PSA for macOS Developers: Renew Your Certificates & Provisioning Profiles

Welcome to Part 3 in a three-part series of posts that go in-depth on recent events that caused macOS to prevent 1Password for Mac from launching on our customer’s machines. In this thrilling conclusion we’ll go into what we’ve learned and what the rest of the developer community needs to do to prevent this same sort of pain in their own apps.

In case you need to catch up on your reading:

Part 1 : 1Password for Mac 6.5.5: Manual update required

Part 2 : Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

We never take for granted that 1Password is an integral part of our customer’s workflows. It’s an app that has engendered a great deal of trust and any time we stumble and hurt our customers, we spend as much time as needed to fully understand what happened and make sure we cover our bases for the future. The events of this past week are no exception.

We’ve learned a fair amount over the last week, so let’s dive in.

Who This Affects

provisioning-bandaids@2xWe went over this a bit in part 2, but we’ve been able to confirm that the issue we ran into is one that affects any Developer ID signed application also containing a Provisioning Profile. If your app has declared any codesign entitlements there’s a good chance you’ve got a provisioning profile. Often developers think of codesign entitlements only in the context of sandboxing an application, but they’re used for other things as well. In our case it is used to declare a keychain access group.

The presence of the provisioning profile will depend on your use of app services, which you can see in the Capabilities pane in the project editor when viewing the target in Xcode. If any of these options are set, there’s a relatively good chance that your app is shipping with a provisioning profile.

terminal-icon@2xAs a user, you can see if an app contains a provisioning profile by right clicking on the app in Finder, and choosing “Show Package Contents”. Then navigating to Contents to see if there’s a “embedded.provisionprofile” file. Seeing its expiration date requires that you open Terminal and use the security cms -D -i command followed by the path to embedded.provisionprofile file. It will output the xml plist which will contain something that looks like this:

<key>ExpirationDate</key>

<date>2022-02-17T23:59:55Z</date>

Generally, this provisioning profile is set to expire at the same time as your Developer ID certificate. One of the hallmarks of 1Password is that it tends to adopt the latest and greatest technologies that Apple has to offer right on day one. For this reason our provisioning profile was generated relatively early on and therefore we are one of the first ones to experience this pain.

We urge all developers that distribute an app outside of the Mac App Store to check whether their app ships with a provisioning profile, and to verify its expiration date.

 

Short Term Fix

short-term-fix@2xWhen we generated our new provisioning profile last week we also created a new Developer ID certificate. Both this new certificate and the associated provisioning profile expire in 2022. In the short term this buys us a bit of time.

By the time you read this 1Password 6.6.1 will have been published on our website (with a major new version in the Mac App Store as well). This new version will help some users who have been having issues with the manual update process and also comes with a load of other goodies.

 

longterm-fix@2xLonger Term Fix

Apple has posted a thread on their Developer Forum indicating they’ve made changes to the developer center to help with this problem. Newly generated Developer ID Provisioning Profiles are now valid for 18 years instead of 5. That takes us up to 2035, just in time for us to start worrying about y2k38 bugs. If our customers are still using 1Password 6.6.1 in 2035 then they’ve certainly missed a few update notifications. ?

Apple recommends developers generate new provisioning profiles to obtain one that has the longer expiration date. We’ll be doing this on our side shortly.

In practical terms, this solves the issue for our customers.

 

Proper Long Term Fix

Ideally there would be no expiration that affects users. A few years ago I resurrected a system from 1988 and set up an operating system from 1994 on it. Expiration dates on software would have made this impossible. It pains me to think of someone being unable to run 1Password in the future out of curiosity because of arbitrary limits such as this.

The issue we’ve filed with Apple (rdar://30631939) regarding the inability to run apps with expired provisioning profiles remains open. We will continue to advocate for this to be changed and recommend that all developers of affected software do the same (please dupe the rdar). We’ll keep you updated if this changes.

 

out-of-the-storm@2x

Introducing 1Password 6.6 for Mac

I’m happy to announce we just finished assembling a new version of 1Password! It’s working its way through the update engines around the world now and hopefully it’s ready for you by the time you finish reading this. ?

The biggest change in this release is a whole new setup experience. We’ll dive into that in a moment, but first I’d like to share a cool new feature for those of you lucky enough to have one of those sexy new MacBook Pros.

We’ve been experimenting with the new Touch Bar since the beginning and added Touch Bar support along with Touch ID back in November as soon as the new Macs were available.

Today we’re taking the next step tap and giving you the ability to customize your Strong Password Generator settings directly from your Touch Bar!

I always enjoy the feel of tapping actions on the Touch Bar but sliding your finger across it is even better! Trust me, you’ll have a hard time customizing your password length just once. ?

There’s several other changes in this release as well, but let’s dive right into the big one now.

New Setup Flow

The biggest change is one that most of you probably won’t see until the next time you’re setting up a new Mac. Those new MacBook Pros with Touch ID really are pretty sweet so hopefully this isn’t too far in your future! ?

Starting today we have a lovely new flow for the setup screens1. Like their little cousin on iOS did earlier, 1Password for Mac makes getting started much simpler.

Now when you launch 1Password on a new Mac you’ll be greeted with a lovely page asking you if you’ve used 1Password before:

opm6-6-setup-screen

Those of you who have already been rocking with 1Password can use your existing data, and everyone else who’s just getting started can begin their free trial.

Free Trials From Mac App Store

We’ve always wanted everyone to be able to try 1Password before needing to purchase. Our website version has supported free trials since the very beginning, but it wasn’t possible in the Mac App Store when we first published 1Password there way back in 2011.

Thankfully Apple gave us a wonderful present at their Worldwide Developers Conference last year that made this possible for Mac App Store users as well.

