1Password for Mac 6.5.5: Manual update required


As a result of an expired provisioning profile and format change in the developer certificate, customers who downloaded 1Password for Mac directly from our site will need to manually update to the latest version. Those using 1Password from the Mac App Store are not affected.

For those who are interested, here are the events that conspired against us to make for an interesting Family Day weekend…

Fire at the office

I was out at the gym yesterday when I received a call from my wife. I thought she was calling about our belated Valentine’s dinner we had planned. Instead she rather alarmingly told me that “Sara called and said there is a fire at the office”.

Rushing home, I was expecting to hear that the hammocks and standing desks had gone up in flames. (Happily our servers are all virtual so I wasn’t too concerned). The “fire at the office” turned out to be a fire with 1Password for Mac. Customers were getting an error message when trying to start 1Password!

Unable to start 1Password

I urgently gathered our Mac team who were enjoying their holiday weekend to figure out what happened. We quickly recreated the issue and found this error in the logs: Binary is improperly signed. This seemed very strange to me as this version was released back in 2016.

We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version. Apparently that’s not the case. In reality it had the unexpected side effect of causing macOS to refuse to launch 1Password properly.

New certificate, new format

We renewed our certificate and released 1Password 6.5.4 thinking all would be well. And that’s when the other shoe dropped. When we created the new certificate it had a new format for the Common Name.

While this sounds like an inconsequential change, our built-in installer goes to great lengths to validate that every 1Password update is actually 1Password. Since our installer did not recognize the new certificate format it refused to update.

No problem can’t be solved without yet another build, so we created 1Password 6.5.5 ?

Long story short, 1Password 6.5.5 is now available and solves all these problems. The only catch is it requires you to install it manually.

Moving forward

As you might imagine, we have a whole new level of understanding of the importance of expiring provisioning profiles and certificates. Our new certificate expires in 2022 but I can guarantee you we will be renewing it far before then.

I do apologize for the inconvenience and extra work that this will cause you. I am sure you had better things to do on your long weekend too. If you have any problems with this update please let us know.

I also want to take a quick moment to say “Thank You”. The understanding that I’ve seen from the 1Password community is overwhelming. You never cease to amaze me. It has truly been a humbling experience.

Having spent all Saturday fighting this fire, I still owe Brenda the dinner we were supposed to have had. After missing Valentine’s Day dinners two weeks in a row, I kind of wish the actual office had been on fire ?

Further Reading

This was the first post in a three part series. The story continues here:

Part 2 : Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

Part 3 : PSA for macOS Developers: Renew Your Certificates & Provisioning Profiles

172 replies
« Older CommentsNewer Comments »
  1. Kristine
    Kristine says:

    I still have 6.5.3 downloaded from your site and no issues yet. Is it just a matter of time before it gives me an error message?

    • Dave Teare
      Dave Teare says:

      Hi Kristine, ?

      Great question!

      Yes, I do believe it’s simply a matter of time until you encounter this issue. If you quit 1Password and 1Password mini, I think you’ll see the problem next time you launch 1Password. I don’t know the specifics but I think macOS only checks these provisioning profiles when an application launches.

      Even if you manage to never restart 1Password for years, you won’t be able to upgrade to any new versions due to the changes we needed to make to the updater.

      So it’s best to upgrade as soon as you get a chance. ?


  2. Andrew
    Andrew says:

    Wow……the steps you take to ensure updates are compatible for your existing MAC customers is commendable! Good job on that front. Hopefully you will keep it up.

    Too bad you haven’t done the same to ensure WINDOWS updates are compatible for existing OPVault customers.

    To anyone thinking of starting to use 1Password for windows……know that 1Password has intentionally chosen to make the latest release (1 Password 6) NOT compatibility for existing OPVault customers. 1Password 6 Windows ONLY WORKS FOR SUBSCRIPTION USERS NOW! Anyone using the OPVault format they recommended for years isn’t able to use the new version. Dave has said that they are working on something for existing customers, but he has been saying that for months and months and months, and won’t even commit to having something compatible within 10 years. So your only option now if you want the new version is to pay 1Password more for a new subscription service (or wait like I have been doing for months and months, only to see them never release anything compatible).

