1Password for Mac 6.5.5: Manual update required

tl;dr

As a result of an expired provisioning profile and format change in the developer certificate, customers who downloaded 1Password for Mac directly from our site will need to manually update to the latest version. Those using 1Password from the Mac App Store are not affected.

For those who are interested, here are the events that conspired against us to make for an interesting Family Day weekend…

Fire at the office

I was out at the gym yesterday when I received a call from my wife. I thought she was calling about our belated Valentine’s dinner we had planned. Instead she rather alarmingly told me that “Sara called and said there is a fire at the office”.

Rushing home, I was expecting to hear that the hammocks and standing desks had gone up in flames. (Happily our servers are all virtual so I wasn’t too concerned). The “fire at the office” turned out to be a fire with 1Password for Mac. Customers were getting an error message when trying to start 1Password!

Unable to start 1Password

I urgently gathered our Mac team who were enjoying their holiday weekend to figure out what happened. We quickly recreated the issue and found this error in the logs: Binary is improperly signed. This seemed very strange to me as this version was released back in 2016.

We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version. Apparently that’s not the case. In reality it had the unexpected side effect of causing macOS to refuse to launch 1Password properly.

New certificate, new format

We renewed our certificate and released 1Password 6.5.4 thinking all would be well. And that’s when the other shoe dropped. When we created the new certificate it had a new format for the Common Name.

While this sounds like an inconsequential change, our built-in installer goes to great lengths to validate that every 1Password update is actually 1Password. Since our installer did not recognize the new certificate format it refused to update.

No problem can’t be solved without yet another build, so we created 1Password 6.5.5 ?

Long story short, 1Password 6.5.5 is now available and solves all these problems. The only catch is it requires you to install it manually.

Moving forward

As you might imagine, we have a whole new level of understanding of the importance of expiring provisioning profiles and certificates. Our new certificate expires in 2022 but I can guarantee you we will be renewing it far before then.

I do apologize for the inconvenience and extra work that this will cause you. I am sure you had better things to do on your long weekend too. If you have any problems with this update please let us know.

I also want to take a quick moment to say “Thank You”. The understanding that I’ve seen from the 1Password community is overwhelming. You never cease to amaze me. It has truly been a humbling experience.

Having spent all Saturday fighting this fire, I still owe Brenda the dinner we were supposed to have had. After missing Valentine’s Day dinners two weeks in a row, I kind of wish the actual office had been on fire ?

Further Reading

This was the first post in a three part series. The story continues here:

Part 2 : Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

Part 3 : PSA for macOS Developers: Renew Your Certificates & Provisioning Profiles

172 replies
« Older CommentsNewer Comments »
  1. Steven
    Steven says:

    Just wanted to add a thanks for the unbelievably quick response when I encountered this problem yesterday. I think it might have been within seconds from posting a support email that I received a reply back with what to do to correct the problem.

    Reply
    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Thank you so much for saying this, Steven. We not only had to solve the technical problem (so that 1Password would launch correctly), but we needed to make our technical solution actually work for people. I’m so glad to hear that it did work for you.

  2. ylluminate
    ylluminate says:

    Still hitting some walls here. After updating with the link above, the helper keeps having problems firing off. For example, to further troubleshot, I tried to launch from shell:
    /Applications/1Password\ 6.app/Contents/Helpers/1Password\ Updater.app/Contents/MacOS/1Password\ Updater

    This then yields the ‘Update failed’ dialogue:
    https://cl.ly/2J3Y1L3n2j33

    The attributes are clean…

    Reply
    • Shiner
      Shiner says:

      Hi ylluminate,

      I am sorry to hear you are still having trouble.

      At this point I think it would be best to start with a fresh install of 1Password. You can follow these steps to do so:
      – Open your Applications folder and move the “1Password 6” app to the Trash.
      – Download the latest version of 1Password
      – Double-click on the downloaded 1Password-6.5.5.pkg file to install 1Password

      When moving the app to the trash please don’t use an uninstaller app like AppCleaner, AppZapper, CleanApp, and other similar apps in this case. Uninstaller apps prompt you to delete supporting files when moving an app to the Trash, and this can result in accidentally deleting all of your 1Password data.

      Hopefully this gets you going, but if you are still having trouble then please write in to our support email (support@1password.com) so we can help you further.

  3. Jim babcock
    Jim babcock says:

    Well….all this discussion is great! Your company is one that gives users a warm feeling that you Really care about us!

    I guess I’m not clear…did the 6.5.3 certificate bug ONLY affect standalone uses? Or, were the subcritption users unaffected?

    Just curious. I do intend to move to subscription sometime….don’t know when or what extra value I will get. I have 3 devices…one is iMac, other two are iOS.?