1Password now comes with a 30 day free trial in the Mac App Store. Those downloading 1Password for the first time will start their trial and be prompted to subscribe once their trial expires:

opm-6-6-subscribe

Your single subscription allows you to use 1Password on all your devices and always have access to the latest versions.

Those who previously purchased 1Password in the Mac App Store will continue to be able to use 1Password as before and are not required to subscribe to our 1Password membership. Although there are a lot of great reasons why you should…

Benefits of a 1Password Membership

introducingI’ve been a license holder since the beginning. In fact, I’m pretty sure I got the first license we ever made!

If you’re a longtime license holder of 1Password like I was, I’m sure you’re wondering what all the hullabaloo is over our new service. I’m glad you asked and I’m happy to unlock that mystery for you! ?

There are a lot of benefits to a 1Password Membership over a standalone license, but for me it boils down to convenience, security, and peace of mind.

convenience-updatesLet’s start with convenience. With a membership, all I do is log in on a new device and all my data is there. I can even organize my items in multiple vaults and they all appear instantly.

And the best part is my membership gives me access to the latest version of 1Password on all my devices so I don’t need to worry about managing any licenses. I’m really happy that I don’t need to say “1Password is sold on a per-person, per-platform basis, with paid upgrades for major new versions” anymore. ?

double-securityOn the security side of things, I absolutely love our new encryption design that leverages Galois/Counter Mode for efficient authenticated encryption and our ingenious Two Secret Key Derivation starring our unique Account Key.

I know I know, I’m a huge geek and love the details, but these and many other things all add up to better performance and a secure-er than ever way to protect your data. You can check out our security page for a nice high level review, along with a detailed White Paper for my fellow geeks reading this. ?

As for peace of mind, this one is priceless. I simply sleep better at night.

sleep-at-night

With my 1Password membership, I know that all my data is backed up automatically for me, and every change is remembered so I can go back in time and restore my precious items whenever I need to. And with our Family account I can securely share passwords with Sara so she has access to everything she needs.

In short, I’m absolutely loving my 1Password membership. It’s the best way to use 1Password.

love-1password

Becoming a 1Password Member

If these benefits excite you and you want to join me, becoming a 1Password member is super easy.

You can jump on board and migrate all of your data over in just a few short steps. We have a quick guide on how to setup a new account and move over your data, along with a nice video showing how easy it is to do.

I know you’re busy so I’m happy to say you can finish the entire process in just a few minutes. Start by creating your new account here:

Start Your Free Trial Today

Often it feels like I’ve been using all these great new features for a lifetime, but looking back we introduced 1Password Teams only 15 months ago, 1Password Families almost exactly one year ago, and 1Password Memberships just 6 months ago.

It’s amazing how quickly I came to rely on these benefits and how I was able to fall in love with 1Password all over again. I think you will, too.

Enjoy! ❤️ ??


  1. Those with eagle eyes might be saying “again?” since 1Password 6.5 had a new setup experience for those who downloaded from our website. But we’ve iterated on the design and now everyone gets to join in on the fun, including those who install using the Mac App Store. 

Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

As you may have read, this weekend was a little hectic for us and some of our app developer friends1. On Saturday we got word that users of 1Password for Mac were seeing the app fail to launch correctly. It took a few hours, but we diagnosed the problem and released an update that corrected the issue. This issue will only have affected users that downloaded 1Password for Mac directly from our website, so if you downloaded it from the Mac App Store you had a much more calm weekend than we did.

But alas, that story has already been told. Now it’s time for the nitty gritty technical details about all the forces that aligned against us that had us staring up a giant wall of crashing water like George Clooney and Mark Wahlberg.

Prologue: Not All Certificates Are Created Equal

There’s a lot of information to unpack in this post, but before I get started, I’d like to address an assumption I’m seeing far too many people making: that what happened to us was simply an issue of an expired certificate and that all we needed to do was create a new one, just like you do for SSL certificates.

That’s simply not true.

Developer certificates are much different than SSL certificates and serve a very different purpose. Unlike a simple SSL certificate, our developer certificate is used to sign 1Password and needs to be valid during build time. The expiry time of a certificate or provisioning profile should have no impact on whether or not macOS will allow an app to launch or not.
An analogy may be helpful here: if you think of the developer certificate as a carton of eggs, and 1Password as a cake, then it is important not to use expired eggs to make the cake. The fact that the eggs may expire a few days after making the cake should have no effect on the cake itself. After all, the cake is already made and delivered.

Jumping out of the galley and back into our developer world, an expired certificate typically doesn’t affect us until the next time we need to do a release, which would have been this week with our next betas. Certificates control our ability to sign new apps. They don’t affect existing released apps.

For example, we have some users still using 1Password 3 for Mac (hey there, if that’s you, you should really consider upgrading to a 1Password membership as soon as possible!). The first release of 1Password 3 was in 2009, around 8 years ago. Assuming a user is happy with 1Password 3, how long should they expect to be able to continue using the software they paid for? The only acceptable answer to that question is: as long as they feel like it.

Obviously there’s plenty of reasons for why a user would want to upgrade to newer versions, but the fact of the matter is that a user shouldn’t be reliant on us to keep providing updated builds of an unmaintained app just to keep it running. Unlike an SSL certificate, this isn’t something we can simply fix from our end. Fixing the issue we ran into this weekend is a matter of creating a new build of the app and having users update to the new version.

Taking a Tour of the Engine Room

iCloud Sync

To properly understand what happened, let’s take a step back and look at the different parts of this.

In Mac OS X 10.7 Apple introduced Gatekeeper. Gatekeeper is really quite awesome as it gives users control over what software is allowed to run on their system. The default is to allow software from verified and trusted developers: those apps that have been uploaded to the Mac App Store, or those signed with Developer ID certificates made available to the developer by Apple.

