WWDC18: Presents from Apple

Hello everyone! It’s WWDC week and a large portion of the 1Password development team is here in San Jose basking in the glow of this year’s Apple’s Worldwide Developer Conference. For me it’s my first time coming to WWDC since it was last held in San Francisco two years ago, and I absolutely love it. The conference center itself is gorgeous, and the surrounding area is wonderful. Somehow I’m finding it easier to run into folks I know, and I’ve already caught up with a bunch of old friends and made a number of new ones since I’ve arrived.

WWDC is much more than a place for me to stretch the wings of my social butterfly tendencies, however; it’s all about new tech, and boy oh boy did Apple hook us up this year. Many of us are already rocking iOS 12 and macOS Mojave on our main devices and computers and they are awesome. Not only that, but 1Password is running quite happily on iOS 12 and needs just a couple small tweaks on macOS Mojave.

iOS 12 and Password Autofill

On Monday afternoon, during Apple’s Platform State of the Union I sat down with my teammate Rudy and jumped into Apple’s newly announced Password Autofill API. By the time we were ready to grab some dinner we had a tweet-worthy demo all done:

This new capability is transformational in our ability to integrate with iOS. Starting in the next version of iOS, 1Password will be able to fill your credentials into every app that has opted into the Password Autofill functionality that Apple introduced with iOS 11 last year.

macOS Mojave and Dark Mode

After our incredibly successful launch of 1Password 7 a few weeks ago we’ve been waiting to see what Apple had in store for the Mac. On Monday we got our first glimpse of dark mode in macOS Mojave, which of course left our designer Dan itching to get back to his computer to start playing. Since then the mockups have been flowing like water:

Dan's Dark Mode Lock Screen Concept

Privacy and Security

Apple’s dedication to privacy and security is legendary, and this year they introduced a whole host of new tools to help keep your computer safe. The biggest ones that we’re excited about are system integrity protection (SIP) for apps and notarized apps.

Apple’s documentation gives a concise definition of SIP at a high level:

System Integrity Protection is a security technology in OS X El Capitan and later that’s designed to help prevent potentially malicious software from modifying protected files and folders on your Mac.

SIP for apps allows us to opt in to these same protections for the 1Password app binary that resides on your computer. It gives you (and us!) peace of mind knowing that the app we built and shipped is the one running on your computer.

Notarized apps is the other thing that we’re really excited about. Apple is standing up a new service for developers where they can submit their app prior to release. The service will check the app, verify that it’s free of malware, and issue a certificate that will be “stapled” to the app. This certificate is then used by your Mac to verify that the version of 1Password you’re using has been screened and approved as being free of malware. Coupled with SIP, these two new technologies are going to be great for all apps, and 1Password in particular.

Wrapping it Up

While I can’t comment on rumor or speculation, you could use our previous track record to reasonably conclude that when iOS 12 and macOS Mojave ship later this year we’ll be there, on day one, with full support for both. In the meantime, make sure you sign up for the iOS beta, and opt-in to the betas of 1Password for Mac in Preferences:

1Password for Mac Beta Preferences

How about you? What was your favorite announcement from WWDC this year? Sound off in the comments below, I’d love to chat about it with you.

1Password 7 for Mac: The Best Ever

Today is a momentous day! It’s time to take the wraps off something incredible that changes the world as we know it: 1Password 7 for Mac is here! 🎉🙌

There’s a ton of amazing features packed into this release and I couldn’t stop myself from writing a lot about them. If you’d like to start rocking right away, feel free to jump ahead and download 1Password 7 now. For everyone else, it’s my distinct pleasure to share with you the awesome that is 1Password 7.

Marvellous mini

1Password mini is how most of us use 1Password on a daily basis and for version 7 we wanted to make that experience the best it could be.

1Password mini has been completely reimagined and comes with so many features that we needed to give it its own window. When you bring up mini you’ll find it waiting for you with an incredibly powerful and beautiful new look.

While in your browser, mini will automatically suggest the items you’re most likely to need. Select the login you want to sign in with and 1Password will do the rest.

And mini doesn’t limit itself to just browsers. With our new app integration we’ll automatically suggest logins for the current app you’re using. Along with support for drag and drop, this is a real game changer.

You can also make edits, move items between vaults, and even add documents – all without ever leaving mini. Soon you’ll wonder how you ever lived without it. 🙂

Beautiful, bold design

The beauty you’ll find in mini continues throughout the rest of 1Password as well. It all starts with the newly designed lock screen and it looks incredible, especially with Touch ID.

As great as those vault doors look, they pale in comparison to what lies secured behind them.

The first thing that grabs you is the stunning new sidebar. It draws you in with its bold dark theme and delights you with its simplicity.

The new sidebar looks great without being overpowering and the high contrast between it and your content allows your eyes to focus on what’s most important: your items.

Detailing your items

Your items are able to join in on the fun as well with a new design and some lovely new touches. Each of your items now prominently shows which vault it belongs to and has its most important information highlighted.

If you caught yourself yelling What Are Those?! when looking at the formatted notes field, you’re not alone. You can now give your notes richly formatted text using Markdown! 🎉

Along with the improved layout and typography, we’ve added a beautiful custom font created specifically for 1Password called Courier Prime Bits (based on the lovely Courier Prime).

Alan Dague-Greene is the creative genius behind this font and it makes large type passwords look absolutely incredible.

Speaking of incredible, when you combine our new custom font with Markdown support, Secure Notes are now at an entirely new level of awesome.

Once you start using Markdown in your notes you’ll find yourself wanting to create a lot of them. And when you do, you can keep your notes and items organized using tags. You can even use nested tags if you want to be fancy.

Oh and if you need to copy fields between items or into another app, you can detach the item details view into its own separate window by clicking the button in the toolbar. This is incredibly useful although to be honest I often find myself clicking it for no other reason than to see the lovely animation. 🙂

Watching out for you

1Password 7 is doubling down on how it keeps you safe online. We have bundled together a suite of security tools that notify you of breaches, warn you of bad habits, and highlight vulnerable passwords. We call it Watchtower and it’s amazing.

Watchtower integrates with Troy Hunt’s haveibeenpwned.com service to see if any of your logins are vulnerable. 1Password securely checks your items against a collection of breached passwords (over 500 million and counting) and notifies you to change them.

And thanks to twofactorauth.org, Watchtower also knows which websites support two factor authentication and will alert you when it finds logins without 2FA enabled.

Watchtower will also alert you to logins that are using an insecure (HTTP) website address, weak passwords, and horror of horrors, reused passwords (seriously, don’t do that!). And finally it’ll even warn you if your credit cards or passports are expiring soon so you don’t miss out on your vacation. 😎

Organize & securely share your items

Let’s get back to that sidebar because there’s more there than meets the eye. Sitting just beneath the surface is a powerful new way to organize and securely share your items.

Simply click on the sidebar header and your categories will slide away, revealing your collection of vaults. Vaults allow you to group your items depending on their purpose and who needs access to them.

You can drag and drop items between vaults and even between accounts. Or, drop your items on the New Vault button and a new vault will be created for you right then and there. It’s so simple it’s like magic.

Once you have your new vault created, sharing it with your team or family couldn’t be easier. Select who you want to have access to your vault and 1Password will do the rest.

Best of all, any updates to the items appear automatically for everyone. It’s easier to share securely with 1Password than being insecure without it. 💪

Strong foundations

Along with all these new features and improvements, a lot of heavy lifting took place to make 1Password 7 faster and secure-er than ever.

It all began by combining 1Password and 1Password mini into a single process. This made items faster to load, reduced memory usage, and decreased launch times. The overall performance boosts made us smile as soon as we saw them and we think they’ll make you smile, too.

Also new in 1Password 7, we’ve taken advantage of Apple’s Secure Enclave to protect your Master Password when Touch ID is enabled. This is incredibly cool because the keys used for encryption are protected by the hardware and not accessible to other programs or the operating system.

And if you’re moving over to our new 1Password memberships, syncing your data is more secure than ever. With the addition of a Secret Key, Secure Remote Password, and Galois/Counter Mode, your data has never been safer. And the speed and reliability is simply unparalleled.

And so much much much more!

I told you at the beginning that I was going to write a lot about 1Password 7 and I could keep going. But in the interest of getting you into 1Password 7 sooner, I’m curtailing the rest into this fancy bulleted list!

  • Collapse the sidebar entirely so your items get all the love
  • Quickly find items with our new Spotlight integration
  • Use Handoff to view iOS items right from your Dock
  • Easily see your currently selected vault and account
  • Marvel at the monogrammed icons for tags and logins
  • Edit your vaults directly from the sidebar
  • Enjoy the new password strength meter
  • Remove duplicate items on a per-vault basis
  • Jump to items and vaults with ease using Quick Open
  • Opt in to automatic updates so you can always enjoy the latest and greatest 1Password has to offer

How do I get it?

To start enjoying the best version of 1Password ever built, grab it here:

Download 1Password 7

1Password 7 is included free for everyone with a 1Password membership. Simply unlock 1Password after downloading and you’re good to go.

Those of you with a standalone license for version 6 will be prompted to subscribe or purchase a license when 1Password 7 first opens. Licenses will cost $64.99 but are available during our launch special for only $49.99. Licenses are per-person, per-platform so you can use your single license on as many Macs as you have. 1Password 7 for Windows will be released next week as a separate purchase.

I hope you enjoy 1Password 7 as much as we enjoyed making it for you! We couldn’t have done it without your help. ❤

Please join us in our discussion forums or in the comments below to share your experiences with us and help craft the future of 1Password. We always love hearing from you. 😘

Dave Teare Founder of AgileBits

Getting 1Password 7 ready for the Mac App Store

1Password 7 has been in beta for 6 weeks now and the feedback has been fantastic. We are getting close to the official release date and have begun final preparations, including submitting 1Password 7 to the Mac App Store. 🎉

When 1Password 7 is released it will be available from the Mac App Store as well as our website, and will be available as both a subscription and a standalone license.

When adding 1Password 7 to the Mac App Store we needed to answer the following two questions:

  • Should it be a new app?
  • Should it support both subscriptions and licenses?

Ultimately we decided that 1Password 7 will be a new app in the Mac App Store, and available only as a subscription. I know that many of you will be curious about this, so I wanted to share with you why we decided on this approach.

Mac App Store and upgrades

The Mac App Store is one of the most convenient ways to purchase apps for your Mac. You can purchase with confidence, pay quickly in your local currency, and updates happen automatically. Overall it is a pretty sweet experience.

The App Store, for all it does well, struggles mightily when a paid upgrade is introduced because it does not allow developers to charge for an update to an existing app.

When considering a paid upgrade, developers have two choices: they can re-use their existing app or submit a new one. Both have their pros and cons.

Re-using an existing app

Developers are very creative and one approach that some have used to introduce paid upgrades is to re-use their existing app and offer an In-App Purchase to make the upgraded features available.

We actually went ahead and gave this an honest, if short-lived, try. Very quickly it became apparent that this would lead to a complete mess of spaghetti code as we tried to encapsulate new features. Worse yet, any significant UI updates (including the many we have in 1Password 7) were next to impossible to add as we’d have to keep the old UI around as well. Ultimately this proved infeasible and all my devs threatened to mutiny. 🙂

Submitting a new app

A new app avoids these issues, allowing us to keep our code base clean and my developers happy. It comes at a price though.

Introducing a new app means that everyone who wants the upgraded version needs to go back to the Mac App Store, find this new version, and download it.

We’ve done this before with 1Password 4 for iOS, and have the scars to prove it. Thousands of customers were confused when trying to update because their 1Password 3 app claimed to be up-to-date. To this day we have customers on 1Password 3 who do not realize a new version is out.

To be quite honest, one of the main reasons we haven’t had a paid upgrade on the Mac side for all these years is that we were dreading the pain this would cause us and our customers. However the time has come to bite the bullet and have a paid upgrade.

To avoid this pain in the future, this will be the last time we will be submitting a new app to the App Store. To make that possible, 1Password 7 will only be available as a subscription in the Mac App Store.

Mac App Store for subscriptions only

1Password subscriptions are eligible for free upgrades, meaning we can keep the same app in the App Store and seamlessly upgrade everyone to the new version as it comes out. This is just one of the many reasons why we love memberships.

If we were to sell standalone licenses in the Mac App Store we would have these same problems all over again when 1Password 8 is released. Ultimately this is why we decided not to sell licenses through the Mac App Store.

While still tough, this decision was easier to make as people looking for licenses will be able to download 1Password 7 directly from our website. I know this isn’t ideal for those who love the Mac App Store and prefer to purchase standalone licenses and I apologize for that. But overall I believe this was the correct decision to make.

I’ll be out at WWDC in a few weeks and would be more than happy to talk further if you have questions or are facing similar decisions with your own apps.

The 1Password 7 Beta for Mac Is Lit and You Can Be, Too

Guess what, Mac fam? 1Password 7 for Mac is on its way! 🎉👏

This first beta is just a taste of what’s to come and it’s already packed full of new features and improvements. Here’s what we have so far.

Beta bling

The awesome starts with the lock screen but the real magic happens when those doors open.

Enhanced sidebar

1Password 7 comes at you fast with its bold, beautiful sidebar. The sidebar shows more information than ever, but the dark theme and monochrome icons allow you to focus your attention on what matters most: your items.

Drag and drop

You can now see all your vaults in the sidebar. This makes it easy to drag and drop items between vaults to organize them. You can even drag them between two different accounts. And if you drag items onto New Vault, a vault will be created for you right there and then. It’s never been easier to share and organize your information.

Easily edit vaults

With the new sidebar it seemed fitting to allow you to manage your vaults directly from there. So that’s what we did. Edit vault names, change their descriptions, choose an avatar or upload your own. All without ever leaving 1Password.

Rich formatting in notes

Are you feeling bold? How about emphatic? You can now express your emotions in secure notes. Use Markdown in any of your notes to add clickable links, ordered and unordered lists, and eye catching styles.

Nested tags

Tag fanatics rejoice! Not only can you organize your items with tags but you can also organize your tags. There’s an Inception joke here somewhere; while you wait for me to find it, add a forward slash to your tag names and 1Password will do the rest.

Pop-out items

If you use lots of different apps on your Mac or enjoy viewing multiple items at once, you’re going to love this: click the icon on the toolbar and your item details are whisked away into a new sticky window that will stick around until you dismiss it.

Our own font: Courier Prime Bits

No design is ever complete without finding the perfect font. We’ve added a beautiful custom font created specifically for 1Password called Courier Prime Bits (based on the lovely Courier Prime). Alan Dague-Greene is the creative genius behind this font and it makes your passwords look alive.

Finding pwned passwords 🕵🏼‍♀️

Troy Hunt has collected more than 500 million passwords from various breaches in his Have I Been Pwned? database. Easily check if your password is among them.

Secure Enclave for Touch ID

Secure Enclave protects your Master Password when Touch ID is enabled. This greatly improves your security when using Touch ID because the encryption keys are protected by the hardware in your Mac and are not accessible to any other programs or the operating system.

Safari App Extension

Our Safari extension now comes built in to 1Password 7. There’s no need to manage it separately, it updates whenever 1Password updates, and it’s more secure to boot!

Single process architecture

We completely rearchitected 1Password 7 to run within a single process. This eliminates connection issues between the main app and mini, greatly speeds up loading, and improves performance everywhere.

Grab bag of lit-ness

The changelog for beta 1 is huge. Coming in at nearly 100 additional features and improvements, it’s literally too much to read. Here are the CliffsNotes (or Coles Notes if you’re reppin’ Canada):

  • Collapse the sidebar entirely so your items get all the love
  • Share vaults directly from the sidebar
  • Easily see your currently selected vault and account
  • Login details now highlight one-time passwords
  • Tags are monogrammed with their initials
  • Select which vaults to focus on right from the sidebar
  • Quickly find items with our new Spotlight integration
  • Use Handoff to view iOS items right from your Dock
  • Login icons have never looked better

Get it now

Getting lit with beta 1 is easy!

Download 1Password 7 Beta For Mac

1Password 7 is included free for everyone with a 1Password membership. Simply unlock 1Password after downloading and you’re good to go.

Those of you with a standalone license for version 6 will be prompted to subscribe or purchase a license when the beta first opens. Licenses will be available for $64.99 when we launch later this year, but are available now for only $39.99. You can also try a membership and start enjoying 1Password 7 today with your first month free.

We’re looking forward to sharing more surprises with you on our journey towards 1Password 7. In the meantime, please join us in our beta forums and help craft the future of 1Password. We always love hearing from you. 😘

P.S. This post was heavily inspired by asking the question that we should all ask ourselves from time to time: what would Drake say? I think I got close but if you know Drake, please ask and let me know. 🙂

1Password 6.8 for Mac & iOS: The Picnic Edition

It’s been a strange summer here in Syracuse, NY; the beginning of the season was characterized by sub-optimal temperatures punctuated with frequent rainstorms. It’s only recently, a few weeks into July, that the weather has finally made the turn and the mercury is holding steady at a more comfortable level. As we were brainstorming themes for this wonderful release of 1Password 6.8 for both Mac and iOS my good friend Megs said, “Picnics!” and I knew instantly she’d nailed it.

So my friends, get your picnic blanket ready, because we have prepared a basket full of delicious new treats just for you in 1Password 6.8. We hope you’re having a delightful, secure, and scrumptious summer!

TL;DR (Internet speak for ‘Too Long; Didn’t Read’)

• One-time passwords now copy themselves to the clipboard automatically whenever you fill an item that has a one-time password.
• The ability to create vaults has arrived for 1Password.com accounts!
• Item creation and modification dates now appear in the item details on iOS.
• Korean has made a triumphant return!

HOW ABOUT SOME EXTRA SPRINKLES FOR THAT ICE CREAM CONE?


We can’t think of anything better to beat the heat than a nice cold ice-cream in the sunshine … with extra sprinkles, of course. We’d like to think of your one-time passwords as the sprinkles that complete your Login items. Now 1Password automatically copies those one-time passwords when you fill an item with the 1Password Extension, saving you a step and giving you more time to enjoy that ice cream. Yummy!

We had this feature in beta for quite some time (too long if you ask Rudy, the developer who added this feature 😉) and we’re really excited to have it see the light of day. Given the responses we’ve seen on Twitter so far you all love this one as much as we do. Thank you for all the positive feedback!

YOU CAN NEVER HAVE TOO MANY BASKETS OF GOODIES!


Everyone needs a safe place to store the pie so that no one gets into it before dessert. Now you can create new vaults in your 1Password.com account on the fly and off the cuff right within 1Password itself. No more storing the cherry pie with the cheese, or the cupcakes with the croissants. No matter what your organizational structure – creating new vaults on the go has never been so easy!

The ability to create vaults without having to visit 1Password.com has been one of the most requested features we’ve had and we’re really happy to finally make this feature available. Separating your items out into different vaults gives you a ton of flexibility not only over how you organize your items, but also how you share them. In the Fey household my wife and I share a vault of common logins (bank logins, credit cards, family social security numbers) but we also have a separate vault set up explicitly for estate planning. This vault contains all the information our executor needs in case the worst happens to the both of us. The peace of mind that comes with this setup is absolutely invaluable.

YOU’LL ALWAYS KNOW HOW FRESH YOUR ITEMS ARE.

A great sandwich is a staple at every picnic, but a truly great sandwich is only as good as the ingredients.
The same can be said for your security and an aging password is not a fresh part of your ecosystem.
With this latest update to 1Password for iOS, you’ll always know how fresh your items are: the dates your items were created and edited are right there at the bottom of the item details.

KOREAN LANGUAGE IS BACK! KOREAN BBQ, ANYONE?


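How about preparing some delicious grilled meat and enjoying it with the people you love? After all, 1Password finally supports Korean! It would not have been possible without our wonderful Korean translators. Thank you so much!
We have prepared 1Password to perfection for our valued Korean-speaking customers. We are perfectionists, after all. We are truly proud that the language has made such a beautiful return.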

FULL RELEASE NOTES

1Password for iOS
You can find the full release notes here.

1Password for Mac
Our Mac release notes can be seen here.

YOUR FAVORITES?

I’d love to hear your favorite feature in this release. Sound off in the comments!

Introducing native messaging for the 1Password extension

I’m really excited to announce a brand new way for 1Password to save and fill in browsers. It’s not a new feature, and chances are you won’t even notice it. It’s called native messaging, and it changes the way 1Password integrates with your browser. In fact, if you use 1Password with Google Chrome, you might already be using it. [1]

Native messaging makes the 1Password extension faster, more stable, and more compatible in more situations. It improves the performance and reliability of the 1Password extension, and it’s the end result of talking with thousands of 1Password users over the years.

Once upon a time…


When the 1Password extension made its debut for Chrome in 2012, the options for browser extensions to talk to apps were limited. We settled on an approach using WebSockets, which creates a network connection on your computer between 1Password and the browser. Although it’s technically a network connection, the data is only transmitted locally and never leaves your computer. This served us well in the vast majority of cases, but for a significant number of people, this connection was unreliable. Proxies, antivirus, and other security software could interfere with the connection and prevent saving and filling. These conflicts caused a lot of pain, especially for Windows users. Over time, it became clear that we needed a better approach.

Enter native messaging

Thankfully, Google led the way and introduced that better approach. Native messaging is a more direct way for browser extensions to communicate with apps. Unlike WebSockets, it doesn’t rely on creating a network connection between your computer and itself.

With native messaging, no longer is Chrome’s connection to 1Password subject to the vagaries of your network and computing environment. No matter how you’ve configured your computer, if you can run 1Password and Chrome, then native messaging will work for you. Last year, we began the transition to replace WebSockets with native messaging. In order for 1Password to use native messaging, we needed to update the extension and the apps. So in April, we released a version of the 1Password extension for Chrome with support for native messaging. Since then, all current versions of 1Password for Mac and Windows have been updated to use the new technology.
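
The framing Chrome uses for native messaging, as an added example (not 1Password's code): the browser starts the app as a child process and exchanges JSON messages over its stdin and stdout, each preceded by a 32-bit length in native byte order, so no local socket is ever opened. The message fields, the echo handler and the inbound size cap are hypothetical.

```python
import json
import struct
import sys

# Chrome refuses a single message from the native host larger than 1 MB.
MAX_HOST_TO_BROWSER = 1024 * 1024
# Cap chosen for this example on what the host accepts from the browser.
MAX_BROWSER_TO_HOST = 4 * 1024 * 1024


def encode_message(obj, limit=MAX_HOST_TO_BROWSER):
    """Serialize obj as UTF-8 JSON behind a 32-bit native-endian length."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    if len(body) > limit:
        raise ValueError(f"message of {len(body)} bytes exceeds {limit}")
    return struct.pack("=I", len(body)) + body


def read_message(stream, limit=MAX_BROWSER_TO_HOST):
    """Read one framed message; raise EOFError when the pipe is closed."""
    header = stream.read(4)
    if header == b"":
        raise EOFError("peer closed the pipe")
    if len(header) < 4:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("=I", header)
    # Check the declared length before reading, so a corrupt or hostile
    # prefix cannot make the host buffer an arbitrary amount of data.
    if length > limit:
        raise ValueError(f"declared length {length} exceeds {limit}")
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message body")
    return json.loads(body.decode("utf-8"))


def handle(message):
    """Hypothetical handler: echo the request back to the extension."""
    return {"echo": message}


def serve(inp, out, handler=handle):
    """Answer framed requests until the browser closes the pipe."""
    handled = 0
    while True:
        try:
            request = read_message(inp)
        except EOFError:
            return handled
        out.write(encode_message(handler(request)))
        out.flush()
        handled += 1


if __name__ == "__main__":
    # The browser owns both ends of these pipes; nothing listens on a port.
    serve(sys.stdin.buffer, sys.stdout.buffer)
```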

What will change?

If you notice any changes, they should only be positive. Communication is nearly instant, and you’ll be able to use the extension as soon as you open your browser. Native messaging removes entire classes of problems that have affected 1Password users for a long time. Conflicts with network proxies and firewalls in corporate computing environments, ad blocking software, and even productivity tools that lock you out of distracting sites should be a thing of the past. Security software that gets spooked by local network connections should relax down from red alert. And many less common scenarios will work much better with native messaging as well.

How do I get it?!


The first thing to do is check for updates in 1Password to make sure you’re using the latest version available. The latest releases of 1Password all include native messaging. We even updated 1Password 4 for Windows to make sure everyone can take advantage of this advancement on both Mac and Windows. 1Password has built-in support for Google Chrome and many other browsers based on Chrome, like Opera. If you’re using a supported browser, 1Password will switch to native messaging immediately.

Some Chrome-based browsers are supported but require additional configuration to work with native messaging. See our support article for more details.

Conclusion

Native messaging is the future for the 1Password extension. For now it’s supported in Chrome, but support will be coming soon to other browsers like Firefox and Edge. We’ll let you know when native messaging arrives on new browsers — and stay tuned for more posts about the 1Password extension. There’s a lot of exciting stuff going on that I can’t wait to share with you. For now, I’d love to hear your thoughts about native messaging in the comments, and you can always connect with me and the rest of the extension team in the forum.


  1. I will use Chrome as a shorthand for Chrome and browsers based on Chromium such as Opera and Vivaldi throughout this post unless there are specific differences to note.

PSA for macOS Developers: Renew Your Certificates & Provisioning Profiles

Welcome to Part 3 in a three-part series of posts that go in-depth on recent events that caused macOS to prevent 1Password for Mac from launching on our customers’ machines. In this thrilling conclusion we’ll go into what we’ve learned and what the rest of the developer community needs to do to prevent this same sort of pain in their own apps.

In case you need to catch up on your reading:

Part 1 : 1Password for Mac 6.5.5: Manual update required

Part 2 : Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

We never take for granted that 1Password is an integral part of our customers’ workflows. It’s an app that has engendered a great deal of trust and any time we stumble and hurt our customers, we spend as much time as needed to fully understand what happened and make sure we cover our bases for the future. The events of this past week are no exception.

We’ve learned a fair amount over the last week, so let’s dive in.

Who This Affects

We went over this a bit in part 2, but we’ve been able to confirm that the issue we ran into is one that affects any Developer ID signed application also containing a Provisioning Profile. If your app has declared any codesign entitlements there’s a good chance you’ve got a provisioning profile. Often developers think of codesign entitlements only in the context of sandboxing an application, but they’re used for other things as well. In our case it is used to declare a keychain access group.

The presence of the provisioning profile will depend on your use of app services, which you can see in the Capabilities pane in the project editor when viewing the target in Xcode. If any of these options are set, there’s a relatively good chance that your app is shipping with a provisioning profile.

As a user, you can see if an app contains a provisioning profile by right-clicking on the app in Finder and choosing “Show Package Contents”, then navigating to Contents to see if there’s an “embedded.provisionprofile” file. Seeing its expiration date requires that you open Terminal and use the security cms -D -i command followed by the path to the embedded.provisionprofile file. It will output the XML plist, which will contain something that looks like this:

<key>ExpirationDate</key>

<date>2022-02-17T23:59:55Z</date>

Generally, this provisioning profile is set to expire at the same time as your Developer ID certificate. One of the hallmarks of 1Password is that it tends to adopt the latest and greatest technologies that Apple has to offer right on day one. For this reason our provisioning profile was generated relatively early on and therefore we are one of the first ones to experience this pain.

We urge all developers that distribute an app outside of the Mac App Store to check whether their app ships with a provisioning profile, and to verify its expiration date.
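The check described above can be automated. The following is an added example, not code from AgileBits or Apple: it walks an app bundle for every embedded.provisionprofile (nested helper apps included), decodes each with the security cms -D -i command from this post, and classifies the expiration date. The function names, the 180-day warning window and the sample plist are assumptions made for illustration.

```python
import plistlib
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

PROFILE_NAME = "embedded.provisionprofile"

# Constructed sample of the decoded plist, trimmed to the key the post shows.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>ExpirationDate</key>
    <date>2022-02-17T23:59:55Z</date>
</dict>
</plist>
"""


def find_profiles(app_bundle):
    """Return every embedded profile in the bundle, nested helper apps included."""
    return sorted(Path(app_bundle).rglob(PROFILE_NAME))


def decode_profile(path):
    """Strip the CMS wrapper using the command from the post (macOS only)."""
    result = subprocess.run(["security", "cms", "-D", "-i", str(path)],
                            check=True, capture_output=True)
    return result.stdout


def expiration(plist_bytes):
    """Return ExpirationDate as a timezone-aware UTC datetime."""
    profile = plistlib.loads(plist_bytes)
    if "ExpirationDate" not in profile:
        raise ValueError("profile has no ExpirationDate key")
    # plistlib returns a naive datetime that is already in UTC.
    return profile["ExpirationDate"].replace(tzinfo=timezone.utc)


def days_left(plist_bytes, now=None):
    """Whole days until expiry; negative once the profile has expired."""
    now = now or datetime.now(timezone.utc)
    return (expiration(plist_bytes) - now).days


def status(plist_bytes, warn_days=180, now=None):
    """Classify a decoded profile as 'expired', 'renew' or 'ok'."""
    now = now or datetime.now(timezone.utc)
    if expiration(plist_bytes) <= now:
        return "expired"
    if days_left(plist_bytes, now) < warn_days:
        return "renew"
    return "ok"


def audit(app_bundle, warn_days=180):
    """Return (path, status) for each profile found in the bundle."""
    return [(str(p), status(decode_profile(p), warn_days))
            for p in find_profiles(app_bundle)]


if __name__ == "__main__":
    # Usage: python3 check_profiles.py "/Applications/Some App.app"
    for app in sys.argv[1:]:
        for path, state in audit(app):
            print(f"{state:8} {path}")
```

Run it in a release pipeline so a build fails while there is still time for users to update before the profile lapses.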

 

Short Term Fix

When we generated our new provisioning profile last week we also created a new Developer ID certificate. Both this new certificate and the associated provisioning profile expire in 2022. In the short term this buys us a bit of time.

By the time you read this 1Password 6.6.1 will have been published on our website (with a major new version in the Mac App Store as well). This new version will help some users who have been having issues with the manual update process and also comes with a load of other goodies.

 

Longer Term Fix

Apple has posted a thread on their Developer Forum indicating they’ve made changes to the developer center to help with this problem. Newly generated Developer ID Provisioning Profiles are now valid for 18 years instead of 5. That takes us up to 2035, just in time for us to start worrying about y2k38 bugs. If our customers are still using 1Password 6.6.1 in 2035 then they’ve certainly missed a few update notifications.

Apple recommends developers generate new provisioning profiles to obtain one that has the longer expiration date. We’ll be doing this on our side shortly.

In practical terms, this solves the issue for our customers.

 

Proper Long Term Fix

Ideally there would be no expiration that affects users. A few years ago I resurrected a system from 1988 and set up an operating system from 1994 on it. Expiration dates on software would have made this impossible. It pains me to think of someone being unable to run 1Password in the future out of curiosity because of arbitrary limits such as this.

The issue we’ve filed with Apple (rdar://30631939) regarding the inability to run apps with expired provisioning profiles remains open. We will continue to advocate for this to be changed and recommend that all developers of affected software do the same (please dupe the rdar). We’ll keep you updated if this changes.

 

Introducing 1Password 6.6 for Mac

I’m happy to announce we just finished assembling a new version of 1Password! It’s working its way through the update engines around the world now and hopefully it’s ready for you by the time you finish reading this.

The biggest change in this release is a whole new setup experience. We’ll dive into that in a moment, but first I’d like to share a cool new feature for those of you lucky enough to have one of those sexy new MacBook Pros.

We’ve been experimenting with the new Touch Bar since the beginning and added Touch Bar support along with Touch ID back in November as soon as the new Macs were available.

Today we’re taking the next step tap and giving you the ability to customize your Strong Password Generator settings directly from your Touch Bar!

I always enjoy the feel of tapping actions on the Touch Bar but sliding your finger across it is even better! Trust me, you’ll have a hard time customizing your password length just once.

There are several other changes in this release as well, but let’s dive right into the big one now.

New Setup Flow

The biggest change is one that most of you probably won’t see until the next time you’re setting up a new Mac. Those new MacBook Pros with Touch ID really are pretty sweet so hopefully this isn’t too far in your future!

Starting today we have a lovely new flow for the setup screens[1]. Like their little cousin on iOS did earlier, 1Password for Mac makes getting started much simpler.

Now when you launch 1Password on a new Mac you’ll be greeted with a lovely page asking you if you’ve used 1Password before:

Those of you who have already been rocking with 1Password can use your existing data, and everyone else who’s just getting started can begin their free trial.

Free Trials From Mac App Store

We’ve always wanted everyone to be able to try 1Password before needing to purchase. Our website version has supported free trials since the very beginning, but it wasn’t possible in the Mac App Store when we first published 1Password there way back in 2011.

Thankfully Apple gave us a wonderful present at their Worldwide Developers Conference last year that made this possible for Mac App Store users as well.

1Password now comes with a 30 day free trial in the Mac App Store. Those downloading 1Password for the first time will start their trial and be prompted to subscribe once their trial expires:

Your single subscription allows you to use 1Password on all your devices and always have access to the latest versions.

Those who previously purchased 1Password in the Mac App Store will continue to be able to use 1Password as before and are not required to subscribe to our 1Password membership. Although there are a lot of great reasons why you should…

Benefits of a 1Password Membership

I’ve been a license holder since the beginning. In fact, I’m pretty sure I got the first license we ever made!

If you’re a longtime license holder of 1Password like I was, I’m sure you’re wondering what all the hullabaloo is over our new service. I’m glad you asked and I’m happy to unlock that mystery for you!

There are a lot of benefits to a 1Password Membership over a standalone license, but for me it boils down to convenience, security, and peace of mind.

Let’s start with convenience. With a membership, all I do is log in on a new device and all my data is there. I can even organize my items in multiple vaults and they all appear instantly.

And the best part is my membership gives me access to the latest version of 1Password on all my devices so I don’t need to worry about managing any licenses. I’m really happy that I don’t need to say “1Password is sold on a per-person, per-platform basis, with paid upgrades for major new versions” anymore.

On the security side of things, I absolutely love our new encryption design that leverages Galois/Counter Mode for efficient authenticated encryption and our ingenious Two Secret Key Derivation starring our unique Account Key.

I know I know, I’m a huge geek and love the details, but these and many other things all add up to better performance and a secure-er than ever way to protect your data. You can check out our security page for a nice high level review, along with a detailed White Paper for my fellow geeks reading this.

As for peace of mind, this one is priceless. I simply sleep better at night.

With my 1Password membership, I know that all my data is backed up automatically for me, and every change is remembered so I can go back in time and restore my precious items whenever I need to. And with our Family account I can securely share passwords with Sara so she has access to everything she needs.

In short, I’m absolutely loving my 1Password membership. It’s the best way to use 1Password.

Becoming a 1Password Member

If these benefits excite you and you want to join me, becoming a 1Password member is super easy.

You can jump on board and migrate all of your data over in just a few short steps. We have a quick guide on how to set up a new account and move over your data, along with a nice video showing how easy it is to do.

I know you’re busy so I’m happy to say you can finish the entire process in just a few minutes. Start by creating your new account here:

Start Your Free Trial Today

Often it feels like I’ve been using all these great new features for a lifetime, but looking back we introduced 1Password Teams only 15 months ago, 1Password Families almost exactly one year ago, and 1Password Memberships just 6 months ago.

It’s amazing how quickly I came to rely on these benefits and how I was able to fall in love with 1Password all over again. I think you will, too.

Enjoy! ❤️


  1. Those with eagle eyes might be saying “again?” since 1Password 6.5 had a new setup experience for those who downloaded from our website. But we’ve iterated on the design and now everyone gets to join in on the fun, including those who install using the Mac App Store. 

Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

As you may have read, this weekend was a little hectic for us and some of our app developer friends[1]. On Saturday we got word that users of 1Password for Mac were seeing the app fail to launch correctly. It took a few hours, but we diagnosed the problem and released an update that corrected the issue. This issue will only have affected users that downloaded 1Password for Mac directly from our website, so if you downloaded it from the Mac App Store you had a much more calm weekend than we did.

But alas, that story has already been told. Now it’s time for the nitty gritty technical details about all the forces that aligned against us that had us staring up a giant wall of crashing water like George Clooney and Mark Wahlberg.

Prologue: Not All Certificates Are Created Equal

There’s a lot of information to unpack in this post, but before I get started, I’d like to address an assumption I’m seeing far too many people making: that what happened to us was simply an issue of an expired certificate and that all we needed to do was create a new one, just like you do for SSL certificates.

That’s simply not true.

Developer certificates are much different than SSL certificates and serve a very different purpose. Unlike a simple SSL certificate, our developer certificate is used to sign 1Password and needs to be valid during build time. The expiry time of a certificate or provisioning profile should have no impact on whether macOS will allow an app to launch.

An analogy may be helpful here: if you think of the developer certificate as a carton of eggs, and 1Password as a cake, then it is important not to use expired eggs to make the cake. The fact that the eggs may expire a few days after making the cake should have no effect on the cake itself. After all, the cake is already made and delivered.

Jumping out of the galley and back into our developer world, an expired certificate typically doesn’t affect us until the next time we need to do a release, which would have been this week with our next betas. Certificates control our ability to sign new apps. They don’t affect existing released apps.

For example, we have some users still using 1Password 3 for Mac (hey there, if that’s you, you should really consider upgrading to a 1Password membership as soon as possible!). The first release of 1Password 3 was in 2009, around 8 years ago. Assuming a user is happy with 1Password 3, how long should they expect to be able to continue using the software they paid for? The only acceptable answer to that question is: as long as they feel like it.

Obviously there are plenty of reasons why a user would want to upgrade to newer versions, but the fact of the matter is that a user shouldn’t be reliant on us to keep providing updated builds of an unmaintained app just to keep it running. Unlike an SSL certificate, this isn’t something we can simply fix from our end. Fixing the issue we ran into this weekend is a matter of creating a new build of the app and having users update to the new version.

Taking a Tour of the Engine Room

To properly understand what happened, let’s take a step back and look at the different parts of this.

In Mac OS X 10.7 Apple introduced Gatekeeper. Gatekeeper is really quite awesome as it gives users control over what software is allowed to run on their system. The default is to allow software from verified and trusted developers: those apps that have been uploaded to the Mac App Store, or those signed with Developer ID certificates made available to the developer by Apple.

Gatekeeper ensures that apps that have been tampered with will refuse to run, and also provides Apple with a way to revoke certain certificates if a developer has been found to be doing harm (i.e. distributing Developer ID signed malware). These simple steps stop a wide variety of attack vectors and we think the world of Apple for having implemented this.

The next layer is the Provisioning Profile. Provisioning Profiles provide information about what the app can do, as well as who can run it. There are certain services on the Mac that require that the app include a Provisioning Profile. In our case, we needed to start using a Provisioning Profile when we added support for unlocking 1Password using Touch ID.

To be clear, Touch ID itself doesn’t necessitate the profile, but in order to unlock your vault we need to store a secret and we choose to store it in the OS X keychain. The specific configuration we’re using for that requires declaring that we want access to a specific keychain access group, which needs to be declared in a provisioning profile. The provisioning profile is included in the app bundle and cannot be updated independently of the app.

Next up… XPC. We use XPC to communicate between the 1Password main app and 1Password mini – the little 1Password that runs in your menu bar – and it’s really quite awesome. 1Password mini acts as the brains of the whole operation, and the larger app is mostly just responsible for displaying information. The reason we love XPC so much is because it’s an inter-process communication tool that actually provides us the building blocks we need to perform mutual authentication. What this means is that 1Password mini will refuse to communicate with the main app unless it can prove that it’s signed by us. The inverse is true as well.

Storm Clouds Gather

At around 3pm EST on February 18th we started getting reports of failures in 1Password for Mac. Folks were seeing an error appear that 1Password was unable to connect to 1Password mini.

Unable to start 1Password

This initial failure occurred due to the fact that the provisioning profile embedded in 1Password mini had an expiration date. Expiration dates seem to be required, and due to the fact that the expiration date elapsed, Gatekeeper decided that 1Password mini was no longer safe to run. We’ve filed a bug with Apple as we feel that this shouldn’t be the case (rdar://30631939 for those of you reading along inside the Mothership).

Only 1Password mini contains the Provisioning Profile as all Touch ID operations happen within that process. This meant that Gatekeeper was deciding that our main 1Password app could launch. Upon launching, 1Password performs its start up sequence which includes asking the system to launch 1Password mini if it’s not already running. When doing so, the system would log the following to the console:

com.apple.xpc.launchd[1] (2BUA8C4S2C.com.agilebits.onepassword4-helper[11038]): Binary is improperly signed.
com.apple.xpc.launchd[1] (2BUA8C4S2C.com.agilebits.onepassword4-helper[11038]): removing service since it exited with consistent failure reason When validating /Applications/1Password 6.app/Contents/Library/LoginItems/2BUA8C4S2C.com.agilebits.onepassword4-helper.app/Contents/MacOS/2BUA8C4S2C.com.agilebits.onepassword4-helper:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
com.apple.xpc.launchd[1] (com.apple.ReportCrash[11041]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.ReportCrash

The 1Password main app detected the failure and provided an error panel telling the user that it couldn’t connect to mini.

Due to the expired Provisioning Profile, 1Password mini wouldn’t launch. And without mini running, 1Password itself was unable to start up successfully. Both mini and 1Password itself were signed with the same Developer ID certificate. Gatekeeper allowed 1Password to run, but due to the different rules for apps with provisioning profiles, it would not allow mini to run.

As far as we can tell, the only way to correct this problem is to provide a new build of the app with an updated provisioning profile with a new expiration date. Within a few hours we were able to publish a new version which did exactly this. As of 6.5.4, we had an app that users could download and run again.

The Eye Of The Storm

After this initial bout of terror, death defying feats, and mad scrambles we figured the technical portion of this exercise was finished and had begun transitioning into customer support mode; helping allay the fear, uncertainty, and doubt that this event had caused.

Little did we know at the time, we were only in the eye of the storm – the calm center before things would get rough again.

1Password for Mac includes an updater within the app so that users can easily upgrade to the latest versions as they become available. This updater validates downloads before performing the update to ensure that the updated app is in fact from AgileBits. One of the steps taken during validation is looking at the code signature of the downloaded app and ensuring that it satisfies the following security requirement:

anchor apple generic and identifier com.agilebits.onepassword4 and certificate leaf[subject.CN] = "Developer ID Application: Agilebits Inc."

This check has worked really well for us. It’s simple and does the trick.

This check is also extremely specific about the common name[2] it looks for. When we generated our updated provisioning profile we also needed to generate a new Developer ID certificate. We didn’t realize it at the time, but the common name of newly created certificates now includes the team identifier in addition to the company name: “Developer ID Application: AgileBits Inc. (2BUA8C4S2C)” vs. “Developer ID Application: AgileBits Inc.”. Close. Super close. But we weren’t looking for a “close” match.

The result of this new common name was that even though our app would now launch, the automatic updater would never run successfully because as far as it was concerned the update being provided wasn’t valid and therefore needed to be rejected. This is what users who could still run 6.5.3 and tried to update to 6.5.4 saw.

Once we discovered this problem we had no choice but to pull the 6.5.4 update and issue a 6.5.5 update that included a modified security requirement check. Sadly this didn’t address the fact that users running 6.5.3 and earlier are not able to automatically update to 6.5.5.
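The failure described above can be reproduced with a small model of the leaf-certificate clause. This is an added example, not the 1Password updater's code, and the post does not say what the modified 6.5.5 check looks like: the team-identifier requirement below is one possible alternative, and it assumes the certificate's subject.OU field carries the team identifier 2BUA8C4S2C in both the old and the new certificate. The certificate subjects are constructed from the two common names quoted in the post.

```python
import re

# Matches the one clause shape this example models:
#   certificate leaf[subject.FIELD] = "VALUE"
LEAF_CLAUSE = re.compile(r'certificate leaf\[subject\.(\w+)\]\s*=\s*"([^"]*)"')

PREFIX = "anchor apple generic and identifier com.agilebits.onepassword4 and "

# Requirement pinned to the display name, as in the original updater check.
CN_REQUIREMENT = PREFIX + (
    'certificate leaf[subject.CN] = "Developer ID Application: AgileBits Inc."')

# Hypothetical alternative pinned to the team identifier (assumed to be in OU).
TEAM_REQUIREMENT = PREFIX + 'certificate leaf[subject.OU] = "2BUA8C4S2C"'

# Constructed certificate subjects. The OU values are an assumption.
OLD_LEAF = {"CN": "Developer ID Application: AgileBits Inc.",
            "OU": "2BUA8C4S2C"}
NEW_LEAF = {"CN": "Developer ID Application: AgileBits Inc. (2BUA8C4S2C)",
            "OU": "2BUA8C4S2C"}
OTHER_LEAF = {"CN": "Developer ID Application: Example Corp (ABCDE12345)",
              "OU": "ABCDE12345"}


def leaf_clauses(requirement):
    """Return the (field, value) pairs the requirement pins on the leaf cert."""
    return LEAF_CLAUSE.findall(requirement)


def leaf_ok(subject, requirement):
    """True if the subject satisfies every leaf clause, compared exactly.

    The anchor and identifier clauses are assumed to have been verified
    by the system's code signing machinery and are not modelled here.
    """
    clauses = leaf_clauses(requirement)
    if not clauses:
        raise ValueError("requirement pins nothing on the leaf certificate")
    return all(subject.get(field) == value for field, value in clauses)


def pins_only_display_name(requirement):
    """Lint check: the signer is identified solely by its common name."""
    fields = {field for field, _ in leaf_clauses(requirement)}
    return fields == {"CN"}


def survey(requirement):
    """Evaluate the requirement against the three constructed subjects."""
    return {name: leaf_ok(subject, requirement)
            for name, subject in (("old", OLD_LEAF),
                                  ("new", NEW_LEAF),
                                  ("other", OTHER_LEAF))}


if __name__ == "__main__":
    for label, req in (("CN pinned", CN_REQUIREMENT),
                       ("team pinned", TEAM_REQUIREMENT)):
        print(label, survey(req), "lint:", pins_only_display_name(req))
```

The common-name requirement accepts the old certificate and rejects its renewed replacement, while the team-identifier requirement accepts both and still rejects a different developer.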

Moving Forward and Heading Home

This was painful for everyone. We lost sleep over the weekend, but worse than that… our users temporarily lost access to some of their most important information. This is unacceptable to us and we want to make sure this doesn’t happen again.

We’ve reached out to Apple for help and guidance on what we can do to avoid this happening again in the future. Our new provisioning profile doesn’t expire until 2022, but we’ll make sure that this is resolved far before then so that you need not worry about that happening.

If you’re a developer of a Developer ID signed app, we recommend that you check to see if your app includes a provisioning profile. Since that’s mostly handled automatically by Xcode, it’s likely that there are apps out there whose developers aren’t even aware of the inclusion of the provisioning profile. Check the expiration date, and ensure that you release an updated build with an updated provisioning profile well before the expiration date is hit so your users have time to update.

We’ve also filed an enhancement request with Apple asking that developers be notified via email of impending distribution certificate or provisioning profile expirations with explanations of repercussions. This was filed as rdar://30631968.

If you have questions about any of this, please don’t hesitate to ask us in the comments below.

Love,
The 1Password Mac Team
❤️

P.S. Happy 5th Birthday to Gatekeeper! We were one of the first apps to sign with Developer ID certificates, use XPC, and leverage the entitlements required for Touch ID. It’s always exciting being on the cutting edge of technology but we wouldn’t have it any other way.

Further Reading

This was the second post in a three part series. See the exciting prequel and sequel here:

Part 1 : 1Password for Mac 6.5.5: Manual update required

Part 3 : PSA for macOS Developers: Renew Your Certificates & Provisioning Profiles


  1. The exact same perfect storm appears to have caused our friends at Smile to hit the same rough seas that we had. You can see Adam Engst’s story in TidBITS for details on how this affected PDFPen.
  2. The Common Name is the subject.CN part of the security requirement. As our Chief Defender of the Dark Arts often says of Common Names: they are often very uncommon. The name is inherited from older identity management systems. I don’t need to say much more as Jeff loves explaining things, so let’s all sit back and watch what he says in his comment that I’m sure he’ll be adding soon.

1Password for Mac 6.5.5: Manual update required

tl;dr

As a result of an expired provisioning profile and format change in the developer certificate, customers who downloaded 1Password for Mac directly from our site will need to manually update to the latest version. Those using 1Password from the Mac App Store are not affected.

For those who are interested, here are the events that conspired against us to make for an interesting Family Day weekend…

Fire at the office

I was out at the gym yesterday when I received a call from my wife. I thought she was calling about our belated Valentine’s dinner we had planned. Instead she rather alarmingly told me that “Sara called and said there is a fire at the office”.

Rushing home, I was expecting to hear that the hammocks and standing desks had gone up in flames. (Happily our servers are all virtual so I wasn’t too concerned). The “fire at the office” turned out to be a fire with 1Password for Mac. Customers were getting an error message when trying to start 1Password!

Unable to start 1Password

I urgently gathered our Mac team who were enjoying their holiday weekend to figure out what happened. We quickly recreated the issue and found this error in the logs: Binary is improperly signed. This seemed very strange to me as this version was released back in 2016.

We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version. Apparently that’s not the case. In reality it had the unexpected side effect of causing macOS to refuse to launch 1Password properly.

New certificate, new format

We renewed our certificate and released 1Password 6.5.4 thinking all would be well. And that’s when the other shoe dropped. When we created the new certificate it had a new format for the Common Name.

While this sounds like an inconsequential change, our built-in installer goes to great lengths to validate that every 1Password update is actually 1Password. Since our installer did not recognize the new certificate format it refused to update.

No problem can’t be solved without yet another build, so we created 1Password 6.5.5

Long story short, 1Password 6.5.5 is now available and solves all these problems. The only catch is it requires you to install it manually.

Moving forward

As you might imagine, we have a whole new level of understanding of the importance of expiring provisioning profiles and certificates. Our new certificate expires in 2022 but I can guarantee you we will be renewing it far before then.

I do apologize for the inconvenience and extra work that this will cause you. I am sure you had better things to do on your long weekend too. If you have any problems with this update please let us know.

I also want to take a quick moment to say “Thank You”. The understanding that I’ve seen from the 1Password community is overwhelming. You never cease to amaze me. It has truly been a humbling experience.

Having spent all Saturday fighting this fire, I still owe Brenda the dinner we were supposed to have had. After missing Valentine’s Day dinners two weeks in a row, I kind of wish the actual office had been on fire

Further Reading

This was the first post in a three part series. The story continues here:

Part 2 : Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

Part 3 : PSA for macOS Developers: Renew Your Certificates & Provisioning Profiles