1Password 6.8 for Mac & iOS: The Picnic Edition

It’s been a strange summer here in Syracuse, NY; the beginning of the season was characterized by sub-optimal temperatures punctuated with frequent rainstorms. It’s only recently, a few weeks into July, that the weather has finally made the turn and the mercury is holding steady at a more comfortable level. As we were brainstorming themes for this wonderful release of 1Password 6.8 for both Mac and iOS my good friend Megs said, “Picnics!” and I knew instantly she’d nailed it.

So my friends, get your picnic blanket ready, because we have prepared a basket full of delicious new treats just for you in 1Password 6.8. We hope you’re having a delightful, secure, and scrumptious summer!

TL;DR (Internet speak for ‘Too Long; Didn’t Read’)

• One-time passwords now copy themselves to the clipboard automatically whenever you fill an item that has a one-time password.
• The ability to create vaults has arrived for 1Password.com accounts!
• Item creation and modification dates now appear in the item details on iOS.
• Korean has made a triumphant return!

HOW ABOUT SOME EXTRA SPRINKLES FOR THAT ICE CREAM CONE?


We can’t think of anything better to beat the heat than a nice cold ice-cream in the sunshine … with extra sprinkles, of course. We’d like to think of your one-time passwords as the sprinkles that complete your Login items. Now 1Password automatically copies those one-time passwords when you fill an item with the 1Password Extension, saving you a step and giving you more time to enjoy that ice cream. Yummy!

We had this feature in beta for quite some time (too long if you ask Rudy, the developer who added this feature 😉) and we’re really excited to have it see the light of day. Given the responses we’ve seen on Twitter so far you all love this one as much as we do. Thank you for all the positive feedback!

YOU CAN NEVER HAVE TOO MANY BASKETS OF GOODIES!


Everyone needs a safe place to store the pie so that no one gets into it before dessert. Now you can create new vaults in your 1Password.com account on the fly and off the cuff right within 1Password itself. No more storing the cherry pie with the cheese, or the cupcakes with the croissants. No matter what your organizational structure – creating new vaults on the go has never been so easy!

The ability to create vaults without having to visit 1Password.com has been one of the most requested features we’ve had and we’re really happy to finally make this feature available. Separating your items out into different vaults gives you a ton of flexibility not only over how you organize your items, but also how you share them. In the Fey household my wife and I share a vault of common logins (bank logins, credit cards, family social security numbers) but we also have a separate vault set up explicitly for estate planning. This vault contains all the information our executor needs in case the worst happens to the both of us. The peace of mind that comes with this setup is absolutely invaluable.

YOU’LL ALWAYS KNOW HOW FRESH YOUR ITEMS ARE.

A great sandwich is a staple at every picnic, but a truly great sandwich is only as good as the ingredients.
The same can be said for your security and an aging password is not a fresh part of your ecosystem.
With this latest update to 1Password for iOS, you’ll always know how fresh your items are: the dates your items were created and edited are right there at the bottom of the item details.

KOREAN LANGUAGE IS BACK! KOREAN BBQ, ANYONE?


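How about preparing some delicious grilled meat and enjoying it with your loved ones? After all, 1Password finally supports Korean! It would not have been possible without our wonderful Korean translators. Thank you so much!
We have prepared 1Password perfectly for our valued Korean-speaking customers. We are perfectionists, after all. We are really proud that the language has made such a beautiful return.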

FULL RELEASE NOTES

1Password for iOS
You can find the full release notes here.

1Password for Mac
Our Mac release notes can be seen here.

YOUR FAVORITES?

I’d love to hear your favorite feature in this release. Sound off in the comments!

Introducing native messaging for the 1Password extension

I’m really excited to announce a brand new way for 1Password to save and fill in browsers. It’s not a new feature, and chances are you won’t even notice it. It’s called native messaging, and it changes the way 1Password integrates with your browser. In fact, if you use 1Password with Google Chrome, you might already be using it.1

Native messaging makes the 1Password extension faster, more stable, and more compatible in more situations. It improves the performance and reliability of the 1Password extension, and it’s the end result of talking with thousands of 1Password users over the years.

Once upon a time…


When the 1Password extension made its debut for Chrome in 2012, the options for browser extensions to talk to apps were limited. We settled on an approach using WebSockets, which creates a network connection on your computer between 1Password and the browser. Although it’s technically a network connection, the data is only transmitted locally and never leaves your computer. This served us well in the vast majority of cases, but for a significant number of people, this connection was unreliable. Proxies, antivirus, and other security software could interfere with the connection and prevent saving and filling. These conflicts caused a lot of pain, especially for Windows users. Over time, it became clear that we needed a better approach.

Enter native messaging

Thankfully, Google led the way and introduced that better approach. Native messaging is a more direct way for browser extensions to communicate with apps. Unlike WebSockets, it doesn’t rely on creating a network connection between your computer and itself.

With native messaging, no longer is Chrome’s connection to 1Password subject to the vagaries of your network and computing environment. No matter how you’ve configured your computer, if you can run 1Password and Chrome, then native messaging will work for you. Last year, we began the transition to replace WebSockets with native messaging. In order for 1Password to use native messaging, we needed to update the extension and the apps. So in April, we released a version of the 1Password extension for Chrome with support for native messaging. Since then, all current versions of 1Password for Mac and Windows have been updated to use the new technology.
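To make the contrast with a localhost socket concrete, here is an added sketch (not 1Password's code) of the host side of Chrome native messaging: JSON messages over the process's stdin/stdout, each prefixed with a 32-bit length in native byte order, plus the manifest allow-list that names which extension may start the host. The host name, path, extension ID and the size cap are constructed for illustration.

```python
import io
import json
import struct

# Local policy cap for one message (an assumption of this sketch; Chrome itself
# limits a single host-to-browser message to 1 MB).
MAX_MESSAGE_BYTES = 1024 * 1024

# Constructed manifest for a hypothetical host. "allowed_origins" is the
# allow-list of extensions permitted to launch and talk to the host.
HOST_MANIFEST = {
    "name": "com.example.password_helper",
    "description": "Constructed example host",
    "path": "/usr/local/bin/password-helper",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
}


def origin_allowed(manifest, caller_origin):
    """Re-check, inside the host, the origin the browser passes as argv[1]."""
    return caller_origin in manifest.get("allowed_origins", [])


def encode_message(payload):
    """Serialize one message: 4-byte native-order length, then UTF-8 JSON."""
    body = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_MESSAGE_BYTES:
        raise ValueError("message too large")
    return struct.pack("=I", len(body)) + body


def read_message(stream):
    """Read one framed message; return None on a clean end of stream."""
    header = stream.read(4)
    if not header:
        return None  # the browser closed the pipe
    if len(header) != 4:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("=I", header)
    if length > MAX_MESSAGE_BYTES:
        # Refuse before allocating: the length field is untrusted input.
        raise ValueError("declared length exceeds local cap")
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    return json.loads(body.decode("utf-8"))


if __name__ == "__main__":
    # Constructed exchange over an in-memory pipe instead of real stdin/stdout.
    pipe = io.BytesIO(encode_message({"action": "fill", "itemId": "constructed-1"}))
    print(read_message(pipe))
```

Because the channel is a pipe owned by the browser process, there is no listening port for proxies or local security software to intercept, which is the reliability gain described above.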

What will change?

If you notice any changes, they should only be positive. Communication is nearly instant, and you’ll be able to use the extension as soon as you open your browser. Native messaging removes entire classes of problems that have affected 1Password users for a long time. Conflicts with network proxies and firewalls in corporate computing environments, ad blocking software, and even productivity tools that lock you out of distracting sites should be a thing of the past. Security software that gets spooked by local network connections should relax down from red alert. And many less common scenarios will work much better with native messaging as well.

How do I get it?!


The first thing to do is check for updates in 1Password to make sure you’re using the latest version available. The latest releases of 1Password all include native messaging. We even updated 1Password 4 for Windows to make sure everyone can take advantage of this advancement on both Mac and Windows. 1Password has built-in support for Google Chrome and many other browsers based on Chrome, like Opera. If you’re using a supported browser, 1Password will switch to native messaging immediately.

Some Chrome-based browsers are supported but require additional configuration to work with native messaging. See our support article for more details.

Conclusion

Native messaging is the future for the 1Password extension. For now it’s supported in Chrome, but support will be coming soon to other browsers like Firefox and Edge. We’ll let you know when native messaging arrives on new browsers — and stay tuned for more posts about the 1Password extension. There’s a lot of exciting stuff going on that I can’t wait to share with you. For now, I’d love to hear your thoughts about native messaging in the comments, and you can always connect with me and the rest of the extension team in the forum.


  1. I will use Chrome as a shorthand for Chrome and browsers based on
    Chromium such as Opera and Vivaldi throughout this post unless there are
    specific differences to note. 

PSA for macOS Developers: Renew Your Certificates & Provisioning Profiles

Welcome to Part 3 in a three-part series of posts that go in-depth on recent events that caused macOS to prevent 1Password for Mac from launching on our customers’ machines. In this thrilling conclusion we’ll go into what we’ve learned and what the rest of the developer community needs to do to prevent this same sort of pain in their own apps.

In case you need to catch up on your reading:

Part 1 : 1Password for Mac 6.5.5: Manual update required

Part 2 : Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

We never take for granted that 1Password is an integral part of our customers’ workflows. It’s an app that has engendered a great deal of trust and any time we stumble and hurt our customers, we spend as much time as needed to fully understand what happened and make sure we cover our bases for the future. The events of this past week are no exception.

We’ve learned a fair amount over the last week, so let’s dive in.

Who This Affects

We went over this a bit in part 2, but we’ve been able to confirm that the issue we ran into is one that affects any Developer ID signed application also containing a Provisioning Profile. If your app has declared any codesign entitlements there’s a good chance you’ve got a provisioning profile. Often developers think of codesign entitlements only in the context of sandboxing an application, but they’re used for other things as well. In our case it is used to declare a keychain access group.

The presence of the provisioning profile will depend on your use of app services, which you can see in the Capabilities pane in the project editor when viewing the target in Xcode. If any of these options are set, there’s a relatively good chance that your app is shipping with a provisioning profile.

As a user, you can see if an app contains a provisioning profile by right-clicking on the app in Finder and choosing “Show Package Contents”, then navigating to Contents to see if there’s an “embedded.provisionprofile” file. Seeing its expiration date requires that you open Terminal and use the security cms -D -i command followed by the path to the embedded.provisionprofile file. It will output the XML plist, which will contain something that looks like this:

<key>ExpirationDate</key>

<date>2022-02-17T23:59:55Z</date>

Generally, this provisioning profile is set to expire at the same time as your Developer ID certificate. One of the hallmarks of 1Password is that it tends to adopt the latest and greatest technologies that Apple has to offer right on day one. For this reason our provisioning profile was generated relatively early on and therefore we are one of the first ones to experience this pain.

We urge all developers that distribute an app outside of the Mac App Store to check whether their app ships with a provisioning profile, and to verify its expiration date.
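The check above can be automated in a release pipeline. The following is an added example, not code from the 1Password project: it takes the plist that `security cms -D -i` prints, reads ExpirationDate, and classifies the profile as ok, due for renewal, or expired. The 90-day warning window, the function names and the sample profile contents (apart from the date shown above) are assumptions made for illustration.

```python
import plistlib
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape `security cms -D -i` prints. Only the
# ExpirationDate value comes from the article; the rest is placeholder data.
SAMPLE_DECODED_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Name</key>
    <string>Constructed Sample Profile</string>
    <key>TeamIdentifier</key>
    <array>
        <string>TEAMID0000</string>
    </array>
    <key>ExpirationDate</key>
    <date>2022-02-17T23:59:55Z</date>
</dict>
</plist>
"""


def extract_profile_plist(blob):
    """Parse the profile plist, tolerating stray bytes before and after it."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no plist found in input")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def profile_status(blob, now, warn_days=90):
    """Classify a decoded profile relative to `now` (a timezone-aware datetime)."""
    plist = extract_profile_plist(blob)
    expires = plist["ExpirationDate"]
    if expires.tzinfo is None:
        # plistlib returns naive datetimes; plist dates are UTC.
        expires = expires.replace(tzinfo=timezone.utc)
    remaining = expires - now
    if remaining <= timedelta(0):
        state = "expired"      # a shipped build with this profile stops launching
    elif remaining <= timedelta(days=warn_days):
        state = "renew-now"    # ship a build with a fresh profile while users can still update
    else:
        state = "ok"
    return {
        "name": plist.get("Name"),
        "expires": expires,
        "days_left": remaining.days,
        "state": state,
    }


if __name__ == "__main__":
    print(profile_status(SAMPLE_DECODED_PROFILE, datetime.now(timezone.utc)))
```

Failing the build on "renew-now" rather than on "expired" matters here, because the fix only reaches users who install a new build before the date passes.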

 

Short Term Fix

When we generated our new provisioning profile last week we also created a new Developer ID certificate. Both this new certificate and the associated provisioning profile expire in 2022. In the short term this buys us a bit of time.

By the time you read this 1Password 6.6.1 will have been published on our website (with a major new version in the Mac App Store as well). This new version will help some users who have been having issues with the manual update process and also comes with a load of other goodies.

 

Longer Term Fix

Apple has posted a thread on their Developer Forum indicating they’ve made changes to the developer center to help with this problem. Newly generated Developer ID Provisioning Profiles are now valid for 18 years instead of 5. That takes us up to 2035, just in time for us to start worrying about y2k38 bugs. If our customers are still using 1Password 6.6.1 in 2035 then they’ve certainly missed a few update notifications.

Apple recommends developers generate new provisioning profiles to obtain one that has the longer expiration date. We’ll be doing this on our side shortly.

In practical terms, this solves the issue for our customers.

 

Proper Long Term Fix

Ideally there would be no expiration that affects users. A few years ago I resurrected a system from 1988 and set up an operating system from 1994 on it. Expiration dates on software would have made this impossible. It pains me to think of someone being unable to run 1Password in the future out of curiosity because of arbitrary limits such as this.

The issue we’ve filed with Apple (rdar://30631939) regarding the inability to run apps with expired provisioning profiles remains open. We will continue to advocate for this to be changed and recommend that all developers of affected software do the same (please dupe the rdar). We’ll keep you updated if this changes.

 


Introducing 1Password 6.6 for Mac

I’m happy to announce we just finished assembling a new version of 1Password! It’s working its way through the update engines around the world now and hopefully it’s ready for you by the time you finish reading this.

The biggest change in this release is a whole new setup experience. We’ll dive into that in a moment, but first I’d like to share a cool new feature for those of you lucky enough to have one of those sexy new MacBook Pros.

We’ve been experimenting with the new Touch Bar since the beginning and added Touch Bar support along with Touch ID back in November as soon as the new Macs were available.

Today we’re taking the next step and giving you the ability to customize your Strong Password Generator settings directly from your Touch Bar!

I always enjoy the feel of tapping actions on the Touch Bar but sliding your finger across it is even better! Trust me, you’ll have a hard time customizing your password length just once.

There are several other changes in this release as well, but let’s dive right into the big one now.

New Setup Flow

The biggest change is one that most of you probably won’t see until the next time you’re setting up a new Mac. Those new MacBook Pros with Touch ID really are pretty sweet so hopefully this isn’t too far in your future!

Starting today we have a lovely new flow for the setup screens1. Like their little cousin on iOS did earlier, 1Password for Mac makes getting started much simpler.

Now when you launch 1Password on a new Mac you’ll be greeted with a lovely page asking you if you’ve used 1Password before:


Those of you who have already been rocking with 1Password can use your existing data, and everyone else who’s just getting started can begin their free trial.

Free Trials From Mac App Store

We’ve always wanted everyone to be able to try 1Password before needing to purchase. Our website version has supported free trials since the very beginning, but it wasn’t possible in the Mac App Store when we first published 1Password there way back in 2011.

Thankfully Apple gave us a wonderful present at their Worldwide Developers Conference last year that made this possible for Mac App Store users as well.

1Password now comes with a 30 day free trial in the Mac App Store. Those downloading 1Password for the first time will start their trial and be prompted to subscribe once their trial expires:


Your single subscription allows you to use 1Password on all your devices and always have access to the latest versions.

Those who previously purchased 1Password in the Mac App Store will continue to be able to use 1Password as before and are not required to subscribe to our 1Password membership. Although there are a lot of great reasons why you should…

Benefits of a 1Password Membership

I’ve been a license holder since the beginning. In fact, I’m pretty sure I got the first license we ever made!

If you’re a longtime license holder of 1Password like I was, I’m sure you’re wondering what all the hullabaloo is over our new service. I’m glad you asked and I’m happy to unlock that mystery for you!

There are a lot of benefits to a 1Password Membership over a standalone license, but for me it boils down to convenience, security, and peace of mind.

Let’s start with convenience. With a membership, all I do is log in on a new device and all my data is there. I can even organize my items in multiple vaults and they all appear instantly.

And the best part is my membership gives me access to the latest version of 1Password on all my devices so I don’t need to worry about managing any licenses. I’m really happy that I don’t need to say “1Password is sold on a per-person, per-platform basis, with paid upgrades for major new versions” anymore.

On the security side of things, I absolutely love our new encryption design that leverages Galois/Counter Mode for efficient authenticated encryption and our ingenious Two Secret Key Derivation starring our unique Account Key.

I know I know, I’m a huge geek and love the details, but these and many other things all add up to better performance and a secure-er than ever way to protect your data. You can check out our security page for a nice high level review, along with a detailed White Paper for my fellow geeks reading this.

As for peace of mind, this one is priceless. I simply sleep better at night.


With my 1Password membership, I know that all my data is backed up automatically for me, and every change is remembered so I can go back in time and restore my precious items whenever I need to. And with our Family account I can securely share passwords with Sara so she has access to everything she needs.

In short, I’m absolutely loving my 1Password membership. It’s the best way to use 1Password.


Becoming a 1Password Member

If these benefits excite you and you want to join me, becoming a 1Password member is super easy.

You can jump on board and migrate all of your data over in just a few short steps. We have a quick guide on how to setup a new account and move over your data, along with a nice video showing how easy it is to do.

I know you’re busy so I’m happy to say you can finish the entire process in just a few minutes. Start by creating your new account here:

Start Your Free Trial Today

Often it feels like I’ve been using all these great new features for a lifetime, but looking back we introduced 1Password Teams only 15 months ago, 1Password Families almost exactly one year ago, and 1Password Memberships just 6 months ago.

It’s amazing how quickly I came to rely on these benefits and how I was able to fall in love with 1Password all over again. I think you will, too.

Enjoy! ❤️


  1. Those with eagle eyes might be saying “again?” since 1Password 6.5 had a new setup experience for those who downloaded from our website. But we’ve iterated on the design and now everyone gets to join in on the fun, including those who install using the Mac App Store. 

Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

As you may have read, this weekend was a little hectic for us and some of our app developer friends1. On Saturday we got word that users of 1Password for Mac were seeing the app fail to launch correctly. It took a few hours, but we diagnosed the problem and released an update that corrected the issue. This issue will only have affected users that downloaded 1Password for Mac directly from our website, so if you downloaded it from the Mac App Store you had a much more calm weekend than we did.

But alas, that story has already been told. Now it’s time for the nitty gritty technical details about all the forces that aligned against us that had us staring up a giant wall of crashing water like George Clooney and Mark Wahlberg.

Prologue: Not All Certificates Are Created Equal

There’s a lot of information to unpack in this post, but before I get started, I’d like to address an assumption I’m seeing far too many people making: that what happened to us was simply an issue of an expired certificate and that all we needed to do was create a new one, just like you do for SSL certificates.

That’s simply not true.

Developer certificates are much different than SSL certificates and serve a very different purpose. Unlike a simple SSL certificate, our developer certificate is used to sign 1Password and needs to be valid during build time. The expiry time of a certificate or provisioning profile should have no impact on whether macOS will allow an app to launch.
An analogy may be helpful here: if you think of the developer certificate as a carton of eggs, and 1Password as a cake, then it is important not to use expired eggs to make the cake. The fact that the eggs may expire a few days after making the cake should have no effect on the cake itself. After all, the cake is already made and delivered.

Jumping out of the galley and back into our developer world, an expired certificate typically doesn’t affect us until the next time we need to do a release, which would have been this week with our next betas. Certificates control our ability to sign new apps. They don’t affect existing released apps.

For example, we have some users still using 1Password 3 for Mac (hey there, if that’s you, you should really consider upgrading to a 1Password membership as soon as possible!). The first release of 1Password 3 was in 2009, around 8 years ago. Assuming a user is happy with 1Password 3, how long should they expect to be able to continue using the software they paid for? The only acceptable answer to that question is: as long as they feel like it.

Obviously there are plenty of reasons why a user would want to upgrade to newer versions, but the fact of the matter is that a user shouldn’t be reliant on us to keep providing updated builds of an unmaintained app just to keep it running. Unlike an SSL certificate, this isn’t something we can simply fix from our end. Fixing the issue we ran into this weekend is a matter of creating a new build of the app and having users update to the new version.

Taking a Tour of the Engine Room


To properly understand what happened, let’s take a step back and look at the different parts of this.

In Mac OS X 10.7 Apple introduced Gatekeeper. Gatekeeper is really quite awesome as it gives users control over what software is allowed to run on their system. The default is to allow software from verified and trusted developers: those apps that have been uploaded to the Mac App Store, or those signed with Developer ID certificates made available to the developer by Apple.

Gatekeeper ensures that apps that have been tampered with will refuse to run, and also provides Apple with a way to revoke certain certificates if a developer has been found to be doing harm (i.e. distributing Developer ID signed malware). These simple steps stop a wide variety of attack vectors and we think the world of Apple for having implemented this.

The next layer is the Provisioning Profile. Provisioning Profiles provide information about what the app can do, as well as who can run it. There are certain services on the Mac that require that the app include a Provisioning Profile. In our case, we needed to start using a Provisioning Profile when we added support for unlocking 1Password using Touch ID.

To be clear, Touch ID itself doesn’t necessitate the profile, but in order to unlock your vault we need to store a secret and we choose to store it in the OS X keychain. The specific configuration we’re using for that requires declaring that we want access to a specific keychain access group, which needs to be declared in a provisioning profile. The provisioning profile is included in the app bundle and cannot be updated independently of the app.

Next up… XPC. We use XPC to communicate between the 1Password main app and 1Password mini – the little 1Password that runs in your menu bar – and it’s really quite awesome. 1Password mini acts as the brains of the whole operation, and the larger app is mostly just responsible for displaying information. The reason we love XPC so much is because it’s an inter process communication tool that actually provides us the building blocks we need to perform mutual authentication. What this means is that 1Password mini will refuse to communicate with the main app unless it can prove that it’s signed by us. The inverse is true as well.

Storm Clouds Gather

At around 3pm EST on February 18th we started getting reports of failures in 1Password for Mac. Folks were seeing an error appear that 1Password was unable to connect to 1Password mini.

Unable to start 1Password

This initial failure occurred due to the fact that the provisioning profile embedded in 1Password mini had an expiration date. Expiration dates seem to be required, and due to the fact that the expiration date elapsed, Gatekeeper decided that 1Password mini was no longer safe to run. We’ve filed a bug with Apple as we feel that this shouldn’t be the case (rdar://30631939 for those of you reading along inside the Mothership).

Only 1Password mini contains the Provisioning Profile as all Touch ID operations happen within that process. This meant that Gatekeeper was deciding that our main 1Password app could launch. Upon launching, 1Password performs its start up sequence which includes asking the system to launch 1Password mini if it’s not already running. When doing so, the system would log the following to the console:

com.apple.xpc.launchd[1] (2BUA8C4S2C.com.agilebits.onepassword4-helper[11038]): Binary is improperly signed.
com.apple.xpc.launchd[1] (2BUA8C4S2C.com.agilebits.onepassword4-helper[11038]): removing service since it exited with consistent failure reason When validating /Applications/1Password 6.app/Contents/Library/LoginItems/2BUA8C4S2C.com.agilebits.onepassword4-helper.app/Contents/MacOS/2BUA8C4S2C.com.agilebits.onepassword4-helper:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
com.apple.xpc.launchd[1] (com.apple.ReportCrash[11041]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.ReportCrash

The 1Password main app detected the failure and provided an error panel telling the user that it couldn’t connect to mini.

Due to the expired Provisioning Profile, 1Password mini wouldn’t launch. And without mini running, 1Password itself was unable to startup successfully. Both mini and 1Password itself were signed with the same Developer ID certificate. Gatekeeper allowed 1Password to run, but due to the different rules for apps with provisioning profiles, it would not allow mini to run.

As far as we can tell, the only way to correct this problem is to provide a new build of the app with an updated provisioning profile with a new expiration date. Within a few hours we were able to publish a new version which did exactly this. As of 6.5.4, we had an app that users could download and run again.

The Eye Of The Storm

After this initial bout of terror, death defying feats, and mad scrambles we figured the technical portion of this exercise was finished and had begun transitioning into customer support mode; helping allay the fear, uncertainty, and doubt that this event had caused.

Little did we know at the time, we were only in the eye of the storm – the calm center before things would get rough again.

1Password for Mac includes an updater within the app so that users can easily upgrade to the latest versions as they become available. This updater validates downloads before performing the update to ensure that the updated app is in fact from AgileBits. One of the steps taken during validation is looking at the code signature of the downloaded app and ensuring that it satisfies the following security requirement:

anchor apple generic and identifier com.agilebits.onepassword4 and certificate leaf[subject.CN] = "Developer ID Application: Agilebits Inc."

This check has worked really well for us. It’s simple and does the trick.

This check is also extremely specific about the common name2 it looks for. When we generated our updated provisioning profile we also needed to generate a new Developer ID certificate. We didn’t realize it at the time, but the common name of newly created certificates now includes the team identifier in addition to the company name; “Developer ID Application: AgileBits Inc. (2BUA8C4S2C)” vs. “Developer ID Application: AgileBits Inc.”. Close. Super close. But we weren’t looking for a “close” match.

The result of this new common name was that even though our app would now launch, the automatic updater would never run successfully because as far as it was concerned the update being provided wasn’t valid and therefore needed to be rejected. This is what users who could still run 6.5.3 and tried to update to 6.5.4 saw.

Once we discovered this problem we had no choice but to pull the 6.5.4 update and issue a 6.5.5 update that included a modified security requirement check. Sadly this didn’t address the fact that users running 6.5.3 and earlier are not able to automatically update to 6.5.5.
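The exact-match failure can be reproduced with a small model, added here as an illustration and not the updater's code or Apple's Security framework. It evaluates only the three clause types that appear in the requirement above and fails closed on anything else. Pinning on the team identifier in subject.OU is shown as one option that tolerates a common-name format change; that both certificates carry 2BUA8C4S2C in OU is an assumption, and the page does not say what the 6.5.5 check became.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SigningInfo:
    """The facts about a downloaded update that the requirement inspects."""
    identifier: str
    apple_anchored: bool
    leaf_subject: dict


# Supported clause types: (pattern, predicate over the match and signing info).
CLAUSES = [
    (re.compile(r'^anchor apple generic$'),
     lambda m, s: s.apple_anchored),
    (re.compile(r'^identifier "?([\w.\-]+)"?$'),
     lambda m, s: s.identifier == m.group(1)),
    (re.compile(r'^certificate leaf\[subject\.(\w+)\] = "([^"]*)"$'),
     lambda m, s: s.leaf_subject.get(m.group(1)) == m.group(2)),  # exact match only
]


def satisfies(requirement, info):
    """Return True only if every 'and'-joined clause holds for `info`."""
    for clause in (c.strip() for c in requirement.split(" and ")):
        for pattern, predicate in CLAUSES:
            match = pattern.match(clause)
            if match:
                if not predicate(match, info):
                    return False
                break
        else:
            # Unknown syntax must never be treated as satisfied.
            raise ValueError(f"unsupported clause: {clause!r}")
    return True


BASE = "anchor apple generic and identifier com.agilebits.onepassword4 and "
# Common names as quoted in the paragraph above.
PINNED_CN = BASE + 'certificate leaf[subject.CN] = "Developer ID Application: AgileBits Inc."'
# Alternative pin on the team identifier (assumed to be carried in subject.OU).
PINNED_TEAM = BASE + 'certificate leaf[subject.OU] = "2BUA8C4S2C"'

SIGNED_WITH_OLD_CERT = SigningInfo(
    "com.agilebits.onepassword4", True,
    {"CN": "Developer ID Application: AgileBits Inc.", "OU": "2BUA8C4S2C"})
SIGNED_WITH_NEW_CERT = SigningInfo(
    "com.agilebits.onepassword4", True,
    {"CN": "Developer ID Application: AgileBits Inc. (2BUA8C4S2C)", "OU": "2BUA8C4S2C"})
# Constructed signer from a different team, to show the pin still rejects others.
SIGNED_BY_OTHER_TEAM = SigningInfo(
    "com.agilebits.onepassword4", True,
    {"CN": "Developer ID Application: Example Corp (TEAMID0000)", "OU": "TEAMID0000"})


if __name__ == "__main__":
    for name, info in [("old cert", SIGNED_WITH_OLD_CERT),
                       ("new cert", SIGNED_WITH_NEW_CERT),
                       ("other team", SIGNED_BY_OTHER_TEAM)]:
        print(name, "CN pin:", satisfies(PINNED_CN, info),
              "team pin:", satisfies(PINNED_TEAM, info))
```

The general lesson for update validation is to pin on the most stable identity attribute available and to test the validator against a build signed with a freshly issued certificate before the old one expires.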

Moving Forward and Heading Home

This was painful for everyone. We lost sleep over the weekend, but worse than that… our users temporarily lost access to some of their most important information. This is unacceptable to us and we want to make sure this doesn’t happen again.

We’ve reached out to Apple for help and guidance on what we can do to avoid this happening again in the future. Our new provisioning profile doesn’t expire until 2022, but we’ll make sure that this is resolved far before then so that you need not worry about that happening.

If you’re a developer of a Developer ID signed app, we recommend that you check to see if your app includes a provisioning profile. Since that’s mostly handled automatically by Xcode, it’s likely that there are apps out there whose developers aren’t even aware of the inclusion of the provisioning profile. Check the expiration date, and ensure that you release an updated build with an updated provisioning profile well before the expiration date is hit so your users have time to update.

We’ve also filed an enhancement request with Apple asking that developers be notified via email of impending distribution certificate or provisioning profile expirations with explanations of repercussions. This was filed as rdar://30631968.

If you have questions about any of this, please don’t hesitate to ask us in the comments below.

Love,
The 1Password Mac Team
❤️

P.S. Happy 5th Birthday to Gatekeeper! We were one of the first apps to sign with Developer ID certificates, use XPC, and leverage the entitlements required for Touch ID. It’s always exciting being on the cutting edge of technology but we wouldn’t have it any other way.

Further Reading

This was the second post in a three part series. See the exciting prequel and sequel here:

Part 1 : 1Password for Mac 6.5.5: Manual update required

Part 3 : PSA for macOS Developers: Renew Your Certificates & Provisioning Profiles


  1. The exact same perfect storm appears to have caused our friends at Smile to hit the same rough seas that we had. You can see Adam Engst’s story in TidBITS for details on how this affected PDFPen. 
  2. The Common Name is the subject.CN part of the security requirement. As our Chief Defender of the Dark Arts often says of Common Names: they are often very uncommon. The name is inherited from older identity management systems. I don’t need to say much more as Jeff loves explaining things, so let’s all sit back and watch what he says in his comment that I’m sure he’ll be adding soon. 

1Password for Mac 6.5.5: Manual update required

tl;dr

As a result of an expired provisioning profile and format change in the developer certificate, customers who downloaded 1Password for Mac directly from our site will need to manually update to the latest version. Those using 1Password from the Mac App Store are not affected.

For those who are interested, here are the events that conspired against us to make for an interesting Family Day weekend…

Fire at the office

I was out at the gym yesterday when I received a call from my wife. I thought she was calling about our belated Valentine’s dinner we had planned. Instead she rather alarmingly told me that “Sara called and said there is a fire at the office”.

Rushing home, I was expecting to hear that the hammocks and standing desks had gone up in flames. (Happily our servers are all virtual so I wasn’t too concerned). The “fire at the office” turned out to be a fire with 1Password for Mac. Customers were getting an error message when trying to start 1Password!

Unable to start 1Password

I urgently gathered our Mac team who were enjoying their holiday weekend to figure out what happened. We quickly recreated the issue and found this error in the logs: Binary is improperly signed. This seemed very strange to me as this version was released back in 2016.

We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version. Apparently that’s not the case. In reality it had the unexpected side effect of causing macOS to refuse to launch 1Password properly.

New certificate, new format

We renewed our certificate and released 1Password 6.5.4 thinking all would be well. And that’s when the other shoe dropped. When we created the new certificate it had a new format for the Common Name.

While this sounds like an inconsequential change, our built-in installer goes to great lengths to validate that every 1Password update is actually 1Password. Since our installer did not recognize the new certificate format it refused to update.

No problem can’t be solved without yet another build, so we created 1Password 6.5.5.

Long story short, 1Password 6.5.5 is now available and solves all these problems. The only catch is it requires you to install it manually.

Moving forward

As you might imagine, we have a whole new level of understanding of the importance of expiring provisioning profiles and certificates. Our new certificate expires in 2022 but I can guarantee you we will be renewing it far before then.

I do apologize for the inconvenience and extra work that this will cause you. I am sure you had better things to do on your long weekend too. If you have any problems with this update please let us know.

I also want to take a quick moment to say “Thank You”. The understanding that I’ve seen from the 1Password community is overwhelming. You never cease to amaze me. It has truly been a humbling experience.

Having spent all Saturday fighting this fire, I still owe Brenda the dinner we were supposed to have had. After missing Valentine’s Day dinners two weeks in a row, I kind of wish the actual office had been on fire.

Further Reading

This was the first post in a three part series. The story continues here:

Part 2 : Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

Part 3 : PSA for macOS Developers: Renew Your Certificates & Provisioning Profiles

1Password 6.5 for Mac: Fantastic Secrets and Where to Find Them

These past few months we’ve been toiling like house elves on an incredibly new and awesome version of 1Password for Mac and I am happy to report it is available now.

As development on 1Password 6.5 was winding down Apple made an announcement that presented us with an incredible opportunity: The arrival of a magical new MacBook Pro with Touch Bar and Touch ID. We were there on day one with Touch ID support on iOS and maintaining that tradition on macOS was a no-brainer.

We have a lot of ground to cover in this marvellous story so open your textbooks to page 394 and let’s read on, shall we?

Unlocking with your fingerprint is as easy as swish and flick

So how about that new Touch ID support? There’s no need to utter any incantations to magically unlock 1Password with your fingerprint. Just enable the Touch ID setting in Security Preferences and you’ll be good to go.

Those of us with the new MacBook Pro here at AgileBits have been known to quietly whisper “Alohomora” under our breath as we perform this charm, and quite frankly, we recommend you do the same.


But Touch ID support is just the collectible wizard card that comes with the chocolate frog that is our massive 6.5 release.

Practice your wandless magic

Touch ID isn’t the only new piece of magic to which we’ve hitched our broomstick. The new Touch Bar is almost as awesome as picking up the latest offering at Weasley’s Wizard Wheezes (but without the fear factor).

We’ve only just begun to take advantage of all the cool capabilities the Touch Bar makes possible, and already it has improved the way we use 1Password every day. For me it’s a toss up between the beautiful menu of categories that appears when I create a new item or being able to switch vaults with a tap.


Other incantations you can conjure with the Touch Bar include:

  • Adding a new item
  • Choosing the category in which you want to create an item
  • Locking your vault easier than casting the “Colloportus” spell
  • Activating search (to find the game-winning golden snitch, of course)

All aboard on Platform 9 3/4!

Of all the work that went into this new version, I want to highlight a piece that many of you may never see. That piece is a brand new first-run experience that anyone setting up 1Password for the first time will encounter.

Setting up 1Password for the first time on a new Mac is now just like that first swig of Butterbeer: warm, inviting, and deliciously sweet! We’ve completely rewritten this experience from the ground up. You can now create a brand new 1Password account directly inside the app so it’s easier than ever to get up and running.

Accio your items from anywhere

Accio your items with Alfred and LaunchBar!
Speaking of 1Password.com, one of the things we’ve all missed was the ability to access our 1Password.com items from our favorite productivity tools like Alfred and LaunchBar. For version 6.5 we worked closely with the fine folks at both Alfred and LaunchBar to correct this egregious shortcoming. As of this writing Alfred has released an update for this new integration and LaunchBar has an update coming soon!

More goodies than Bertie Bott’s has flavours!

1Password 6.5 truly is an enormous release, packed with over 100 new features, improvements, and fixes. Here’s the full list for your studies. Be sure to pay close attention to all these Bits and Botts as they may appear on your upcoming Ordinary Wizarding Level Examinations.

New

  • 1Password can now be unlocked with your fingerprint on the new Touch ID-capable MacBook Pro.
  • Touch Bar support has landed! While using 1Password you will see enhanced controls in the Touch Bar on your new MacBook Pro.
  • 1Password has a whole new first-run experience! Setting up 1Password has never been easier. {OPM-4200}
  • You can now scan 1Password Account codes using the FaceTime HD camera on your Mac!
  • 1Password can now fill additional text, email, and password fields for items created outside the browser extension. {BRAIN-111}
  • 1Password will now ask you to migrate items from your Primary vault to newly added Personal vaults when adding a 1Password.com Account. {OPM-4240}
  • 1Password will now offer to automatically add any 1Password.com account to 1Password for Mac after signing into that account in your web browser. {OPM-4236}
  • Added the ability to copy 1Password Documents across 1Password.com accounts. {OPM-3974}
  • Added a Download Local Copy item to the context menu for Document items. {OPM-3939}
  • Added the ability to manage your 1Password account subscription within the app (AgileBits Store Only). {OPM-4249}

Improved

  • Improved filling of credit card expiration dates. {BRAIN-138}
  • Updated our translations with the latest from our incredible translators on Crowdin.
  • Renamed the Start Over menu item to Reset All 1Password Data. {OPM-4069}
  • 1Password mini’s menu width is automatically resized to fit long browser extension names. {OPM-4112}
  • After migrating to a 1Password.com account, the new account vault becomes the default vault for saving. {OPM-4534}
  • Improved the wording in Add Account preferences. {OPM-4444}
  • Improved wording in Accounts Preferences regarding 1Password.com Accounts. {OPM-4306}
  • Improved handling of sync when Folder Syncing to a removable disk. {OPM-4414}
  • Updated to the latest 1Password brain for improved Login saving and form filling.
  • 1Password is now better at avoiding “search” and “newsletter” forms when filling. {BRAIN-289}
  • 1Password is now better at saving Logins on pages with search fields. {BRAIN-274}
  • 1Password is now better at avoiding search fields on Russian and German websites. {BRAIN-293}
  • 1Password is now better at handling sneaky password fields on Swedish websites. {BRAIN-310}
  • Improved the wording of the macOS authentication prompt. {OPM-3768}
  • We now enter edit mode after converting a Password to a Login. {OPM-4284}
  • Updated the password generator minimum and maximum values. {OPM-4409}
  • Added mechanisms for strengthening communication with 1Password.com.
  • Improved the parsing for certain improperly formatted web addresses. {OPM-4281}
  • Improved network efficiency with 1Password.com accounts. {OPM-4290}
  • Added a notification to update to the latest 1Password version when features aren’t compatible with the 1Password.com Account server. {OPM-4177}
  • Changed naming of Wi-Fi sync to WLAN sync. {OPM-3851}
  • Empty address fields are now hidden when viewing items. {OPM-3902}
  • Updated the way 1Password determines which URLs to match in the extension. {OPM-4078}
  • When merging vaults during sync setup the password hint is no longer truncated if it’s too long. {OPM-4053}
  • Removed some potentially offensive words that were present in the word list for our Word-based Strong Password Generator. {OPI-3129}
  • The error message for when 1Password mini is quarantined by the system is now less mysterious. {OPM-4102}
  • Added a hover button and Voice Over support to item attachments. {OPM-624}
  • Removed several instances where 1Password for Teams or 1Password for Families language was used and replaced with 1Password Account.
  • Made numerous improvements to the way text is handled throughout the app to make translation easier.
  • Improved WLAN sync error handling. {OPI-3314}
  • Personal and Shared vaults will now display the user or team avatars if they don’t have their own avatar. {OPM-4032}
  • Improved the first run experience when using onepassword://team-account links. {OPM-4019, OPM-3905}
  • Improved the custom icon display for 1Password.com account items in the main 1Password app. {OPM-4125}
  • Improved the experience when deleting the last 1Password.com account when no local vaults exist. {OPM-4033}
  • Decreased the delay in uploading custom icons for Teams and Families vaults. {OPM-4124}
  • The account details preference pane now shows when you’re in trial mode. {OPM-4562}

Fixed

  • Fixed the layout of the Start Over dialog so that it worked better with more verbose languages. {OPM-4167}
  • Fixed an issue where custom icons would not upload to 1Password.com accounts. {OPM-4049}
  • Fixed an issue where vault switching in mini was not instantly mirrored in the main app if it was in the background. {OPM-3523}
  • Fixed a bug that could cause instability in the Preferences window. {OPM-3983}
  • Fixed a bug when removing an attachment file before saving the item with the attachment. {OPM-4057}
  • Fixed an issue that caused Reset iCloud Data to be enabled even though there weren’t any local vaults. {OPM-4104}
  • Fixed an issue that caused problems with VoiceOver navigating password values. {OPM-3343}
  • Fixed an issue that caused category sorting in All Vaults to not sort properly when only non-1Password Account vaults were present. {OPM-4131}
  • Fixed an issue that would cause WLAN sync to not activate after unlocking 1Password for Mac. {OPM-4129}
  • The anchored Large Type window no longer crops off the top of characters in a long password. {OPM-4135}
  • The tab key now cycles through fields properly again when editing an item. {OPM-4083}
  • Fixed an issue where some unrecognized data in an item would be lost while saving. {OPM-4234}
  • Fixed autosubmit on fideliti.co.uk. {BRAIN-268}
  • Fixed a layout issue in macOS Sierra when choosing fields while exporting CSV or tab-delimited files. {OPM_4241}
  • Fixed a layout issue with the Password Generator on macOS Sierra. {OPM-4304}
  • Fixed the multi-line height calculation for notes and tags in macOS Sierra. {OPM-4297}
  • Obliterated a hang that could be caused by Documents with missing metadata.
  • Fixed a rare crash when scanning a QR code when creating a one-time password or adding a 1Password.com account. {OPM-4351}
  • Fixed an instance where logging into 1Password.com may not offer to add that account to 1Password when using Bartender. {OPM-4435}
  • Resolved a logic flaw that would result in a failure to properly load localized category names on macOS 10.12. {OPM-4433}
  • Fixed a crash that could happen when using custom icons. {OPM-4423}
  • Fixed a minor button alignment issue in account sign in setup screen. {OPM-4481}
  • Fixed issues introduced in a previous beta causing setup screen animations to fail in macOS 10.10 and 10.11. {OPM-4476, OPM-4477}
  • Fixed a crash that could occur when right clicking on 1Password mini. {OPM-4552}
  • Fixed a crash that could occur when scanning a QR Code for a TOTP field. {OPM-4500}
  • Resolved a height issue with the dialog window that appeared when enabling local vaults in the Preferences window. {OPM-4390}
  • Fixed a rare crash when syncing with iCloud. {OPM-4328}
  • 1Password would fail to fill sites that had previously saved fields 1Password ignores during filling. {BRAIN-299}
  • Fixed an issue where certain Favorites could cause issues while syncing with 1Password.com accounts. {OPM-4402}
  • Fixed a bug in the item selection logic. {OPM-4417}
  • Fixed an issue that could cause 1Password mini to hang while copying large numbers of items across vaults. {OPM-4395}
  • Fixed a crash that could occur during sync via AgileKeychain. {OPI-3713}
  • Fixed an issue preventing two my.1password.com accounts from being added at one time. {OPM-4312}
  • Fixed an issue that would cause 1Password to authenticate twice with 1Password.com upon startup instead of just once. {OPM-4286}
  • Fixed an issue that caused broken custom icons. {OPM-4314}
  • Fixed an issue that could create a username conflict when manually saving a login on some sites. {OPM-4156}
  • Fixed an issue where item counts were being squished on macOS Sierra. {OPM-4228}
  • Fixed an issue that caused problems reading scanned QR Codes. {OPM-4322}
  • Fixed a crash that could happen when removing the Primary vault on OS X 10.10 Yosemite. {OPM-4309}
  • Fixed a crash that could occur when disabling vaults outside of 1Password accounts. {OPM-4273}
  • Fixed the Large Type window so that it stays on screen after being anchored by dragging it. {OPM-4152}
  • Fixed an issue where the verify code signature setting wasn’t being consulted when 1Password was locked. {OPM-4165, OPM-4178}
  • Login filling failed on tecmarket.it. {BRAIN-254}
  • Resolved an issue where 1Password would incorrectly identify the designated username and password field when saving a Login. {BRAIN-207}
  • Resolved an issue where 1Password would fill credit card month value into quantity fields when the field was of number type.
  • Resolved an issue where 1Password would attempt to fill into disabled or read-only fields. {BRAIN-263}
  • Radio buttons were being improperly saved and restored. (Existing Logins will need to be resaved.) {BRAIN-74}
  • 1Password would not fill the same password value into more than one field. {BRAIN-83, BRAIN-84}
  • Fixed an issue that caused a crash when using the Strong Password Generator. {OPM-3676, OPM-4218}
  • Fixed issues that could occur while using your browser during 1Password’s setup. {OPM-4565, OPM4569}
  • Fixed an issue where animations could get stacked and cause unintended view layout in the Setup and QR scanner windows. {OPM-4571}
  • Fixed an issue that prevented tabbing among the buttons in the Setup window. {OPM-4566}
  • Fixed a spacing issue with the Preferences window when viewing the security preferences with a 1Password.com account vault selected. {OPM-4570}
  • Fixed a crash with the QR scanning window in the Mac App Store version. {OPM-4572}
  • Fixed a crash when trying to unlock from the browser extension when still in setup mode. {OPM-4333}

This was an incredible release and we hope you love it as much as we loved creating it. So long for now and good luck on your Owls!

Having fun with Touch ID and the Touch Bar in 1Password

Yesterday was the special Apple event and all activity at AgileBits stopped as our entire team watched the live stream to see what goodies would be coming our way. For me, the most exciting news by far was the announcement of the new MacBook Pro with its amazing Touch Bar and Touch ID.

I remember how excited I was at the Apple developers conference when they first added Touch ID to iOS 8. I rushed back to the hotel, Xcode beta in hand, and added Touch ID to 1Password that very night. The joy of seeing 1Password unlock with just a tap was overwhelming.

Well, here I am again with that exact same feeling.

Now that the new MacBook Pros have Touch ID we can bring that same great feeling you are used to on iPhone to your Mac, and it looks pretty darn cool too. Take a look for yourself and see!

As stunning as it looks in the Xcode simulator on my soon-to-be-obsolete late 2013, 15” 2.3 GHz Retina MacBook Pro, I can’t wait until my new Mac arrives so I can use it for real.

Oh, and then there’s the new Touch Bar. Wow! I was really excited seeing Phil demo this. The Touch Bar introduces a brand new world to the Mac and with it comes some wonderful opportunities to make 1Password even better. Dan, our designer extraordinaire, has begun to explore what the Touch Bar can bring to 1Password and I’d like to share some early designs.

Touch Bar for 1Password

What Dan has come up with is really exciting and I can’t wait to play with it. I think that switching between my work and home vaults with just a tap is going to be the most awesome, although sliding my finger across the Touch Bar to generate a strong password comes in a close second.

The possibilities with the Touch Bar are limitless and I am excited to hear how you see yourself using the new Touch Bar with 1Password.

Please share your thoughts in the comments below ❤️

Chatting the Snaps at WWDC

What an exciting time it is in the world of Apple! My name is Connor; I’m what my colleagues like to call the “Millennial in Residence” on the AgileBits team, and I spend most of my time doing development and support for 1Password for iOS. Some of my team members and I were lucky enough to make the trip out to San Francisco recently to attend Apple’s annual Worldwide Developers Conference, otherwise known as WWDC. We spent the week watching presentations, participating in labs, and planning all the exciting things that are on the horizon for our iOS and Mac apps.

My trip started in the early hours of Sunday morning in Toronto’s Pearson airport, where I took the five-hour flight to San Francisco. From there, I was whisked by BART into downtown where I quickly checked in to my hotel and made my way to the Moscone Convention Center to begin the week. I was lucky this year to win Apple’s WWDC Scholarship, which got me a ticket to the conference and a chance to participate in some student-specific activities throughout the week. The first thing on the agenda was student orientation, where Apple presenters gave us their thoughts on what makes an app “great” and some amazing stories of how their lives led them to a coveted position at Apple. We then gathered for a giant group picture—there were 350 of us! The illustrious Tim Cook even joined us to take selfies and sign our badges (talk about an amazing souvenir).

Monday morning brought with it the ever-exciting keynote presentation, where Tim and his team of executives took the stage to introduce all of the hard work they’ve been doing during the past year. We saw some great updates to all of Apple’s operating systems, including watchOS, tvOS, iOS, and the newly renamed macOS Sierra. We saw how Apple is continuing to make its platforms work hand-in-hand with features like shared clipboard, Siri on the Mac, proximity unlock for Apple Watch, and many other awesome improvements. They also gave us some great improvements to 3D Touch which I am personally very excited about. The team and I were inside the Bill Graham public auditorium with several thousand other developers and members of the press as these announcements were made, and I can tell you that the energy in that room was incredible, especially since it was my first time experiencing an Apple keynote.

The ‪1Password‬ crew has our seats for today’s WWDC keynote!


I spent the rest of the week in what Apple calls the labs: expansive areas covering most of Moscone’s first floor, dedicated to Apple engineers helping developers like me in one-on-one (and often fairly lengthy – thanks Alex!) sessions. I got the chance to improve my code, familiarize myself with new frameworks and language updates, and of course give feedback to the very engineers that built the tools we use every day. We also got an in-depth look at those new development tools; an extra helpful Xcode engineer even helped me with a build configuration problem that would have had me running in circles for the entire afternoon.

Many of us engaged in various “skunkworks” projects, where we took some of Apple’s new frameworks and attempted to bend them to our will in 1Password. While I can’t make any promises that they’ll ever see the light of day, I will say that we were very intrigued by the possibilities created by iMessage apps, Home screen widgets, and watchOS 3. It was also great for us to run the current version of 1Password on the developer preview builds of iOS 10 and macOS Sierra. I’m happy to report that it runs well! I also attended awesome talks by Apple engineers about advancements they’ve made in watchOS, the UIKit framework, and the Swift language. I learned more during the conference than I could even process at the time, so I’m glad I took notes throughout the week :)


The other hugely important, exciting, and just plain fun aspect of “Dub Dub” was the chance to meet dozens of people who use the software we write. I had so many people walk up to me and ask about the various 1Password shirts I wore through the week.

Chatting the Snaps at WWDC 2016

Everyone I met was super friendly and had things to say about 1Password that really warmed my heart, like, “I’ve been using 1Password since my very first Mac,” or, “This is the first app I download every time I get a new phone.” Things like that are why my team and I work so hard to make 1Password great. We know that you really rely on it every day, and it was a truly humbling experience to talk to so many of you in person.

All in all, it was an amazing week. From teaching my cough more age-abundant co-workers how to use Snapchat (or in their words, how to “chat the snaps”), to the wonderful people we met, to the great new tools and products that Apple unveiled, it was an incredible experience for the entire 1Password team.

1Password 6.3 for Mac: The Passion Project

Spring has sprung and passion is in the air. The birds are feeling it, the bees are feeling it, we’re feeling it and so are you! We have heard your passionate pleas for some key improvements and we are overjoyed to share the results with you in our latest update to 1Password for Mac, version 6.3.

New browser support

Like many of you, we love trying out new browsers, but we are lost without our 1Password browser extensions. That’s why we added support for three more browsers in version 6.3: Vivaldi, Brave and Opera developer. Vivaldi aims to be the most customizable of browsers (and is it ever!), Brave is focused on security and privacy and Opera developer is for those who love to live on the edge. These browsers are now verified by 1Password, enabling you to log in to any website safely and securely.

Large Type

Did you know that you can embiggen your passwords? We introduced Large Type in 1Password 5.4 and it immediately became one of your favorite features. Among your love notes and thank-yous were some enthusiastic pleas to let the Large Type window be anchored so that you can click elsewhere without it disappearing. Now you can! Simply drag the window and it will become an anchored window that won’t disappear until you close it or lock your vault.

1Password 6.3 for Mac: Anchor the Large Type window

VoiceOver

Accessibility is important to us and VoiceOver support is a key tool in making 1Password more accessible to more users. 1Password 6.3 is now easier to navigate when using VoiceOver, especially when moving between the sidebar, item list, and item details. We have also made similar improvements to 1Password mini.

These are just some of the features in our latest release, but there are so many more. If you’d like to see the whole list of improvements, check out our full release notes.

What do you think of today’s update? Please share your thoughts with us in the comments or start a conversation with us in our discussion forums. We also invite you to reach out to us on Twitter or Facebook.