Brandt
  • smithbp
    edited September 2011
    this is exactly the problem i am having now. thanks for the help.

    could you explain step 11 a little for me. what is a property list editor and how do i edit that file.

    too i don't understand how to edit the database path in step 12.

    thanks for the help! really appreciate it!
  • i used textedit to attempt step 11. is that correct?

    too could you post a pic of what step 12 looks like on your screen.

    one more thing, in step 3 i add .backup to the directories, which i assume are the folders (i am guessing i do not need to open the folder and navigate within it)

    when i navigate back to the container in step 3 i see the containers i modified with .backup and the original containers again too.

    thanks again.
  • smithbp wrote:

    i used textedit to attempt step 11. is that correct?


    Text Edit doesn't always work for editing Property List files as some are binary, rather than XML. I use Xcode to edit Property List files and it can edit any Property List file. If you don't want to go the whole Xcode route you could use a free app like Pref Setter to make the changes.

    smithbp wrote:

    too could you post a pic of what step 12 looks like on your screen.


    See attached for an example of Property List Editor as part of Xcode.
    smithbp wrote:

    one more thing, in step 3 i add .backup to the directories, which i assume are the folders (i am guessing i do not need to open the folder and navigate within it)

    when i navigate back to the container in step 3 i see the containers i modified with .backup and the original containers again too.

    thanks again.


    This is correct. I left out a step of removing the .backup directories on purpose. I thought it better to leave them there than risk removing something important. Give it a week or two, and if everything is working well, go ahead and remove the .backup directories.

    You're welcome!
  • This is quite the hack. :)

    I would just forewarn any users who wish to attempt this that it is a very advanced step and only intended for users who are comfortable working in the file system and with a text editor. Many of our users are, so more power to ya.
  • bwoodruff wrote:

    This is quite the hack. :)

    I would just forewarn any users who wish to attempt this that it is a very advanced step and only intended for users who are comfortable working in the file system and with a text editor. Many of our users are, so more power to ya.


    Thanks Ben! This is a very advanced workaround and is something I would not recommend to someone who is not super tech savvy. If you have a good Time Machine backup though any mistakes should be recoverable. I love puzzles and had to figure this one out. Being an iOS & App Store developer myself helped though :)
  • dhiebert
    dhiebert
    Community Member
    I got stuck on step 8. Unlock the database. When I enter my master password, I get the error "Unable to unlock 1Password. 1Password could not be unlocked with the password you provided. Please verify the password and try again."
  • Jon Marler wrote:



    Text Edit doesn't always work for editing Property List files as some are binary, rather than XML. I use Xcode to edit Property List files and it can edit any Property List file. If you don't want to go the whole Xcode route you could use a free app like Pref Setter to make the changes.



    See attached for an example of Property List Editor as part of Xcode.



    thank you for taking the time to help answer my questions. I do not really have any experience, but wanted to attempt anyway ( I made a backup of everything)

    is the 1password team working on this and will it be fixed soon and available via the app store.

    if I can't get this solution to work then i am really stuck in the water.

    any suggestions.

    thanks again!
  • dhiebert wrote:

    I got stuck on step 8. Unlock the database. When I enter my master password, I get the error "Unable to unlock 1Password. 1Password could not be unlocked with the password you provided. Please verify the password and try again."


    Unfortunately, I won't be able to help you with that. If that's happening, you may not have a good keychain database in Dropbox. You may want to sort that issue out first before going any further.


    smithbp wrote:

    is the 1password team working on this and will it be fixed soon and available via the app store.