    Mac users……you should actually be concerned…..1Password may do the same thing to you one day! Updates may work for you now…….and it certainly appears that they care a lot about ensuring 1Password Mac updates are compatible with existing users………but one day Dave may start development of a new MAC version that only works for subscription users (just like he has done with the Windows app). I never thought I would have seen 1Password intentionally break compatibility for existing customers on Windows……but they did that, and after 8+ months since the first public beta of 1Passowrd6 for windows, there still isn’t a release that works for existing OPVault customers. The MAC version could be next……

    This is a company that has placed more value on ensuring the new release works for subscription users, and is totally willing to release new versions that do NOT work for existing OPVault customers.

    So if you care about future updates NOT breaking compatibility………..please let Dave / 1Password know. Otherwise, 1Password MAC may see future versions stop working for existing OPVault customers (like Dave intentionally chose to do when releasing 1 Password 6 for Windows).

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Hi Andrew, you touched on a wide range of things and I do see how they are all connected, but I’m going to just focus on one that is most closely connected to Saturday’s mishap.

      When you purchase a license for 1Password on a platform, you are free to use it on that system for as long as you like. We have always operated that way with purchases of licenses and always will

      What happened Saturday with 1Password for Mac “expiring” took us by as much surprise as it did anyone else. Not only did we not deliberately build in such an expiry, we aren’t even sure exactly how it happened. It should go without saying that the emergency fix from 6.5.3 to 6.5.5 removed no features and it would be unthinkable for something like that to be anything other than a free upgrade.

      Perhaps you are worried that have stumbled (and “stumbled” is the right word) across a technology that would allow us to put a lifespan on some licensed download. Could a purchased copy of 1Password die with these words?

      I have seen things you people wouldn’t believe. GPUs on fire cracking hashes of orion.com. I’ve watched generators glitter while you purchased orchestra seats for Tannhäuser. All those passwords will be lost in time, like tears in the rain. Time to die.

      Well that simply isn’t how things work. We do (very slowly) migrate data formats (I really want to see Agile Keychain Format die and encourage people to move to a 1Password.com account.) But we never, ever, want to lock anyone out of their data. We are not going to hold your data hostage. (You might be surprised to know how much work we still go through to ensure that there is a way for people to read/import 1Password 3 for iOS data on modern systems.)

      You don’t have to take our word for all of this. There are many things that ensure that you can’t ever be locked out of your OPVault (or Agile Keychain) data. Export capabilities, your license for your purchased version (and some updates) are perpetual, and the openness of our data formats. The technology is such that the only way for you to become really locked out of your data is to forget your Master Password (or lose your Secret Account Key for accounts users). So you don’t have to take our word for it. So please, everyone make sure that you don’t forget your Master Passwords and those of you using 1Password Accounts, do print out a copy of your Emergency Kits and store those in a safe place.

    • Andrew
      Andrew says:

      Jeffrey……I think you misunderstood the point of my post. I was not worried that you would disable the old version, 1Password4.

      The latest version of 1Password for Windows, 1Password6, is no longer fully compatible with OPVault. It works for monthly subscription customers, but not OPVault users. This was a decision Dave intentionally made when looking at design goals for the new product, and he has discussed his reasoning at length in comments on other blog posts / forum posts. Ensuring 1Password6 worked for new monthly subscription customers was more important to AgileBits than ensuring it worked for existing OPVault customers.

      I wanted to warn others to be wary of your company, as you now have a track record of intentionally releasing new versions that are no longer fully compatible. This doesn’t mean the old version stops working….it means that you can’t use the new version. I was worried that MAC users would commit to 1Password thinking this could never happen to them. It could……as it has already happened in 1Password for Windows.

    • Dave Teare
      Dave Teare says:

      Hi Andrew,

      As always I appreciate your passion for 1Password. I really really do. But we’ve had this discussion so many times now I’ve lost count. I replied to you in the forums on multiple occasions, many times on our 1Password Teams for Windows announcement, and on several other posts not related to Windows at all. I defended you when you attacked our CEO (you used the term “VERY harsh” to describe your own words) and did my best to put myself in your shoes and defend your actions when another 1Password user told me to “cut you loose”. I even offered to call you (not once but twice) so we could talk things through and get to know each other better. I wish you took me up on the offer as I think we could have had a good time and cleared things up.