Gatekeeper ensures that apps that have been tampered with will refuse to run, and also provides Apple with a way to revoke certain certificates if a developer has been found to be doing harm (i.e. distributing Developer ID signed malware). These simple steps stop a wide variety of attack vectors and we think the world of Apple for having implemented this.

The next layer is the Provisioning Profile. Provisioning Profiles provide information about what the app can do, as well as who can run it. There are certain services on the Mac that require that the app include a Provisioning Profile. In our case, we needed to start using a Provisioning Profile when we added support for unlocking 1Password using Touch ID.

To be clear, Touch ID itself doesn’t necessitate the profile, but in order to unlock your vault we need to store a secret and we choose to store it the OS X keychain. The specific configuration we’re using for that requires declaring that we want access to a specific keychain access group, which needs to be declared in a provisioning profile. The provisioning profile is included in the app bundle and cannot be updated independently of the app.

Next up… XPC. We use XPC to communicate between the 1Password main app and 1Password mini – the little 1Password that runs in your menu bar – and it’s really quite awesome. 1Password mini acts as the brains of the whole operation, and the larger app is mostly just responsible for displaying information. The reason we love XPC so much is because it’s an inter process communication tool that actually provides us the building blocks we need to perform mutual authentication. What this means is that 1Password mini will refuse to communicate with the main app unless it can prove that it’s signed by us. The inverse is true as well.

Storm Clouds Gather

clouds-gathering@2xAt around 3pm EST on February 18th we started getting reports of failures in 1Password for Mac. Folks were seeing an error appear that 1Password was unable to connect to 1Password mini.

Unable to start 1Password

This initial failure occurred due to the fact that the provisioning profile embedded in 1Password mini had an expiration date. Expiration dates seem to be required, and due to the fact that the expiration date elapsed, Gatekeeper decided that 1Password mini was no longer safe to run. We’ve filed a bug with Apple as we feel that this shouldn’t be the case (rdar://30631939 for those of you reading along inside the Mothership).

Only 1Password mini contains the Provisioning Profile as all Touch ID operations happen within that process. This meant that Gatekeeper was deciding that our main 1Password app could launch. Upon launching, 1Password performs its start up sequence which includes asking the system to launch 1Password mini if it’s not already running. When doing so, the system would log the following to the console:

com.apple.xpc.launchd[1] (2BUA8C4S2C.com.agilebits.onepassword4-helper[11038]): Binary is improperly signed.
com.apple.xpc.launchd[1] (2BUA8C4S2C.com.agilebits.onepassword4-helper[11038]): removing service since it exited with consistent failure reason When validating /Applications/1Password 6.app/Contents/Library/LoginItems/2BUA8C4S2C.com.agilebits.onepassword4-helper.app/Contents/MacOS/2BUA8C4S2C.com.agilebits.onepassword4-helper:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
com.apple.xpc.launchd[1] (com.apple.ReportCrash[11041]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.ReportCrash

The 1Password main app detected the failure and provided an error panel telling the user that it couldn’t connect to mini.

Due to the expired Provisioning Profile, 1Password mini wouldn’t launch. And without mini running, 1Password itself was unable to startup successfully. Both mini and 1Password itself were signed with the same Developer ID certificate. Gatekeeper allowed 1Password to run, but due to the different rules for apps with provisioning profiles, it would not allow mini to run.

As far as we can tell, the only way to correct this problem is to provide a new build of the app with an updated provisioning profile with a new expiration date. Within a few hours we were able to publish a new version which did exactly this. As of 6.5.4, we had an app that users could download and run again.

The Eye Of The Storm

eye-of-the-storm@2xAfter this initial bout of terror, death defying feats, and mad scrambles we figured the technical portion of this exercise was finished and had begun transitioning into customer support mode; helping allay the fear, uncertainty, and doubt that this event had caused.

Little did we know at the time, we were only in the eye of the storm – the calm center before things would get rough again.

1Password for Mac includes an updater within the app so that users can easily upgrade to the latest versions as they become available. This updater validates downloads before performing the update to ensure that the updated app is in fact from AgileBits. One of the steps taken during validation is looking at the code signature of the downloaded app and ensuring that it satisfies the following security requirement:

anchor apple generic and identifier com.agilebits.onepassword4 and certificate leaf[subject.CN] = “Developer ID Application: Agilebits Inc.”

This check has worked really well for us. It’s simple and does the trick.

This check is also extremely specific about the common name2 it looks for. When we generated our updated provisioning profile we also needed to generate a new Developer ID certificate. We didn’t realize it at the time, but the common name of newly created certificates now include the team identifier in addition to the company name;  “Developer ID Application: AgileBits Inc. (2BUA8C4S2C)” vs. “Developer ID Application: AgileBits Inc.”. Close. Super close. But we weren’t looking for a “close” match.

The result of this new common name was that even though our app would now launch, the automatic updater would never run successfully because as far as it was concerned the update being provided wasn’t valid and therefore needed to be rejected. This is what users who could still run 6.5.3 and tried to update to 6.5.4 saw.

Once we discovered this problem we had no choice but to pull the 6.5.4 update and issue a 6.5.5 update that included a modified security requirement check. Sadly this didn’t address the fact that users running 6.5.3 and earlier are not able to automatically update to 6.5.5.

Moving Forward and Heading Home

heading-home@2xThis was painful for everyone. We lost sleep over the weekend, but worse than that… our users temporarily lost access to some of their most important information. This is unacceptable to us and we want to make sure this doesn’t happen again.

We’ve reached out to Apple for help and guidance on what we can do to avoid this happening again in the future. Our new provisioning profile doesn’t expire until 2022, but we’ll make sure that this is resolved far before then so that you need not worry about that happening.

If you’re a developer of a Developer ID signed app, we recommend that you check to see if your app includes a provisioning profile. Since that’s mostly handled automatically by Xcode, it’s likely that there are apps out there whose developers aren’t even aware of the inclusion of the provisioning profile. Check the expiration date, and ensure that you release an updated build with an updated provisioning profile well before the expiration date is hit so your users have time to update.