    From what I understand of the issue, the problem revolves around the sandbox method that Agile Bits chose to use for 1Password when developing 3.9 without updating the way 1Password uses Dropbox. While sandboxing is not required for applications to be distributed in the Mac App Store, it is recommended by Apple:


    Before you request a sandbox for your application, you must decide whether doing so is appropriate for your needs. Although Apple recommends that all applications adopt the sandbox model, such a model may limit the behavior available to your application


    Sandboxing is the new hotness in app security, but it's not a panacea. As we have seen countless times before, escaping the sandbox is not impossible. Apple wants developers to stop using cloud services such as Dropbox and use iCloud for object storage. 1Password uses Dropbox by directly reading/writing to the Dropbox folder, which doesn't work well in the MAS sandbox model. Dropbox doesn't have a strong desktop API, but it is possible to use the web API with OAuth authentication in desktop applications. In fact, Dropbox recommends that desktop application developers move to this model and even warn that the method of directly manipulating files in the Dropbox folder is likely to be deprecated in the future:


    It is possible to bypass the API entirely and take advantage of the syncing aspects of the Dropbox desktop client by reading and writing directly to the Dropbox folder. Before you select this method, keep in mind that as the desktop client evolves, this method will likely be deprecated.


    Hopefully, Agile Bits is working on developing an API based integration for Dropbox into the desktop 1Password MAS app, similar to the iOS 1Password apps. Considering the fact that the iOS apps have been out for a while and work so well, it's probably not that large of a hill to climb to get it done. That said, I can't speak for Agile Bits as I am just another user and am just pontificating.
  • RRRob
    edited September 2011
    Jon Marler wrote:
    Hopefully, Agile Bits is working on developing an API based integration for Dropbox into the desktop 1Password MAS app, similar to the iOS 1Password apps. Considering the fact that the iOS apps have been out for a while and work so well, it's probably not that large of a hill to climb to get it done. That said, I can't speak for Agile Bits as I am just another user and am just pontificating.

    Unfortunately, using the Dropbox web API is not a sure panacea, either. My employer has blocked all access to the Dropbox.com domain at the proxy server, so neither the file-level nor the web API Dropbox sync approaches will work. So as long as Dropbox is the only solution for remote (not local WiFi) iOS 1Password synchronization, I and anyone else in a similar situation (not uncommon in corporate America) will have to resort to various workarounds.
  • RRRob wrote:

    Unfortunately, using the Dropbox web API is not a sure panacea, either. My employer has blocked all access to the Dropbox.com domain at the proxy server, so neither the file-level nor the web API Dropbox sync approaches will work. So as long as Dropbox is the only solution for remote (not local WiFi) iOS 1Password synchronization, I and anyone else in a similar situation (not uncommon in corporate America) will have to resort to various workarounds.


    A fair point and I absolutely agree. I wonder if it would be possible to sync through iTunes ... hmm ...
  • Carl
    Carl
    Community Member
    Jon Marler wrote:



    From what I understand of the issue, the problem revolves around the sandbox method that Agile Bits chose to use for 1Password when developing 3.9 without updating the way 1Password uses Dropbox. While sandboxing is not required for applications to be distributed in the Mac App Store, it is recommended by Apple:



    Sandboxing is the new hotness in app security, but it's not a panacea. As we have seen countless times before, escaping the sandbox is not impossible. Apple wants developers to stop using cloud services such as Dropbox and use iCloud for object storage. 1Password uses Dropbox by directly reading/writing to the Dropbox folder, which doesn't work well in the MAS sandbox model. Dropbox doesn't have a strong desktop API, but it is possible to use the web API with OAuth authentication in desktop applications. In fact, Dropbox recommends that desktop application developers move to this model and even warn that the method of directly manipulating files in the Dropbox folder is likely to be deprecated in the future:



    So basically you are saying that sandboxing 1P was not required if I am reading this correctly.
  • RRRob
    edited September 2011
    Jon Marler wrote:

    A fair point and I absolutely agree. I wonder if it would be possible to sync through iTunes ... hmm ...

    I'm not sure that would help in my workplace; iTunes for Windows requires administrative rights to install, which only the IT staff members have. It might work if 1Password did it through some kind of web API, however, since the Apple domains aren't blocked. Which pretty much leads us back to the idea of syncing through iCloud.
  • hrosenman
    hrosenman
    Community Member
    I am stuck on Step 6, "Navigate to your keychain database file in Dropbox and select it" - I have a folder in Dropbox named "1Password.agilekeychain_folder" (I can see the .agilekeychain_folder" because I turned on visible Finder extensions to try to solve this problem). The program opens this as a folder, showing me the contents with an "open" button -- it does not recognize it as the Dropbox database. This is the problem that brought me to this thread. What file am I supposed to select as the old 1Password data?
  • Carl wrote:


    So basically you are saying that sandboxing 1P was not required if I am reading this correctly.