    Reply
    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Thank you so much, Jim. Your kind words mean a lot.

      The issue with the expired provisioning profile affected the launching of 1Password for Mac mini. It wasn’t about connections to any external servers. It was just that macOS was refusing to allow 1Password mini to launch on some Macs. For the most part this made 1Password on Mac unusable for those people at that time.

      So if you were using a 1Password subscription account you would still have been able to use 1Password on the Mac by going to 1Password.com in a web browser. The problem was with launching the 1Password application (and helper) on the Mac, not with the reachability of any data hosted or local.

      I know that the error message looked like a some sort of network connection error, but it was because the 1Password browser extension running in your web browser was unable to connect to 1Password mini which should have also been running on your Mac.

      I think you will very much enjoy your switch to a subscription. Setting it up should be a great improvement over managing either Dropbox, iCloud, or wifi sync for your 1Password data; and you will find that you will be able to set up 1Password on any device you wish. If you set up a Family or Team you will find the flexible sharing features even better.

      Thanks again.

  4. Rudi Zengers
    Rudi Zengers says:

    Thanks guys for sharing a solution so fast. I upgraded to Sierra this weekend so was a bit confused where to start. Luckily the app on iPhone and iPad stayed operational, which really shows the importance of your multiplatform solution.
    Thanks again for helping.

    Reply
    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Thank you Rudi, I hope your move to macOS Sierra goes well and we are sorry to have contributed to the confusion. And you are absolutely correct that it is important to be able to get at your data when you need it (and from multiple places).

      Cheers

    • Dave Teare
      Dave Teare says:

      Hi Jordon, ?

      Thanks for reaching out but I’m not sure I understand your message. I’m going to take a guess about the intention of your message but please let me know if I’m off base and I’ll try another answer ?

      I assume your “oops” is in regard to us letting our provisioning profile expire. To be clear, this is nothing like an expired SSL certificate or other certificates that are managed by a server we have full control over. This is a working, validly signed app that was released in the past and then had it’s signing certificate expire. For released software that users install, this is a totally expected thing and we knew it would happen. It happens to every developer everywhere.

      Like all developers who publish apps, our app provisioning profile and developer certificate need to be valid when we publish a new version of 1Password, and this was the case when we published version 6.5.3 back before Christmas. It worked for months, and it should have continued to work for decades.

      Said another way: we did nothing wrong. While we were quite apologetic in this post (we are indeed very sorry this happened), this is quite clearly a bug in macOS itself. Or, at the very least, this is an unintended consequence of the macOS code signing design.

      Here’s a thought experiment to help drive this point home. We have 1Password users still running version 2 and version 3 today. The last updates to these were published back in 2010 and 2013, respectively. Now the technology has changed since then, but let’s assume that these were signed by our Apple ID and managed by Gate Keeper in macOS.

      The requirement is that we sign our app using a valid certificate along with a valid provisioning profile. This is a very good thing and I’m very happy macOS enforces this.

      But the verification needs to be done at the time of signing. If we assume otherwise, things get very hairy. This is because every Apple developer certificate expires every 5 years, and so it would mean that every developer would need to resign their app every 5 years (at least) in order to keep their older versions running.

      This is simply not something developers are able to do. We certainly don’t want old versions to expire, but at this point in time it’s impossible for us to go back and rebuild and republish an app from 7 years ago as the technology has changed so much. Getting the source code itself from 7 years ago is relatively easy, but getting all the dependencies sorted out would be a nightmare. For example, XCode itself drops support for older versions of macOS regularly. To be able to go back in time and build something for Mac OS X 10.4 Tiger would be a monumental undertaking.

      Imagine if all software everywhere stopped working after a maximum of 5 years. As much as I believe a huge part of security is ensuring you’re using the latest version of an app, I don’t think this is what macOS Gate Keeper is expected to protect us from.

      Anyway, I am sure we can do something to make sure this doesn’t happened again. Either it will be asking people to upgrade to a new version of macOS that behaves differently, or perhaps there is some magic we can do with our provisioning profile or developer certificate that will allow us and other developers to avoid this in the future.

      I hope Apple will be able to shed more light on this for everyone so developers everywhere can ensure their properly signed apps continue to run forever.

      ++dave;

    • Jordan
      Jordan says:

      I LOVE agilebits!!! They gave an 11 paragraph response to my 1 word comment and still took the opportunity to troll me and misspell my name. Love you guys, thanks for the response and I love that you purposefully misspelled my name! This is a sincere comment btw!! Keep up the good work!