      I had thought we had some good constructive conversations earlier but seeing you once again making the case that we don’t care about Windows or that we would ever break 1Password to force people to switch to a 1Password membership shows you felt otherwise. I love talking with customers and never want to discourage that, yet in this instance I feel the more we talk the further we get from a common understanding.

      At this point I simply don’t feel our conversations are constructive any more so I think it’s time for you to find a new password manager. I will no longer be approving your comments on this blog as I feel we’re well past the point of making progress and this downward spiral doesn’t help anyone.

      Life is too short for this – it’s time for us both to move on. Best of luck to you. I really do wish you nothing but the best. ❤️ ✌️

      For everyone else who is reading this I’d like to share with you our Windows plans so you know where we are headed. Before jumping in I need to set the stage and explain where we’ve been. Then we can cover where we’re at and finish off with where we’re headed.

      1Password 4 is our current official version for standalone license holders. Version 4 is based on the same technologies the first version used when it was released in 2011. Designed since the beginning for standalone licenses, it does this quite well and has support for syncing with Dropbox and even allows you to sync completely offline using WLAN Sync. The implementation was done using Delphi, and while this is a very good and capable programming language, Microsoft has introduced several newer technologies that we wanted to take advantage of.

      1Password 6 is our leap into the future that uses these new technologies exclusively and we are in the middle of rewriting everything from version 4 into this brave new world. It’s both very exciting and terrifying. The excitement comes from being able to use all the latest and greatest technologies, and the terror comes from needing to rewrite over 5 years worth of code.

      We knew from the start that 1Password 6 was going to be a monumental undertaking and so we tried to keep the feature set as small as possible. At the time we had zero support for 1Password Teams on Windows (our families and personal memberships didn’t exist yet) and we had full support for standalone licenses in version 4. Since we had a working solution for standalone vaults and given the effort version 6 would require, we made the decision early on to focus exclusively on Teams. To this end, 1Password 6 is currently focused exclusively on our new hosted services and so there is indeed no support for standalone licenses or other sync methods.

      I know a lot of people are using Dropbox and WLAN Sync and want to use this new version, and I certainly don’t want to do anything to upset any of our longtime supporters. At the same time, we have a lot of plates in the air we need to juggle so we needed to choose what to work on. The choice we made for version 6 was a whole new app focused exclusively on 1Password memberships.

      One could question our decision to start from scratch and completely rebuild everything. There are certainly many “post mortem” blog posts from other companies that have taken the same route in the past. Indeed it represents a mammoth undertaking as it takes time to build quality software. In our case, it took over 5 years to make 1Password 4 what it was at the time we decided to start over. We knew this going in and we were indeed a little scared, but our excitement outweighed that. We were excited because we wanted to use the latest and greatest technologies so we could create the best 1Password experience possible on Windows.

      Fast forward a year or so and we announced our beta and after toiling away and working our way through the beta process, I was really excited to announce 1Password 6 for Windows a few months later (back in October of last year). It was a good release, but like any “dot oh” release, there are a lot of things to polish and work through to make it really shine. And with this “dot oh” version being a complete rewrite, it’s no surprise that we’re still working through this process.

      It would have made everyone lives a lot easier if this release had complete support for all the standalone features but it simply wasn’t possible. I think it’s easy to underestimate the amount of effort involved to roll out support for Dropbox. I know I fall into this trap often myself so I think it would be helpful to elaborate on what’s required.

      We can start with the ability to sync your data as it gives a pretty good glimpse of what’s involved to go from a 1Password membership solution to one that also supporting standalone vaults.

      Syncing would require us to add two additional synchronization systems: WLAN Sync and Dropbox. Both of these do things completely differently from one another, and both are completely different than how our 1Password accounts sync (accounts sync much faster and have push notifications for live data reload because we have complete control over both the clients and server so we’re able to optimize the protocol and minimize how much data needs to be exchanged). Syncing is one of the most difficult problems in software today and is very difficult to get right once, let alone three times.

