Package Details: 1password-cli 0.9.2-1

Git Clone URL: https://aur.archlinux.org/1password-cli.git (read-only)
Package Base: 1password-cli
Description: 1Password command line tool
Upstream URL: https://app-updates.agilebits.com/product_history/CLI
Licenses: custom
Submitter: Sh4rk
Maintainer: slurpee
Last Packager: slurpee
Votes: 12
Popularity: 0.23
First Submitted: 2017-09-07 18:54
Last Updated: 2020-02-06 15:30

Pinned Comments

Auerhuhn commented on 2018-07-01 15:53

You may want to first import 1Password’s PGP code signing key:

```
gpg --recv-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
```

To confirm the key is legit, see this comment by 1Password’s Jeffrey Goldberg:

https://discussions.agilebits.com/discussion/comment/420654/#Comment_420654

Latest Comments


Auerhuhn commented on 2017-10-30 14:31

I suggest this patch in order to pin the signature validation to the known fingerprint:

```
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -8,6 +8,7 @@ arch=('x86_64' 'i686' 'arm')
url="https://app-updates.agilebits.com/product_history/CLI"
license=('custom')
options=('!strip' '!emptydirs')
+validpgpkeys=('3FEF9748469ADBE15DA7CA80AC2D62742012EA22') # 1Password <codesign@1password.com>

source_x86_64=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_amd64_v$pkgver.zip")
source_i686=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_386_v$pkgver.zip")
```
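
Review bot: The added validpgpkeys line only takes effect when makepkg itself verifies a signature, and the two source entries visible below it (source_x86_64 and source_i686) list only the .zip, with no .sig or .asc entry beside it. makepkg consults validpgpkeys for sources that come with a detached signature file in the source array; if the signature is instead checked by a gpg call inside check(), a good signature from any key in the builder's keyring will still pass. Either add the detached signature as a source entry, if upstream publishes one at a stable URL, or have check() compare the fingerprint gpg reports against this value. The trailing comment naming the key owner is worth keeping.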

sfusco commented on 2017-10-22 19:22

For the security minded, you will probably want to verify the PGP signature of the binary.

```
# manually
keybase pgp verify -d op.sig -S 1password -i op

# using gpg integration
keybase follow 1password
keybase pgp pull 1password

# now pacaur should find the public key in your local gpg ring
pacaur -S 1password-cli
```
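
The fingerprint pinning discussed in these comments, as an added example that is not part of any comment or of the package: `gpg --verify` succeeds for a good signature from any key in the local keyring, so the function below reads gpg's `--status-fd` lines and accepts only a signature made by the fingerprint quoted on this page. The function name `sig_matches_pin` and the sample status lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the PKGBUILD or of 1Password's tooling.
# Real use (assumes op and op.sig sit in the current directory):
#   gpg --status-fd 1 --verify op.sig op 2>/dev/null | sig_matches_pin "$PINNED_FPR"

PINNED_FPR='3FEF9748469ADBE15DA7CA80AC2D62742012EA22'   # fingerprint quoted on this page

# Constructed status lines: signature by the pinned key.
SAMPLE_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AC2D62742012EA22 1Password <codesign@1password.com>
[GNUPG:] VALIDSIG 3FEF9748469ADBE15DA7CA80AC2D62742012EA22 2017-09-07 1504817530 0 4 0 1 8 00 3FEF9748469ADBE15DA7CA80AC2D62742012EA22'

# Constructed: valid signature, but from some other key in the keyring.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else <other@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-09-07 1504817530 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Constructed: key missing from the keyring (the "No public key" case).
SAMPLE_NO_KEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG AC2D62742012EA22 1 8 00 1504817530 9 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
[GNUPG:] NO_PUBKEY AC2D62742012EA22'

# Reads gpg status lines on stdin. Succeeds only if exactly one signature was
# checked, it is valid, and its signing-key or primary-key fingerprint is $1.
sig_matches_pin() {
    pin=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    newsig=0 valid=0 bad=0
    # VALIDSIG layout: fpr, date, timestamp, expiry, version, reserved,
    # pubkey algo, hash algo, sig class, primary-key fpr.
    while read -r prefix tag fpr _d _ts _exp _ver _res _pk _hash _class primary _rest; do
        [ "$prefix" = '[GNUPG:]' ] || continue
        case $tag in
            NEWSIG) newsig=$((newsig + 1)) ;;
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) bad=1 ;;
            VALIDSIG)
                if [ "$fpr" = "$pin" ] || [ "$primary" = "$pin" ]; then
                    valid=1
                else
                    bad=1
                fi ;;
        esac
    done
    [ "$newsig" -eq 1 ] && [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}
```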

Auerhuhn commented on 2017-09-18 12:40

Thanks @micaelbergeron!

(I’m fairly new to AUR but it strikes me how super friendly people are around here! You people are a pleasure to work with!)

micaelbergeron commented on 2017-09-18 12:24

Feel free to use my PKGBUILD, this is an oversight on my end. Then you may ask for op-bin deletion.

Auerhuhn commented on 2017-09-17 11:44

Thanks @Sh4rk for integrating this!

I have found that the GPG verification breaks for me. This is what I get:

```
gpg: Signature made Do 07 Sep 2017 22:52:10 CEST
gpg: using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: Can't check signature: No public key
==> ERROR: A failure occurred in check().
Aborting...
```

Maybe we can figure out a way to use `validpgpkeys` to get it to work? Other packages seem to do just that. [1] [2]

I’ll look into the details as soon as I find the time.

[1]: https://aur.archlinux.org/packages/openssl-zlib

[2]: https://aur.archlinux.org/packages/openssl098

Sh4rk commented on 2017-09-17 07:49

@Auerhuhn: thanks for your feedback. I added support for both architectures and the gpg check.

Auerhuhn commented on 2017-09-16 21:24

A few days ago, a duplicate of this package popped up: https://aur.archlinux.org/packages/op-bin

I think it should be deleted but it also features a few things that are missing in this one.

Do you feel it would be a good thing to integrate the good parts of op-bin into your package? (I’m thinking of the i686 and arm architectures, and maybe the GPG verification, too.)