We’ve also filed an enhancement request with Apple asking that developers be notified via email of impending distribution certificate or provisioning profile expirations with explanations of repercussions. This was filed as rdar://30631968.

If you have questions about any of this, please don’t hesitate to ask us in the comments below.

Love,
The 1Password Mac Team
❤️

P.S. Happy 5th Birthday to Gatekeeper! ? We were one of the first apps to sign with Developer ID certificates, use XPC, and leverage the entitlements required for Touch ID. It’s always exciting being on the cutting edge of technology but we wouldn’t have it any other way. ?

Further Reading

This was the second post in a three part series. See the exciting prequel and sequel here:

Part 1 : 1Password for Mac 6.5.5: Manual update required

Part 3 : PSA for macOS Developers: Renew Your Certificates & Provisioning Profiles


  1. The exact same perfect storm appears to caused our friends at Smile to hit the same rough seas that we had. You can see Adam Engst’s story in TidBITS for details on how this affected PDFPen. 
  2. The Common Name is the subject.CN part of the security requirement. As our Chief Defender of the Dark Arts often says of Common Names: they are often very uncommon. The name is inherited from older identify management systems. I don’t need to say much more as Jeff loves explaining things, so let’s all sit back and watch what he says in his comment that I’m sure he’ll be adding soon. 

1Password for Mac 6.5.5: Manual update required

tl;dr

As a result of an expired provisioning profile and format change in the developer certificate, customers who downloaded 1Password for Mac directly from our site will need to manually update to the latest version. Those using 1Password from the Mac App Store are not affected.

For those who are interested, here are the events that conspired against us to make for an interesting Family Day weekend…

Fire at the office

I was out at the gym yesterday when I received a call from my wife. I thought she was calling about our belated Valentine’s dinner we had planned. Instead she rather alarmingly told me that “Sara called and said there is a fire at the office”.

Rushing home, I was expecting to hear that the hammocks and standing desks had gone up in flames. (Happily our servers are all virtual so I wasn’t too concerned). The “fire at the office” turned out to be a fire with 1Password for Mac. Customers were getting an error message when trying to start 1Password!

Unable to start 1Password

I urgently gathered our Mac team who were enjoying their holiday weekend to figure out what happened. We quickly recreated the issue and found this error in the logs: Binary is improperly signed. This seemed very strange to me as this version was released back in 2016.

We knew our developer certificate was going to expire on Saturday, but thought nothing of it because we believed those were only necessary when publishing a new version. Apparently that’s not the case. In reality it had the unexpected side effect of causing macOS to refuse to launch 1Password properly.

New certificate, new format

We renewed our certificate and released 1Password 6.5.4 thinking all would be well. And that’s when the other shoe dropped. When we created the new certificate it had a new format for the Common Name.

While this sounds like an inconsequential change, our built-in installer goes to great lengths to validate that every 1Password update is actually 1Password. Since our installer did not recognize the new certificate format it refused to update.

No problem can’t be solved without yet another build, so we created 1Password 6.5.5 ?

Long story short, 1Password 6.5.5 is now available and solves all these problems. The only catch is it requires you to install it manually.

Moving forward

As you might imagine, we have a whole new level of understanding of the importance of expiring provisioning profiles and certificates. Our new certificate expires in 2022 but I can guarantee you we will be renewing it far before then.

I do apologize for the inconvenience and extra work that this will cause you. I am sure you had better things to do on your long weekend too. If you have any problems with this update please let us know.

I also want to take a quick moment to say “Thank You”. The understanding that I’ve seen from the 1Password community is overwhelming. You never cease to amaze me. It has truly been a humbling experience.

Having spent all Saturday fighting this fire, I still owe Brenda the dinner we were supposed to have had. After missing Valentine’s Day dinners two weeks in a row, I kind of wish the actual office had been on fire ?

Further Reading

This was the first post in a three part series. The story continues here:

Part 2 : Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

Part 3 : PSA for macOS Developers: Renew Your Certificates & Provisioning Profiles

1Password 6.5 for Mac: Fantastic Secrets and Where to Find Them

These past few months we’ve been toiling like house elves on an incredibly new and awesome version of 1Password for Mac and I am happy to report it is available now.

As development on 1Password 6.5 was winding down Apple made an announcement that presented us with an incredible opportunity: The arrival of a magical new MacBook Pro with Touch Bar and Touch ID. We were there on day one with Touch ID support on iOS and maintaining that tradition on macOS was a no brainer.

We have a lot of ground to cover in this marvellous story so open your textbooks to page 394 and let’s read on, shall we?

Unlocking with your fingerprint is as easy as swish and flick

So how about that new Touch ID support? There’s no need to utter any incantations to magically unlock 1Password with your fingerprint. Just enable the Touch ID setting in Security Preferences and you’ll be good to go.

Those of us with the new MacBook Pro here at AgileBits have been known to quietly whisper “Alohamora” under our breath as we perform this charm, and quite frankly, we recommend you do the same.

wizard-card

But Touch ID support is just the collectible wizard card that comes with the chocolate frog that is our massive 6.5 release.

Practice your wandless magic

Touch ID isn’t the only new piece of magic to which we’ve hitched our broomstick. The new Touch Bar is almost as awesome as picking up the latest offering at Weasley’s Wizard Wheezes (but without the fear factor).

We’ve only just begun to take advantage of all the cool capabilities the Touch Bar makes possible, and already it has improved the way we use 1Password every day. For me it’s a toss up between the beautiful menu of categories that appears when I create a new item or being able to switch vaults with a tap.

touch-bar

Other incantations you can conjure with the Touch Bar include:

  • Adding a new item
  • Choosing the category in which you want to create an item
  • Locking your vault easier than casting the “Colloportus” spell
  • Activating search (to find the game-winning golden snitch, of course)

All aboard on Platform 9 3/4!