    • Dave Teare
      Dave Teare says:

      Oh my goodness! I did indeed misspell your name, Jordan! ?

      I’m very sorry about that. I absolutely was not trolling you. I just didn’t have any coffee or tea before typing my response. ?

      Anyway, I’m glad to hear you enjoyed my response. ❤️

      Take care,

      ++dave;

      P.S. If you haven’t seen it yet, we have a follow up post that was inspired by my reply to you above. The “Prologue: Not All Certificates Are Created Equal” section was very much written with you in mind ?

      https://blog.agilebits.com/2017/02/21/certificates-provisioning-profiles-and-expiration-dates-the-perfect-storm/

  5. Aleksandar Katanovic
    Aleksandar Katanovic says:

    Jeffrey Goldberg,

    Thank you for your reply and understaning of the seriousness of losing the access to passwords. (Alien abduction is a fine example of such hypothetical situations.)

    You mentioned that you made an ununencrypted 1PIF exports. How do you open such file if (hypothetically) 1Password app does not work in all platforms? I understand that 1PIF can be only open by 1Password app. (Can I open 1PIF files with some other app?) That’s why I made txt and csv exports as well, in case 1Passoword does not work at all.

    Best reagrds,
    Aleksandar

    Reply
    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Oooh. Well spotted. I hadn’t considered the fact that one might need 1Password to read a 1PIF. My oversight helps illustrate the point that what works for some people may not work for others. I personally would have no problem reading a 1PIF file without 1Password, but that isn’t exactly true of everyone.

      But a 1PIF is actually just a folder with text file (and other files for the attachments). It has a lot of structure, but the data within it can still be read (if not very conveniently) with Notepad or TextEdit. So it is readable (after a fashion) even without 1Password.

  6. Rahul Kumar
    Rahul Kumar says:

    Hi Dave, I’ve been a 1pw user for longer than I can remember. Apple owes you money because the reason I bought a touchbar equipped MBP is because of 1pw. Thank you for fixing this issue, 1pw is the most used app on my Mac/phone/ipad. Also, I hope it didn’t bring you too much grief. I have recommended your product to everyone I know and they all love it.

    Reply
    • Shiner
      Shiner says:

      Hi Rahul,

      Thanks for being such a long time customer and advocate!

      I’m so glad that you are enjoying the Touch Bar support, I’ll keep my eye out for a cheque from Apple.? I’d love to hear more about how you use the Touch Bar, what your favourite feature is and what you’d like to see added. Personally I found that the ability to easily switch between vaults was my favourite feature. I say “was” because I had to give my shiny new Mac to my son who needed it for school. I do miss it though.

      As for this issue and our weekend, well it certainly did add some unexpected excitement and work, but it was also a great reminder of just how awesome our customers truly are.

  7. Judith
    Judith says:

    Thanks so much for being so approachable. I think that you should consider putting the directions on the 1Password site for those of us who did not know your name or think to go to a blog. take care, Judith

    Reply
    • Shiner
      Shiner says:

      Hi Judith,

      You are quite welcome and I hope you always find us so approachable, after-all we are just regular people back here. Well, I like to claim we are regular but if you take a look at our AGConf post you might have a different opinion. ?

      Thanks for your suggestion about the directions. We have placed a notice at the top of our main 1Password support page to help people discover this quicker.

  8. Pat McDonald
    Pat McDonald says:

    Thanks for being so open about this issue. While it was no biggie for myself, It’s always nice to know why things like this happen, and how they are dealt with!

    All the best,
    Pat

    Reply
    • Dave Teare
      Dave Teare says:

      Good morning, Pat! ☀️

      I’m right there with you – it’s fantastic to know why things like this happened! The fun part is we still don’t truly know why this happened to us and other developers. So our adventure has just begun ?

      From what I can tell this seems to be a bug in macOS, or at the very least, and unintended consequence of the macOS code signing design. I hope Apple will be able to shed more light on this for everyone so developers everywhere can ensure their properly signed apps continue to run forever.

      Even though the workaround was fairly simple, we certainly don’t want 1Password users to ever have to deal with this. Once we know more we’ll try to get a post up that will delve into the technical side of how developers can avoid working on their holiday weekends ?

      ++dave;

    • Pat McDonald
      Pat McDonald says:

      Thanks for the details, Dave :-) I guess that such “surprises” must be frustrating for you all there. Kinda like a spanner in the works that crashed through the window!

    • Dave Teare
      Dave Teare says:

      You’re very welcome, Pat!

      As for “surprises” like these, I learned long ago to breath and remember that the only people without any problems are 6 feet under. It keeps me looking on the positive side of life ?

