CLI binary signature check

Now that my git credential helper is working with 1P, I started thinking about the differences in the UI...and then I put on my evil hat for a moment. After the work integrating with git, it only took about an 30min to whip up a little evil replacement for op as a proof of concept. I decided again linking to it here.

With the limited interface of a CL utility, I think some kind of code signing is even more critical than with GUI tools.

Now I know that if someone was to replace the op binary on a system you already have a major breach including potential keystroke loggers etc, but the lack of any UI other than terminal prompts makes it especially easy to fake and get a Master Key, without any easy way to have secondary indicators during use.

Note: I did read the thread from 2017 that said it was on your plan, but didn't see anything since then.


1Password Version: 7
Extension Version: Not Provided
OS Version: macOS 10.14
Sync Type: Not Provided

Comments

  • cohixcohix

    Team Member

    @angusl Yes, we are planning to roll out codesigning for all platforms with the eventual 1.0 release, we're sticking with the GPG signatures while still in beta.

This discussion has been closed.