Of all the work that went into this new version, I want to highlight a piece that many of you may never see. That piece is a brand new first-run experience that anyone setting up 1Password for the first time will encounter.

new-first-run
Setting up 1Password for the first time on a new Mac is now just like that first swig of Butterbeer: warm, inviting, and deliciously sweet! We’ve completely rewritten this experience from the ground up. You can now create a brand new 1Password account directly inside the app so it’s easier than ever to get up and running.

Accio your items from anywhere

Accio your items with Alfred and LaunchBar!
Speaking of 1Password.com, one of things we’ve all missed was the inability to access our 1Password.com items from our favorite productivity tools like Alfred and LaunchBar. For version 6.5 we worked closely with the fine folks at both Alfred and LaunchBar to correct this egregious shortcoming. As of this writing Alfred has released an update for this new integration and LaunchBar has an update coming soon!

More goodies than Bertie Bott’s has flavours!

1Password 6.5 truly is an enormous release, packed with over 100 new features, improvements, and fixes. Here’s the full list for your studies. Be sure to pay close attention to all these Bits and Botts as they may appear on your upcoming Ordinary Wizarding Level Examinations.

New

  • 1Password can now be unlocked with your fingerprint on the new Touch ID-capable MacBook Pro.
  • Touch Bar support has landed! While using 1Password you will see enhanced controls in the Touch Bar on your new MacBook Pro.
  • 1Password has a whole new first-run experience! Setting up 1Password has never been easier. {OPM-4200}
  • You can now scan 1Password Account codes using the FaceTime HD camera on your Mac!
  • 1Password can now fill additional text, email, and password fields for items created outside the browser extension. {BRAIN-111}
  • 1Password will now ask you to migrate items from your Primary vault to newly added Personal vaults when adding a 1Password.com Account. {OPM-4240}
  • 1Password will now offer to automatically add any 1Password.com account to 1Password for Mac after signing into that account in your web browser. {OPM-4236}
  • Added the ability to copy 1Password Documents across 1Password.com accounts. {OPM-3974}
  • Added a Download Local Copy item to the context menu for Document items. {OPM-3939}
  • Added the ability to manage your 1Password account subscription within the app (AgileBits Store Only). {OPM-4249}

Improved

  • Improved filling of credit card expiration dates. {BRAIN-138}
  • Updated our translations with the latest from our incredible translators on Crowdin.
  • Renamed the Start Over menu item to Reset All 1Password Data. {OPM-4069}
  • 1Password mini’s menu width is automatically resized to fit long browser extension names. {OPM-4112}
  • After migrating to a 1Password.com account, the new account vault becomes the default vault for saving. {OPM-4534}
  • Improved the wording in Add Account preferences. {OPM-4444}
  • Improved wording in Accounts Preferences regarding 1Password.com Accounts. {OPM-4306}
  • Improved handling of sync when Folder Syncing to a removable disk. {OPM-4414}\
  • Updated to the latest 1Password brain for improved Login saving and form filling.
  • 1Password is now better at avoiding “search” and “newsletter” forms when filling. {BRAIN-289}
  • 1Password is now better at saving Logins on pages with search fields. {BRAIN-274}
  • 1Password is now better at avoiding search fields on Russian and German websites. {BRAIN-293}
  • 1Password is now better at handling sneaky password fields on Swedish websites. {BRAIN-310}
  • Improved the wording of the macOS authentication prompt. {OPM-3768}
  • We now enter edit mode after converting a Password to a Login. {OPM-4284}
  • Updated the password generator minimum and maximum values. {OPM-4409}
  • Added mechanisms for strengthening communication with 1Password.com.
  • Improved the parsing for certain improperly formatted web addresses. {OPM-4281}
  • Improved network efficiency with 1Password.com accounts {OPM-4290}
  • Added a notification to update to the latest 1Password version when features aren’t compatible with the 1Password.com Account server. {OPM-4177}
  • Changed naming of Wi-Fi sync to WLAN sync. {OPM-3851}
  • Empty address fields are now hidden when viewing items. {OPM-3902}
  • Updated the way 1Password determines which URLs to match in the extension. {OPM-4078}
  • When merging vaults during sync setup the password hint is no longer truncated if it’s too long. {OPM-4053}
  • Removed some potentially offensive words that were present in the word list for our Word-based Strong Password Generator. {OPI-3129}
  • The error message for when 1Password mini is quarantined by the system is now less mysterious. {OPM-4102}
  • Added a hover button and Voice Over support to item attachments. {OPM-624}
  • Removed several instances where 1Password for Teams or 1Password for Families language was used and replaced with 1Password Account.
  • Made numerous improvements to the way text is handled throughout the app to make translation easier.
  • Improved WLAN sync error handling. {OPI-3314}
  • Personal and Shared vaults will now display the user or team avatars if they don’t have their own avatar. {OPM-4032}
  • Improved the first run experience when using onepassword://team-account links. {OPM-4019, OPM-3905}
  • Improved the custom icon display for 1Password.com account items in the main 1Password app. {OPM-4125}
  • Improved the experience when deleting the last 1Password.com account when no local vaults exist. {OPM-4033}
  • Decreased the delay in uploading custom icons for Teams and Families vaults. {OPM-4124}
  • The account details preference pane now shows when you’re in trial mode. {OPM-4562}

