1Password for Mac 6.5.5: Manual update required

tl;dr

As a result of an expired provisioning profile and format change in the developer certificate, customers who downloaded 1Password for Mac directly from our site will need to manually update to the latest version. Those using 1Password from the Mac App Store are not affected.

For those who are interested, here are the events that conspired against us to make for an interesting Family Day weekend…

Fire at the office

I was out at the gym yesterday when I received a call from my wife. I thought she was calling about our belated Valentine’s dinner we had planned. Instead she rather alarmingly told me that “Sara called and said there is a fire at the office”.

Rushing home, I was expecting to hear that the hammocks and standing desks had gone up in flames. (Happily our servers are all virtual so I wasn’t too concerned). The “fire at the office” turned out to be a fire with 1Password for Mac. Customers were getting an error message when trying to start 1Password!

Unable to start 1Password

I urgently gathered our Mac team who were enjoying their holiday weekend to figure out what happened. We quickly recreated the issue and found this error in the logs: Binary is improperly signed. This seemed very strange to me as this version was released back in 2016.

We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version. Apparently that’s not the case. In reality it had the unexpected side effect of causing macOS to refuse to launch 1Password properly.

New certificate, new format

We renewed our certificate and released 1Password 6.5.4 thinking all would be well. And that’s when the other shoe dropped. When we created the new certificate it had a new format for the Common Name.

While this sounds like an inconsequential change, our built-in installer goes to great lengths to validate that every 1Password update is actually 1Password. Since our installer did not recognize the new certificate format it refused to update.
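Why an exact Common Name match breaks on renewal, and a check that pins the Team ID instead. This is an added example, not AgileBits' updater code: it models the updater's check as an exact string match, uses the two Common Name strings quoted in the comments below, and reads constructed `codesign -dvv`-style output.

```python
import re

# Constructed sample of `codesign -dvv` output for a build signed with the
# new-format certificate; only the fields the checks read are shown.
SAMPLE_NEW = """\
Authority=Developer ID Application: Agilebits Inc. (2BUA8C4S2C)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=2BUA8C4S2C
"""
# Constructed: the same chain with the old-format Common Name.
SAMPLE_OLD = SAMPLE_NEW.replace(" (2BUA8C4S2C)", "")
# Constructed look-alike: same display name, different (made-up) team.
SAMPLE_FOREIGN = SAMPLE_NEW.replace("2BUA8C4S2C", "ZZZZ999999")

PINNED_CN = "Developer ID Application: Agilebits Inc."  # old exact-match pin
PINNED_TEAM = "2BUA8C4S2C"  # assumed here to be the Team ID being pinned
APPLE_CHAIN = ["Developer ID Certification Authority", "Apple Root CA"]
LEAF_RE = re.compile(
    r"^Developer ID Application: (.+?)(?: \((?P<team>[A-Z0-9]{10})\))?$")


def parse_signing_info(text):
    """Collect Authority lines (leaf first) and the TeamIdentifier field."""
    info = {"authorities": [], "team": None}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["authorities"].append(value)
        elif key == "TeamIdentifier":
            info["team"] = value
    return info


def brittle_check(info):
    """Exact Common Name comparison (assumed model of the old check)."""
    return bool(info["authorities"]) and info["authorities"][0] == PINNED_CN


def team_pinned_check(info):
    """Pin the issuing chain and Team ID; tolerate either CN format."""
    auth = info["authorities"]
    if len(auth) != 3 or auth[1:] != APPLE_CHAIN:
        return False
    m = LEAF_RE.match(auth[0])
    if m is None or info["team"] != PINNED_TEAM:
        return False
    # If the CN carries a Team ID suffix it must agree with the pinned one.
    return m.group("team") in (None, PINNED_TEAM)
```

The parsed text is only meaningful after `codesign --verify` has succeeded on the same bundle; reading display output does not itself validate the signature.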

No problem can’t be solved without yet another build, so we created 1Password 6.5.5.

Long story short, 1Password 6.5.5 is now available and solves all these problems. The only catch is it requires you to install it manually.

Moving forward

As you might imagine, we have a whole new level of understanding of the importance of expiring provisioning profiles and certificates. Our new certificate expires in 2022 but I can guarantee you we will be renewing it far before then.

I do apologize for the inconvenience and extra work that this will cause you. I am sure you had better things to do on your long weekend too. If you have any problems with this update please let us know.

I also want to take a quick moment to say “Thank You”. The understanding that I’ve seen from the 1Password community is overwhelming. You never cease to amaze me. It has truly been a humbling experience.

Having spent all Saturday fighting this fire, I still owe Brenda the dinner we were supposed to have had. After missing Valentine’s Day dinners two weeks in a row, I kind of wish the actual office had been on fire.

Further Reading

This was the first post in a three part series. The story continues here:

Part 2 : Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

Part 3 : PSA for macOS Developers: Renew Your Certificates & Provisioning Profiles

172 replies
  1. Alec E
    Alec E says:

    Ah! Wondered why mine wasn’t working earlier. Just assumed my Mac was being a pain and reinstalled. Thanks for the blog post. Hope it didn’t ruin the weekend too much!

    Reply
    • Dave Teare
      Dave Teare says:

      Hi Alec!

      Thanks for letting us know! I’m glad to hear everything turned out for you.

      As for our weekend, it wasn’t what we had planned for but we managed to keep calm and enjoy the process as much as possible. Remembering to breathe is a good first step, and if that doesn’t work, I always try to remind myself that the only people without problems are dead.

      Take care and enjoy the rest of your weekend.

      ++dave;

    • Shiner
      Shiner says:

      Hey Alec,

      You are very welcome for the post and thank you for your concern about my weekend.

      Normally I like to say that the difference between fun and frustrating is the amount of time that you have to solve a problem… but to be honest it was really nice to see our team come together, figure out what was wrong, and create a solution in such a short amount of time. Combine that with the understanding everyone has shown, and overall the weekend has been pretty good.

  2. Jeffrey Goldberg
    Jeffrey Goldberg says:

    Just a digression on Common Names and our updater:

    These are often very uncommon. The terminology is inherited from older identity management systems. This is why one of our common names (as far as TLS is concerned) is “*.1password.com”. For S/MIME certificates, the Common Name is typically the email address.

    Anyway, as Jeff Shiner said in the post, our update takes great care to make sure that when it fetches an update to 1Password you are getting a bona fide version of 1Password. And so it checks many aspects of the signature of what it downloads. In this case it was checking the Common Name of the signer as being “Developer ID Application: Agilebits Inc.” But our new Common Name is “Developer ID Application: Agilebits Inc. (2BUA8C4S2C)”

    Anyway, that is why y’all need to update manually (if you are using 1Password for Mac that is not from the Mac App Store).

    Reply
    • Thomas
      Thomas says:

      Jeff!
      This most likely is a coincidence: today (European time) I did have many crashes of 1PW on my iPad whenever I try to search for an entry. After entering one or two keystrokes it just turns off. It still is doing this. Right now it is unusable. This most likely does not go with your certificate problem but I wanted you to be aware of this.
      Enjoy the rest of your Sunday!

      Thomas

    • Dave Teare
      Dave Teare says:

      Thanks for elaborating on this, Jeff. You will have plenty of time to expand on this even further in our followup post that will expound on the technical details. We want to be able to talk with Apple first so this post may be a few weeks off, but stay tuned for a fun post!

      ++dave;

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Yup, Dave. I do want to go into this more deeply, and you will note that my expansion so far only talked about why manual updates were necessary. I did not dive into a discussion of the original problem that required the updates. I’m looking forward to getting a better understanding of why the operating system felt that 1Password and 1Password mini shouldn’t be launched under those circumstances. It will hinge on some subtle differences between code signing certificates and provisioning profiles.

    • Dave Teare
      Dave Teare says:

      Hi Thomas,

      Jeff needed to travel downtown for a dinner meeting so I thought I’d jump in.

      This does indeed sound like a different issue. But it is an issue so we should get you fixed up!

      First and foremost, are you running the latest version of 1Password on your iPad? Try launching the App Store and checking your Updates tab to make sure.

      Assuming you’re on the latest version and it still crashes, can you send us a Diagnostics Report? Here’s how to send it:

      https://support.1password.com/diagnostics/

      With any luck the report will help our iOS team pinpoint the issue so they can fix it in a future update.

      Take care, and enjoy the rest of your Sunday, too! ❤️

      ++dave;

    • Dave Teare
      Dave Teare says:

      Thanks for letting us know, Phil.

      The fact this works for you is not unexpected, but it does show why troubleshooting this issue over the weekend was so difficult.

      There are a lot of moving parts and we don’t have access to the macOS internals to see exactly how things are stitched together, so this is conjecture on my part, but it seems that macOS will only verify the code signature when an app launches. This makes sense as it would be resource intensive to constantly verify things, and this explains why people won’t see this issue until they completely quit 1Password (including 1Password mini) and then restart.

      Now the part that confuses us is it appears as though macOS does not always perform this validation step. It seems to cache the results somewhere, and it’s unclear to us how to clear this cache.

      Long story short, your 6.5.2 version should indeed be affected by this issue at some point. I am just not entirely sure when that will be. I suspect if you reboot your Mac you probably will experience it sooner than you would otherwise.

      If you have a few minutes and would like to contribute to our understanding, please go ahead and reboot and see how things go. I’d be very curious to know the results.

      ++dave;

    • Dave Teare
      Dave Teare says:

      Hi Ron,

      Thanks for letting us know. I’m curious, what exactly did you try and what error message (if any) did you see? Any details you can share will help us narrow down the problem.

      We’ve heard back from hundreds of customers (probably thousands by now) that these steps fixed the issue for them so I’m guessing there’s something unique happening on your machine.

      One thing I would suggest is trying the steps again and then rebooting your Mac and seeing if that solves the issue. The reboot will make sure that the old version of 1Password is no longer running.

      Please give that a go and let us know how it turns out.

      ++dave;

  3. Thomas
    Thomas says:

    Hi Dave!
    I will call it a day soon so you have plenty of time ……
    I do run 6.5.2 on my iPad (I do have automatic updates enabled), so that would be fine.
    It started with the crashes when I opened 1PW as a second app on top of other apps, you know: sliding it in from the right side.
    I will see if I can get the Diagnosis Report to you.
    Take care

    Thomas

    Reply
  4. Dave Teare
    Dave Teare says:

    Interestingly enough, it looks like we weren’t alone fighting this fire this weekend. Somehow that makes me feel a little bit better.

    Adam Engst had a write up of what happened to PDFpen:

    http://mjtsai.com/blog/2017/02/18/fixing-and-explaining-pdfpen-8-3-1s-crash-on-launch/

    And Michael Tsai had some good comments on that article here:

    http://mjtsai.com/blog/2017/02/18/fixing-and-explaining-pdfpen-8-3-1s-crash-on-launch/

    I need to send my friends at Smile a flower bouquet or something to let them know we know how they feel.

    ++dave;

    Reply
    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      I think during our discussion yesterday I said something like, “well if the operating system is treating certificates and profiles that way, we shouldn’t be the only ones encountering this.” (There may have been more profanities in our internal discussion of the issue than I am presenting in the way I’ve quoted it here.) That is, I was initially skeptical of our original (and correct) analysis because it looked like we were the first to have this happen.

      Well, we and Smile (and Apple) need to get the word out to other Mac software creators once we have a full analysis of this.

    • Gary
      Gary says:

      I know that Apple is trying to do the right thing here but the whole provisioning and certificates stuff is a mess. They auto-renewed my developer subscription last year then immediately sent me a message saying that my certificate had been revoked. I haven’t actually sold any apps yet so no big deal, but it made me worry about the apps like yours that I have bought. So this doesn’t surprise me – well done with your fast response. Gary

  5. ron
    ron says:

    followed the instructions. (first time for everything) Looked like everything went as normal, but the app in the app folder still says 6.6.1.BETA-1

    Reply
    • Shiner
      Shiner says:

      Hi Ron,

      Ah, I see what is going on. As you are on the beta, installing the 6.5.5 stable version will not automatically overwrite your more recent 6.6.1 beta version.

      We have created an updated beta version (6.6.1.BETA-3) and you can download that version and overwrite your existing beta.

      You can download the updated beta version here.

      We will add a bit more to our instructions to make it more clear for folks on the beta.

    • Brent
      Brent says:

      Thanks. That was my problem too. I still show 6.6.1.BETA-1 even after the 6.5.5 manual update. Good thing I searched the comments for “Beta” to find this link to the beta update.

    • Dave Teare
      Dave Teare says:

      Awesome! Glad to hear you got everything sorted, Brent.

      We have updated the instructions to include a download link for beta users so hopefully others don’t trip over this same issue. Thanks for helping us make things easier for other beta users.

      Take care and thank you for being part of our beta family! ❤️

      ++dave;

  6. Thomas_U
    Thomas_U says:

    Hi Dave, thanks for explaining.

    I had already reinstalled 1P on my own. Got again puzzled by the 1P4 folder in Application Support, until I remembered… ;-)

    What still worries me: The error message is quite misleading. It should be something like

    “1 Password cannot be started. Please contact AgileBits support”.

    When everything worked after reinstall I thought I had repaired the 1P mini connection.

    Reply
    • Dave Teare
      Dave Teare says:

      Hi Thomas,

      I’m glad to hear everything is working for you now.

      Regarding the error message, I see your point. Perhaps we should simplify it and just talk about 1Password as that’s the most important bit. The reason we talk about mini is on a technical level, most of the heavy lifting is performed by 1Password mini, and as such the main app can’t run without it.

      Still, I like the idea of making this prompt better. We could have a special support email address that would allow us to better help those experiencing this issue.

      Take care and enjoy the rest of your weekend!

      ++dave;

  7. Hugo Gonzalez
    Hugo Gonzalez says:

    For the end users do you recommend any of the following to mitigate similar platform related issues in the future?

    If possible add 1 Password to another platform such as iOS, Android, or Windows.
    Print out a basic “emergency kit” type form and then fill it out. Keep the filled out form in a secure location. *** If you fill out the form electronically, make sure to delete the fill out file after printing as the filled out file is probably not secured. ***
    (One example form is located here: https://productivityist.com/1password-emergency-kit-3/ )
    1Password does have printing capabilities. You can print out your complete vault(s) or a selection of passwords. Instructions are available in the (hard to find) 1Password for Mac printable manual at https://support.1password.com/ebooks/mac/onepassword-mac-user-guide.pdf

    Reply
    • Dave Teare
      Dave Teare says:

      Hi Hugo,

      You make some great points. I agree completely, having your 1Password data available on all your devices is a great way to have a backup in case something like this ever happened again, or if anything ever happened to your computer.

      I’m not a big fan of the printing out your passwords, however. Sure it will work, but I’ve been watching a lot of documentaries on global warming and we’re gonna need every tree we can get, so best to print as little as possible.

      With that said, I would absolutely recommend you print out an emergency kit, either the one you linked to or the new one that we include with 1Password memberships which includes the very important Account Key.

      The other thing that I found great during this incident was the new web access available with our 1Password memberships. It allowed me to access all my data while on my laptop. I could have easily gotten what I needed from my phone or iPad, but they were all the way on the other side of the room, so I was quite happy to have the web access.

      Thanks again,

      ++dave;

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Those are all great ideas, Hugo.

      What works and is appropriate for one person may not be appropriate for others, but something of that nature is a good idea and people will need to consider what works for them.

      The data that you have in 1Password is data that you need. Losing access to it would be a bad thing. Data availability is part of data security. In addition to the options that you mention, is the possibility of exporting your data to 1PIF (an unencrypted export format) and storing that on a compact disk in a safety deposit box. I have one that I update occasionally (but not as often as I should).

      In this particular case, it wasn’t actually a loss of data, but a loss of the ability to launch the 1Password application (and 1Password mini) itself. One of the many reasons that we are open about our data format and design is so that you are never locked out of your data (as long as you know your Master Password) even if the 1Password app ceases to function.

      Take a look at You have secrets; we don’t: Why our data format is public for more on that point.

  8. Rick
    Rick says:

    Ah, @Shiner – thanks for that link. The 6.6.1BETA-3 link on the downloads page appears to download something from the 6.5.x series.

    Reply
  9. lukeyboyuk
    lukeyboyuk says:

    Well that was easy enough to sort out! It was moderately annoying having the problem but I came here and the thread was obvious enough. 30 seconds later I am back up and running!

    Thank you for making the instructions clear!

    Reply
    • Dave Teare
      Dave Teare says:

      Awesome! I’m glad you’re back up and running!

      Sorry to have wasted a few minutes of your weekend, but I’m very happy you found our instructions clear and easy to follow. ❤️

      Now get back to your weekend and have fun!

      ++dave;