      And once we add these additional sync solutions, there’s also a lot of tricky things we need to do for conflict resolution along with new windows for adding multiple vaults and guarding against all the other crazy scenarios people can find themselves in. For example, what should 1Password do if you remove your data from Dropbox and add a new data file there? Or what happens if the files on Dropbox simply disappear? Did the user mean to delete the files or was it an accident? Should we import a missing file and thereby delete the local copy? And what do we do when a user restores an old backup or imports their files multiple times? All of these scenarios need to be accounted for and tested rigorously to ensure your data remains safe.

      The complexity introduced by distributed data sources is huge. So much so that one of my favourite things about our hosted accounts is 1Password.com is the single source of truth. This allows us to greatly simplify things across the board, both for users, our developers, and support teams.

      Now of course that’s just for syncing. For a complete solution we would also need to wire in license validation, create a new trial expiry window and purchase experience, guard against fraud, update our model to support additional data formats, extend our website to support the new license, document things for new users, and the list goes on from there.

      All of these things may not seem like a very big deal on their own, but they add up quickly. As such I’ve asked our Windows team to make version 6 the best it can be with an exclusive focus on hosted accounts. Once this is completed, we can take a step back and decide where we go from there.

      As much as I would have loved to have had full support for everything, our time is finite so we needed to pick a few priorities and roll with them. There are a lot of additional things going on behind the scenes that we need to complete as well so at this point in time I simply can’t say when we would be able to begin work on this. I’m trying to be as open as possible by saying this is not something we’re working on at this moment, but I can’t pull back the curtain any further than that.

      The easiest way forward is to sign up for a 1Password membership. Doing so will not only get you the latest version of 1Password on Windows, but it will also get you a lot of additional benefits that weren’t available to Windows users in version 4. For example, it’s very easy to have multiple vaults on Windows now (before you had to manually add each additional vault) and you can switch between them without needing to unlock each one separately. You also get the benefits of our hosted service, including data loss protection, item history, web access, built-in sync across all your devices, access to 1Password on all platforms, and free upgrades to every new version.

      I hope everyone reading this will give our new 1Password membership a chance (we have a 30 day free trial and it’s easy to move over your existing data) but of course you’re free to continue using 1Password 4 for as long as you like.

      Anyway, our general plan is clear: we need 1Password to have a consistent feature set and UX across every platform and we’re working our way there. I hesitate to give out any specific ETAs as it’s always hard to make the future reality match today’s plans – but we’re getting closer everyday. I can see the light at the end of the tunnel and I look forward to sharing more with you in the future ?

      Take care,


  3. Karyn
    Karyn says:

    Thanks for the fast fix and the detailed explanation! I too encountered the bug earlier today and figured I’d get back to it later, so no problem.

    • Dave Teare
      Dave Teare says:

      Thank you, Karyn. ❤️

      Hearing from awesome customers like you make our surprise weekend heroics all worth while. ?


  4. Stuart
    Stuart says:

    This explains a great deal: in particular, why 1Password failed to unlock on my MBP this morning, when (a) I know damn well I haven’t changed anything, and (b) it was working just fine last week.

    Thanks for the detailed info – it’s very much appreciated. Seems like Apple is going out of its way to make the Mac increasingly less desirable as a platform. Damnit. Security versus usability… why do they always seem to be in direct opposition? (rhetorically asks the guy who used to program professionally for a living, and who now works as an IT consluttant…)

    • Dave Teare
      Dave Teare says:

      Good morning, Stuart! ?

      I’m sorry for the unexpected surprise you got this weekend. It wasn’t something on our radar, either. ?

      As for Apple and the Mac becoming “increasingly less desirable”, I don’t see it that way at all. Apple has learned a great deal from iOS and is doing their best to bring this new knowledge back to macOS. It’s not an easy thing to do as there are huge differences between the two, so we shouldn’t be surprised about a few bumps along the way.

      Now to be clear, it is a holiday weekend and we haven’t had a chance to talk with Apple yet. It could very well be that we missed something in the manual and are the ones at fault. I simply don’t know. I don’t think this is the case as others are experiencing the same issue, but I certainly don’t plan on blaming Apple here. We’re both on the same side trying to make the world a better place. ✌️


  5. Aleksandar Katanovic
    Aleksandar Katanovic says:

    I have downloaded the latest version (6.5.5) for Mac, and it works smoothly. What is the latest version for iOS from AppStore? I have noticed that they have different version numbers (5.5.3 in AppStore).