Fixed

  • Fixed the layout of the Start Over dialog so that it worked better with more verbose languages. {OPM-4167}
  • Fixed an issue where custom icons would not upload to 1Password.com accounts. {OPM-4049}
  • Fixed an issue where vault switching in mini was not instantly mirrored in the main app if it was in the background. {OPM-3523}
  • Fixed a bug that could cause instability in the Preferences window. {OPM-3983}
  • Fixed a bug when removing an attachment file before saving the item with the attachment. {OPM-4057}
  • Fixed an issue that caused Reset iCloud Data to be enabled even though there weren’t any local vaults. {OPM-4104}
  • Fixed an issue that caused problems with VoiceOver navigating password values. {OPM-3343}
  • Fixed an issue that caused category sorting in All Vaults to not sort properly when only non-1Password Account vaults were present. {OPM-4131}
  • Fixed an issue that would cause WLAN sync to not activate after unlocking 1Password for Mac. {OPM-4129}
  • The anchored Large Type window no longer crops off the top of characters in a long password. {OPM-4135}
  • The tab key now cycles through fields properly again when editing an item. {OPM-4083}
  • Fixed an issue where some unrecognized data in an item would be lost while saving. {OPM-4234}
  • Fixed autosubmit on fideliti.co.uk. {BRAIN-268}
  • Fixed a layout issue in macOS Sierra when choosing fields while exporting CSV or tab-delimited files. {OPM_4241}
  • Fixed a layout issue with the Password Generator on macOS Sierra. {OPM-4304}
  • Fixed the multi-line height calculation for notes and tags in macOS Sierra. {OPM-4297}
  • Obliterated a hang that could be caused by Documents with missing metadata.
  • Fixed a rare crash when scanning a QR code when creating a one-time password or adding a 1Password.com account. {OPM-4351}
  • Fixed instance where logging into 1Password.com may not offer to add that account to 1Password when using Bartender. {OPM-4435}
  • Resolved a logic flaw that would result in a failure to properly load localized category names on macOS 10.12 {OPM-4433}
  • Fixed a crash that could happen when using custom icons. {OPM-4423}
  • Fixed a minor button alignment issue in account sign in setup screen. {OPM-4481}
  • Fixed issues introduced in a previous beta causing setup screen animations to fail in macOS 10.10 and 10.11 {OPM-4476, OPM-4477}
  • Fixed a crash that could occur when right clicking on 1Password mini. {OPM-4552}
  • Fixed a crash that could occur when scanning a QR Code for a TOTP field. {OPM-4500}
  • Resolved a height issue with the dialog window that appeared when enabling local vaults in the Preferences window. {OPM-4390}
  • Fixed a rare crash when syncing with iCloud. {OPM-4328}
  • 1Password would fail to fill sites that had previously saved fields 1Password ignores during filling. {BRAIN-299}
  • Fixed an issue where certain Favorites could cause issues while syncing with 1Password.com accounts. {OPM-4402}
  • Fixed a bug in the item selection logic. {OPM-4417}
  • Fixed an issue that could cause 1Password mini to hang while copying large numbers of items across vaults. {OPM-4395}
  • Fixed a crash that could occur during sync via AgileKeychain. {OPI-3713}
  • Fixed an issue preventing two my.1password.com accounts from being added at one time. {OPM-4312}
  • Fixed an issue that would cause 1Password to authenticate twice with 1Password.com upon startup instead of just once. {OPM-4286}
  • Fixed an issue that caused broken custom icons. {OPM-4314}
  • Fixed an issue that could create a username conflict when manually saving a login on some sites. {OPM-4156}
  • Fixed an issue where item counts were being squished on macOS Sierra. {OPM-4228}
  • Fixed an issue that caused problems reading scanned QR Codes. {OPM-4322}
  • Fixed a crash that could happen when removing the Primary vault on OS X 10.10 Yosemite. {OPM-4309}
  • Fixed a crash that could occur when disabling vaults outside of 1Password accounts. {OPM-4273}
  • Fixed the Large Type window so that it stays on screen after being anchored by dragging it. {OPM-4152}
  • Fixed an issue where the verify code signature setting wasn’t being consulted when 1Password was locked. {OPM-4165, OPM-4178}
  • Login filling failed on tecmarket.it. {BRAIN-254}
  • Resolved an issue where 1Password would incorrectly identify the designated username and password field when saving a Login. {BRAIN-207}
  • Resolved an issue where 1Password would fill credit card month value into quantity fields when the field was of number type.
  • Resolved an issue where 1Password would attempt to fill into disabled or read-only fields. {BRAIN-263}
  • Radio buttons were being improperly saved and restored. (Existing Logins will need to be resaved.) {BRAIN-74}
  • 1Password would not fill the same password value into more than one field. {BRAIN-83, BRAIN-84}
  • Fixed an issue that caused a crash when using the Strong Password Generator. {OPM-3676, OPM-4218}
  • Fixed issues that could occur while using your browser during 1Password’s setup {OPM-4565, OPM4569}
  • Fixed an issue where animations could get stacked and cause unintended view layout in the Setup and QR scanner windows. {OPM-4571}
  • Fixed an issue that prevented tabbing among the buttons in the Setup window. {OPM-4566}
  • Fixed a spacing issue with the Preferences window when viewing the security preferences with a 1Password.com account vault selected. {OPM-4570}
  • Fixed a crash with the QR scanning window in the Mac App Store version. {OPM-4572}
  • Fixed a crash when trying to unlock from the browser extension when still in setup mode. {OPM-4333}

This was an incredible release and we hope you love it as much as we loved creating it. So long for now and good luck on your Owls!

Having fun with Touch ID and the Touch Bar in 1Password

Yesterday was the special Apple event and all activity at AgileBits stopped as our entire team watched the live stream to see what goodies would be coming our way. For me, the most exciting news by far was the announcement of the new MacBook Pro with its amazing Touch Bar and Touch ID.

I remember how excited I was at the Apple developers conference when they first added Touch ID to iOS 8. I rushed back to the hotel, Xcode beta in hand, and added Touch ID to 1Password that very night. The joy of seeing 1Password unlock with just a tap was overwhelming.

