Validate download signature?

Options
ryansch
ryansch
Community Member
in CLI

The CLI download comes with a .sig file. How would I use that to validate the download?

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • cohix
    cohix
    1Password Alumni
    Options

    Hey @ryansch you can see those instructions in our getting started guide: https://support.1password.com/command-line-getting-started/#set-up-the-command-line-tool

  • ryansch
    ryansch
    Community Member
    Options

    Perfect! Thanks @cohix.

  • cohix
    cohix
    1Password Alumni
    Options

    Any time!

  • ryansch
    ryansch
    Community Member
    edited September 2017
    Options

    @cohix keybase pgp verify -d op.sig -i op -S 1password might be an even better verification command

  • cohix
    cohix
    1Password Alumni
    Options

    Cool, we'll look into it :)

  • Claudi
    Claudi
    Community Member
    Options

    @ryansch Great alternative! UX-wise, the keybase command line is a step forward. Its output has a much clearer wording, which makes it much less fear-inducing to users who are not crypto experts.

    That said, the gpg variant may still remain useful. Some users may prefer not to join Keybase, not to install their software, or not to trust yet another party in the chain.

  • cohix
    cohix
    1Password Alumni
    Options

    Yes, we considered the keybase tools, but we decided that asking users to join keybase just to validate our signatures was ridiculous. GPG should suffice for most people.

  • pervel
    pervel
    Community Member
    edited September 2017
    Options

    @cohix: keybase actually works without logging in. But the command needs to have the keybase GUI running which isn't ideal if you use the command infrequently.

  • cohix
    cohix
    1Password Alumni
    Options

    Ah okay I understand. Thanks for the heads up.

This discussion has been closed.