    • Dave Teare
      Dave Teare says:

      Good morning, Aleksandar! ☀️

      I’m glad 6.5.5 is working swimmingly for you. That’s great to hear. As for the App Store, it is indeed a different version number but it is basically the same. We simply took the original code that we used to ship 6.5.3, repackaged it, signed with our new developer certificate, and published as 6.5.5.

      We have a new 6.6 version coming out soon and once we publish that everyone will have the same version number again. That will be nice as I too like consistency. ?

      Take care,


    • Dave Teare
      Dave Teare says:

      Understood! ?

      The funny part is I originally read 5.5.3 as 6.5.3 in your message so it read fine to me. This is why I like computers to verify things for me I guess – they are much better readers than I am ?


  6. Neil
    Neil says:

    Thanks for the human story behind the bug. We had a couple of people in the office have this problem this morning, it was nice to be able to find not only a solution, but also a relatable explanation. I hope you and your wife finally get that Valentine’s dinner!

    • Dave Teare
      Dave Teare says:

      Awesome! Thanks for being so understanding. Like Jeff alluded to in his post, we really do have the best customers in the world. ❤️

      As for Brenda and her Valentine’s Day dinner, I am going to make sure this happens. I’m not sure how I’m going to accomplish that just yet, but I have some ideas. With any luck someone will come up with a better idea than mine as currently my thoughts are revolving around revoking Jeff’s access on each weekend until he does. ?

      Take care,


  7. Aleksandar Katanovic
    Aleksandar Katanovic says:

    Perhaps little bit unrealed to the problem at hand, but speaking hypothetically, if your server were down, and I could not open my 1Password app on my computer, would I not had access to my passwords due to the present problem (failure of connection)? What should I do to be prepared for such a hypothetical situation, i.e. to have access to my passwords? So far, I have exported my passwords to two files (txt and csv) and compressed them with encryption. Would this be the only available remedy?

    • Jeffrey Goldberg
      Jeffrey Goldberg says:

      Excellent question, Aleksandar.

      The bug affected only the launching 1Password for Mac application (and its companion app 1Password mini). The connection failure in this case was between the 1Password browser extension (running in your browser) and 1Password mini (which should have been running on your computer but failed to launch).

      So if you are using a 1Password.com account then even with the failure of the applications on one platform you could get to your data with any of the other apps on other platforms or through the web. But when you sign up on a new platform you may need your secret Account Key as well as your Master Password, so if you haven’t yet saved and printed out a copy of your Emergency Kit please do so now.

      Now in your hypothetical, you also envisioned a scenario in which 1password.com is unavailable for an extended period of time. Data availability is an extremely important part of data security and so it is correct to wonder about these things. Now we make lots of backups and take steps to ensure that 1password.com will always be available, but you need to ask what happens if everyone working for AgileBits is abducted by aliens and taken away to Omicron Persei 8 to be eaten on an Omicronian live TV show. So let’s consider that.

      Most of the 1Password apps make a local copy of your encrypted data, so if you can open any of the apps that you have previously used you will be able to get to your data. (This is not the case for using 1password.com in the web browser.)

      Now if all of the apps (where you have a local cache of your data) and 1password.com suddenly become unlaunchable along with 1password.com becoming unavailable, things get tricky. We try to be open about our data formats so that in principle a third party would be able to create an app that could read your local data. Such a third party app would still need your Master Password and secret Account Key to decrypt the data. But waiting for a third party tool, may not be exactly pleasent.

      So for that kind of scenario, you may wish to have unencrypted backups of your data. Please take a look at some of the suggestions that Hugo made in his comments and my response to that for some ideas about making and storing external backups. It’s hard to recommend a particular backup plan because different people have different sorts of needs, requirements, and resources. I occasionally make unencrypted 1PIF exports to a CD that I put in a safe deposite box.

      As I’ve tried to say in many places, we never want anyone to be locked out of their data. But an incident like 1Password failing to launch raise questions about what if the worst should ever happen. It is an important question, and I hope that I’ve given some useful answers.

  8. Diana
    Diana says:

    Awesome!! This just happened to me, and I came straight here. You guys are so on the ball. Thank you–and your team–for sacrificing your free time to keep us all from flipping out. :)

« Older CommentsNewer Comments »

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.