      Take care,

      ++dave;

  9. Ron Arts
    Ron Arts says:

    My extensions complained about not being able to connect. 1Password itself ran just fine. I upgraded to 6.5.5, rebooted, and the extensions still complain. 1Password main program runs fine. Before upgrading I created a ticket (#BVD-92119-334).

    My problem may be a different one but showing the same symptoms.
    But I think you are inundated by tickets by now.

    Reply
    • Dave Teare
      Dave Teare says:

      Hi Ron,

      You’re right, this is being caused by a separate issue. In your email you mentioned you were creating a loop back service to connect to your Mac from within your Docker container, and as you suspected I believe this is the cause of your troubles as it seems to be blocking 1Password from opening any ports. You can see this in the 1Password helper log:

      Wed Feb 15 21:55:11 2017| 653000 [EXT:(Main Thread):] E start | [ES4] Failed to start JSE server, no ports available

      When you avoid setting up that loopback service does the issue go away? Probably the easiest way to verify that is to simply reboot your Mac to ensure your tweaks are fully flushed from the system.

      I don’t know enough about Docker to offer any workarounds, but I would be happy to learn if you find one. I suspect you need to find another way of enabling communication between Docker and the host system.a

      Take care,

      ++dave;

  10. Carlo
    Carlo says:

    First I want to say I thank the company for making a very useful tool that I have used for 8 years now and it’s been great.

    Sorry for this comment below as it’s a bit on the downside. It’s frustrating when you cannot get someone on the phone to discuss any issues because one has to wait and read through things where misunderstandings can happen. That’s one of my biggest complaints over the years with working with your company. That being said over the weekend I had no need to log into 1Password 6 on my Mac until Monday night or last night at around 11pm. I really need it for my work and rely on it all the time. Well I got the error that was on your blog and I had no idea it was going on at all. I have been communicating with a manner of your team just by chance during the last week or so so I sent him an email letting him know. In the mean time I am desperately needing to get into my files and could not. This was costing me money because I could not do my job. I decided to go to the Mac App Store and re download the app as this can be a fix although I couldn’t wrap my head around this because I had done no updates to 1Password on the Mac so I couldn’t understand why on earth it wasn’t working. When I went to re download the app from the store it said buy which I have seen in the past but it always would say would you like to re download for free afterward but this didn’t. It charged me $64 plus tax. Now it getting upset. I was able to get back into the app but I was left thinking this was highway robbery. I was left to feel like wow my stuff was held ransome unless I paid for the app again. Then i realize hours later that your rep had emailed me back with a fix and a blog on your site where there was a huge problem. Well that’s just great, as I paid for this now what for me. I shouldn’t have had to pay for this to get it fixed. Please help me with this issue. You can call me at (redacted) or email me through your rep who I have already reached out to but as I said before I have to wait for his reply which is a huge frustration. I don’t expect him to be available 24/7 and no complaint about him as he has been nice to talk with. It’s just that this process makes me wait and it’s never convenient as I always make a step and wait and wait for next reply.

    Reply
    • Dave Teare
      Dave Teare says:

      Hi Carlo,

      Thank you so much for sharing your praise and frustrations with us. I always say that open and honest communication is critical in any marriage, and it’s even more important for a password manager! ?

      First and foremost, you’re absolutely right, you shouldn’t have to pay to get this fixed. There was no need for you to purchase from the Mac App Store and you should contact Apple for a full refund. I would happily do that myself but this is not something developers are permitted to do so you will need to contact Apple and explain the situation.

      As for your issue, I hear you on the phone support, but after doing that for years we’ve found that the best way to help the most people is to have online documentation that people can read and follow at their own pace.

      I assume you’ve looked previously but we have updated instructions here that detail how to install the new version:

      https://support.1password.com/error-connect-to-mini/

      We have a movie there as well so you can see the process in action. If you have any issues, please follow the secondary instructions in the “If you’re still having trouble” section.

      Please give those a go and let me know how they turn out.

      ++dave;

    • Carol
      Carol says:

      To Dave Teare after he replied to me:

      Thanks for giving a reply to my comments. Could I please make a suggestion. Please make the families account option where it still allows a customer to save the data for a back up. That’s the only reason I do not choose this option as I am the type of person that wants to keep control of my backups.

      As for the fix, I was able to get mine back up and working. I am still waiting for Steven Joyner to reply to help me with what he and I were trying to work on before this whole mess. I am also still waiting for Apple to reimburse me my money.

      Thanks

    • Dave Teare
      Dave Teare says:

      Hi Carol!

      It’s awesome to hear that you are back up and running. That’s great! ?