    It is entirely true that sandboxing is not a requirement yet. It will be in 2 months (November). In November, in order to submit an update to your app, it must include sandboxing. We felt it was much better to simply launch as a sandboxed app, rather than be forced to try and build it on later (and likely causing even more problems for even more people).

    http://www.bkeeneybriefs.com/2011/07/long-live-cocoa-or-is-sandboxing-killing-carbon/
  • hrosenman wrote:

    I am stuck on Step 6, "Navigate to your keychain database file in Dropbox and select it" - I have a folder in Dropbox named "1Password.agilekeychain_folder" (I can see the .agilekeychain_folder" because I turned on visible Finder extensions to try to solve this problem). The program opens this as a folder, showing me the contents with an "open" button -- it does not recognize it as the Dropbox database. This is the problem that brought me to this thread. What file am I supposed to select as the old 1Password data?


    While we can't really support this "hack" it would seem that the problem is that your keychain is named incorrectly. Please rename it to "1Password.agilekeychain" instead of "1Password.agilekeychain_folder." The _folder portion is likely a hold-over from the days of .Mac ("DotMac") syncing.
  • hrosenman
    hrosenman
    Community Member
    I only turned to the "hack" because the app wouldn't recognize my Dropbox data folder. Renaming it as you suggested fixed the problem, and no hack was necessary. Thanks much. This might be a good FAQ question/answer. Also, I feel I should mention that the text for the "I've used 1Password before" button is not consistent with the text right above it.

    Thanks for the quick help.
  • Thank you for the feedback! I will see what we can do about adding something about this issue to the knowledge base.
  • bwoodruff wrote:

    Thank you for the feedback! I will see what we can do about adding something about this issue to the knowledge base.


    will this issue be addressed in an update w/ 1password in the mac app store. right now i can not use 1password on any of my machines because it will not open the 1password file in my dropbox. when i point it to it from the splash screen it just creates a local copy on my computer. when i go to preferences in 1password, use dropbox is grayed out. i attempted the hack, but i could not get it to work and i would prefer to not have to resort to this if an update is coming to correct this issue.

    thanks for the help
  • dhiebert wrote:

    I got stuck on step 8. Unlock the database. When I enter my master password, I get the error "Unable to unlock 1Password. 1Password could not be unlocked with the password you provided. Please verify the password and try again."

    That's probably because your Dropbox folder is not located in your home folder!
  • Jon Marler wrote:

    NOTE FROM AGILEBITS:
    Thanks to Jon for writing this up! This is a pretty advanced trick and is not endorsed by AgileBits. Before proceeding, you should be sure that you are comfortable working in Terminal and with a text editor to edit configuration files. AgileBits cannot support this configuration, and it may break at any time. Proceed at your own risk.


    I absolutely agree! In fact, this hack violates the principles and idea behind the sandbox. I wouldn't be surprised if Apple prevented a hack like this from working in the future. And you're welcome! I believe in Agile Bits and 1Password and want to see you guys thrive and be successful. Months from now, we will all laugh about how crazy this transition was, and how AWESOME 4.0 is.
  • Carl wrote:

    So basically you are saying that sandboxing 1P was not required if I am reading this correctly.


    I forget how much of this is under NDA so I won't say specifics, but I can say this: yes, as of *today* sandboxing is optional. This won't be true for much longer, however. We only wanted to be in the MAS if we could stay in the MAS so we decided to embrace sandboxing immediately.
  • Carl
    Carl
    Community Member
    dteare wrote:


    I forget how much of this is under NDA so I won't say specifics, but I can say this: yes, as of *today* sandboxing is optional. This won't be true for much longer, however. We only wanted to be in the MAS if we could stay in the MAS so we decided to embrace sandboxing immediately.


    Fair enough.
This discussion has been closed.