Well, here I am again with that exact same feeling ?

Now that the new MacBook Pro’s have Touch ID we can bring that same great feeling you are used to on iPhone to your Mac, and it looks pretty darn cool too. Take a look for yourself and see!

As stunning as it looks in the Xcode simulator on my soon-to-be-obsolete late 2013, 15” 2.3 GHz Retina MacBook Pro, I can’t wait until my new Mac arrives so I can use it for real.

Oh, and then there’s the new Touch Bar. Wow! I was really excited seeing Phil demo this. The Touch Bar introduces a brand new world to the Mac and with it comes some wonderful opportunities to make 1Password even better. Dan, our designer extraordinaire, has begun to explore what the Touch Bar can bring to 1Password and I’d like to share some early designs.

Touch Bar for 1Password

What Dan has come up with is really exciting and I can’t wait to play with it. I think that switching between my work and home vaults with just a tap is going to be the most awesome, albeit sliding my finger across the Touch Bar to generate a strong password comes in a close second.

The possibilities with the Touch Bar are limitless and I am excited to hear how you see yourself using the new Touch Bar with 1Password.

Please share your thoughts in the comments below ❤️

Chatting the Snaps at WWDC

What an exciting time it is in the world of Apple! My name is Connor; I’m what my colleagues like to call the “Millennial in Residence” on the AgileBits team, and I spend most of my time doing development and support for 1Password for iOS. Some of my team members and I were lucky enough to make the trip out to San Francisco recently to attend Apple’s annual Worldwide Developers Conference, otherwise known as WWDC. We spent the week watching presentations, participating in labs, and planning all the exciting things that are on the horizon for our iOS and Mac apps.

My trip started in the early hours of Sunday morning in Toronto’s Pearson airport, where I took the five-hour flight to San Francisco. From there, I was whisked by BART into downtown where I quickly checked in to my hotel and made my way to the Moscone Convention Center to begin the week. I was lucky this year to win Apple’s WWDC Scholarship, which got me a ticket to the conference and a chance to participate in some student-specific activities throughout the week. The first thing on the agenda was student orientation, where Apple presenters gave us their thoughts on what makes an app “great” and some amazing stories of how their lives led them to a coveted position at Apple. We then gathered for a giant group picture—there were 350 of us! The illustrious Tim Cook even joined us to take selfies and sign our badges (talk about an amazing souvenir).

Monday morning brought with it the ever-exciting keynote presentation, where Tim and his team of executives took the stage to introduce all of the hard work they’ve been doing during the past year. We saw some great updates to all of Apple’s operating systems, including watchOS, tvOS, iOS, and the newly renamed macOS Sierra. We saw how Apple is continuing to make its platforms work hand-in-hand with features like shared clipboard, Siri on the Mac, proximity unlock for Apple Watch, and many other awesome improvements. They also gave us some great improvements to 3D Touch which I am personally very excited about. The team and I were inside the Bill Graham public auditorium with several thousand other developers and members of the press as these announcements were made, and I can tell you that the energy in that room was incredible, especially since it was my first time experiencing an Apple keynote.

The ‪1Password‬ crew has our seats for today’s WWDC keynote!

A post shared by Michael Fey (@mrrooni) on

I spent the rest of the week in what Apple calls the labs: expansive areas covering most of Moscone’s first floor, dedicated to Apple engineers helping developers like me in one-on-one (and often fairly lengthy – thanks Alex!) sessions. I got the chance to improve my code, familiarize myself with new frameworks and language updates, and of course give feedback to the very engineers that built the tools we use every day. We also got an in-depth look at those new development tools; an extra helpful Xcode engineer even helped me with a build configuration problem that would have had me running in circles for the entire afternoon.

Many of us engaged in various “skunkworks” projects, where we took some of Apple’s new frameworks and attempted to bend them to our will in 1Password. While I can’t make any promises that they’ll ever see the light of day, I will say that we were very intrigued by the possibilities created by iMessage apps, Home screen widgets, and watchOS 3. It was also great for us to run the current version of 1Password on the developer preview builds of iOS 10 and macOS Sierra. I’m happy to report that it runs well! I also attended awesome talks by Apple engineers about advancements they’ve made in watchOS, the UIKit framework, and the Swift language. I learned more during the conference than I could even process at the time, so I’m glad I took notes throughout the week :)

It was also great for us to run the current version of 1Password on the developer preview builds of iOS 10 and macOS Sierra. I’m happy to report that it runs well!

The other hugely important, exciting, and just plain fun aspect of “Dub Dub” was the chance to meet dozens of people who use the software we write. I had so many people walk up to me and ask about the various 1Password shirts I wore through the week.

Chatting the Snaps at WWDC 2016

Everyone I met was super friendly and had things to say about 1Password that really warmed my heart, like, “I’ve been using 1Password since my very first Mac,” or, “This is the first app I download every time I get a new phone.” Things like that are why my team and I work so hard to make 1Password great. We know that you really rely on it every day, and it was a truly humbling experience to talk to so many of you in person.

All in all, it was an amazing week. From teaching my cough more age-abundant co-workers how to use Snapchat (or in their words, how to “chat the snaps”), to the wonderful people we met, to the great new tools and products that Apple unveiled, it was an incredible experience for the entire 1Password team.

1Password 6.3 for Mac: The Passion Project

Spring has sprung and passion is in the air. The birds are feeling it, the bees are feeling it, we’re feeling it and so are you! We have heard your passionate pleas for some key improvements and we are overjoyed to share the results with you in our latest update to 1Password for Mac, version 6.3.

New browser support

Like many of you, we love trying out new browsers, but we are lost without our 1Password browser extensions. That’s why we added support for three more browsers in version 6.3: Vivaldi, Brave and Opera developer. Vivaldi aims to be the most customizable of browsers (and is it ever!), Brave is focused on security and privacy and Opera developer is for those who love to live on the edge. These browsers are now verified by 1Password, enabling you to log in to any website safely and securely.

Large Type

Did you know that you can embiggen your passwords? We introduced Large Type in 1Password 5.4 and it immediately became one of your favorite features. Among your love notes and thank-yous were some enthusiastic pleas to let the Large Type window be anchored so that you can click elsewhere without it disappearing. Now you can! Simply drag the window and it will become an anchored window that won’t disappear until you close it or lock your vault.

1Password 6.3 for Mac: Anchor the Large Type window

VoiceOver

Accessibility is important to us and VoiceOver support is a key tool in making 1Password more accessible to more users. 1Password 6.3 is now easier to navigate when using VoiceOver, especially when moving between the sidebar, item list, and item details. We have also made similar improvements to 1Password mini.

These are just some of the features in our latest release, but there are so many more. If you’d like to see the whole list of improvements, check out our full release notes.

What do you think of today’s update? Please share your thoughts with us in the comments or start a conversation with us in our discussion forums. We also invite you to reach out to us on Twitter or Facebook.

1Password 6.2 for Mac: The New Tricks Edition

You know what they say. “You can’t teach an old dog new tricks, but you can teach password managers new things.” I don’t know about old dogs, but 1Password has definitely learned some new tricks over the years. There have been dozens of new versions, hundreds of betas, and approximately a gazillion improvements! That’s a lot of changes, and we’re not about to stop now. Welcome to 1Password 6.2 for Mac: The New Tricks Edition.

A bigger brain

1Password logo: brain

One of the most magical things about 1Password is the handy-dandy browser extension, which automatically saves your passwords. It’s also the way 1Password knows how to fill in your information on sites asking for your shipping information or credit card number.

The extension is powered by what we call the brain, and boy has it been doing its homework lately. It studied numerous websites, drank some ginseng-infused green tea, and now is ready to fill your information on any website you throw at it. When you save a new Login, the brain will also take a stab at filling in a good title for you.

First-class importing

We’ve made 1Password a lot more versatile and accessible in recent months. We’ve had beautiful updates to 1Password for Android, iOS, and Mac. We announced 1Password for Teams and 1Password Families. We also have 1Password beta for Windows 10 in the Windows Store. This is the best time for you, your businesses, and your loved ones to join our 1Password family.

1Password 6.2 for Mac: Import Wizard

We wanted to make switching to 1Password a breeze, so we took another look to make sure importing data was simple. If you’re joining us from another app, jump right in—the water’s fine and the sailing’s smooth!

The whole bag o’ tricks

These are the two big new features available in 1Password for Mac, but that’s not all we have for you! This release features dozens of other improvements. We’ve made 1Password mini faster and play better with multiple active Chrome profiles. Plus, you can now restore existing data from iCloud when you’re setting up 1Password for Mac. If you’d like to learn about all of the changes in this update, take a gander at our full release notes.

What do you think of today’s update? Please share your thoughts with us in the comments or start a conversation with us in our discussion forums. We also invite you to reach out to us on Twitter or Facebook.

1Password 6.1 for Mac: The Mini Delights Edition

From time to time, something most people overlook makes me really happy: pulling a perfect loaf of bread out of the oven, going for a run on a beautiful day, or writing a fantastic line of code. And sometimes, those small things happen close together and combine into something truly delightful. That’s what 1Password 6.1 is all about: little things that come together to make one great update.

Find the right Login

If you’re anything like me, you not only have a lot of Logins, you have many for the same site. We’ve made it easier to tell which Login is which when you’re using 1Password mini by displaying the Login’s username next to the title when you have duplicate titles.

mini-duplicate-title

1Password mini is also smarter when searching for words that contain accents or other diacritics. While watching the Oscars the other night, I was a little disappointed that The Revenant didn’t win Best Picture. I could at least send the director a consolation prize like a 1Password t-shirt or something (a more exclusive club, after all). I never remember how to exactly spell his last name though, I just remember that it starts with “Ina” with accents somewhere. 1Password makes it easy now, I can search without the accents and it’ll find it just fine.

mini-accents

Teams & Families

One of my favorite parts of 1Password for Teams is that Documents became first-class items. You can see a list of all Documents, and you can link as many items as you want to the same Document. In 1Password 6.1, Documents have become even better, as you can now add Notes and even custom fields, just like with other items. Want to store a password field to go along with that file? Go right ahead.

document-fields

Sync

Syncing your data across all of your devices is one of the greatest conveniences 1Password offers. As part of 1Password 6.1, we’ve rebuilt how syncing is scheduled at the core level. This means that sync now takes fewer resources, so that 1Password mini can be more responsive to the things you want to do.

We’ve also improved iCloud Sync in the AgileBits Store version of 1Password. It’s important to us that the iCloud experience in both versions our app is as good as we can make it.

Licensing

Setting up a new Mac is super exciting! That new Mac smell. swoon Then reality hits: all of those apps that you’re installing, they’re going to want licenses. Licenses that you’ll have to manually enter or drag and drop or double-click or whatever. We thought it would be amazing if we could make it a little bit easier for you to register 1Password for Mac, so 1Password 6.1 will recognize the license you previously saved in a Software License item. It will automatically register itself, without you needing to lift a finger.

1Password 6.1 for Mac: automatic licensing

Better Startup

In my last blog post, I mentioned steps we were going to take to improve the startup process of the 1Password app. 1Password is now a little smarter during startup, and it will do more to communicate with you about what’s going on. If something goes wrong, we’ve added ways for it to detect the problem and tell you about it.

And much more!

These are just a few of the changes we’ve been working on. 1Password 6.1 is available today for all users of the AgileBits Store version of the app, and has been submitted to the Mac App Store for review.

If you want to know all the details about this release, read the full release notes.