      Regarding adding a local back up option, this is something we’ve been discussing a lot internally. It’s not as simple as it may seem at first thought as we need to determine how restoring these backups would work, but I hope we can find an acceptable solution for everyone in a future update.

      Take care,

      ++dave;

  11. Neal
    Neal says:

    Frankly, you folks had the perfect response, most notably the clear and concise reference on the support landing page. I knew exactly what to do and was back in business in within 10 minutes, including the time I was fiddling, before going to the support page. Well done!

    ~ Neal, Massachusetts, USA

    Reply
    • Dave Teare
      Dave Teare says:

      Thank you, Neal! I appreciate you sharing your experiences with us. I’m glad you were able to get things sorted out quickly.

      Take care,

      ++dave;

  12. Jim babcock
    Jim babcock says:

    I don’t know that this bump was b/c of a bug in macOS. Apple has been tightening the noose little by little since El Capitan was launched.. You all know Apple better than I, but Gatekeeper is slowly taking more authority recently. Since El Cap, one no longer had an option to switch out of Gatekeeper to load an app that Apple hasn’t approved. This is criminal on their part and is the beginning of the end to macOS as we have known it. That is MHO….

    That is why I stayed at Yosemite level.

    The writing is on the wall…Apple is moving to a single OS that is some hybrid of iOS and macOS. It will take time….but the OS that many of us has loved for over 30+ years is on the walking plank. …..So sad.

    Reply
    • Dave Teare
      Dave Teare says:

      Hi Jim,

      I can see where you’re coming from, but I can also see Apple’s perspective. Gatekeeper is a huge boon to security on macOS and so it makes sense to require the technologies that make it possible. Developer IDs are free and are not overly onerous to apply, so I don’t think it’s too much to ask for developers to sign their apps.

      With that said, it’s still possible to allow apps from untrusted sources. All you need to do is control-click on the app and select Open. If you have a ton of apps you can get your missing option back by executing a command in Terminal.

      As for macOS changing to be more like iOS, I think it’s wonderful that each OS is learning from one another. They’re both stronger as a result.

      Anyway, that’s an argument for another day I suppose ?

      Take care,

      ++dave;

  13. Todd
    Todd says:

    Thank you to all who explained the recent updates. I haven’t seen this type of customer care and reassurance in any other tech companies. As a non-techie who, for some reason, likes to read about cyber-security, I find these posts interesting. Good to know there are real humans involved in protecting my data.

    Reply
  14. Rob Reiter
    Rob Reiter says:

    I get a “Can’t find server” error when trying to reach the page for manually downloading 6.5.5 or any other page involving support.

    Reply
  15. Jennifer
    Jennifer says:

    URGENT ISSUE Agilebits!

    The link to manually download the update isn’t working. I tried it on 2 different computers. https://support.1password.com/cs/manually-update-1password-mac/

    Kinda frustrating when you find the discussion article which gives a link to fix the problem, but then the link doesn’t work. Just though you should know!

    The non-working link listed above is provided on 2 different pages:
    https://discussions.agilebits.com/discussion/75487/1password-failed-to-connect-to-1password-mini-fixed-in-version-6-5-5
    https://blog.agilebits.com/2017/02/19/1password-for-mac-6-5-5-manual-update-required/comment-page-2/#comments

    I was able to download it at another link thankfully.

    Reply
    • Dave Teare
      Dave Teare says:

      Hi Jennifer,

      Thank you so much for reporting this issue to us. You’re right, it absolutely was urgent!

      This was caused by a configuration change we made to our support pages and while it should have only lasted a minute, it took a while for the change to work for everyone. The link should be working fine now.

      Thanks again for having our backs and letting us know! ?

      ++dave;

    • Dave Teare
      Dave Teare says:

      Hi Jeff,

      I’m sorry for the troubles. There were some DNS changes made for our support site that needed time to propagate throughout the internet. It should have only taken a minute or so but ended up taking around 20 minutes.

      Everything should be good now so this link should work fine now:

      https://support.1password.com/error-connect-to-mini/

      Please give it a go and let us know how it turns out.

      ++dave;

  16. Linda Peterson
    Linda Peterson says:

    HALP… when I click on the link to the manual update, I get “Server not found” Same with clicking the “Support” and “Downloads” buttons on the Agilebits home page… I’m LOOOOOST!!! Help?

    Reply
    • Dave Teare
      Dave Teare says:

      Help is on its way, Linda! ?

      This was a temporary issue caused by a configuration change made to our website today. It should have only been offline for a minute but it ended up taking around 20 minutes to work its way around the internet.

      Everything should be fine now. Please let me know if you find any more links that aren’t working.

      Cheers! ?

      ++dave;

« Older CommentsNewer Comments »

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *