1Password 6.7 for Windows: a feature buffet

1Password 6.7 for Windows was meant to be a smaller update, but just like you always walk up to the buffet line with the best of intentions, we reached the end of the line with this update and ended up with three plates full of pastries. We have prepared a regular smorgasbord of 58 new features, improvements and fixes for you in this release. So grab a few extra plates and check out the latest Windows goodies. 🙂 Read more

Why We Love 1Password Memberships

TL;DR: We love 1Password. We love you. We believe 1Password memberships are the best and will shout it from the mountaintops, but standalone vaults aren’t being removed.

Recently a customer wrote in to praise us for handling a sticky situation with a quick and decisive response. They signed off their post with “from a happy customer”.

Jeff, our resident Chief Defender Against the Dark Arts, replied and signed his message with “from a happy 1Password maker”.

This was really cute and I loved the play on words. It also got me thinking though: we really are happy 1Password makers.

From a happy 1Password maker

Jeff’s phrase is similar to a statement that I tell our team often and expound upon during interviews: we all need to be working at our dream jobs. So I really shouldn’t be surprised by Jeff’s signature. But it stuck with me as I adored its simplicity.

Quick and to the point. And at the same time, a revelation. I absolutely loved it.

1Password is what it is today because we all love working here and have fun helping our customers. We are completely self-funded, independent, have turned down all offers from venture capitalists, and our board of directors consists entirely of people who work on 1Password and help customers directly each and every day.

As a result we’re able to provide true security and never compromise on protecting the privacy of our customers. We don’t have to and never will sell your information or spam you with ads.

The bottom line is we have a complete focus on 1Password and since we’re working on stuff we love, we’re excited and have the desire to constantly improve and make 1Password the best it can be. We’re happy to be able to do this.

Happy 1Password memberships

How is happiness related to 1Password memberships? Simple. We created 1Password memberships to make 1Password the best it can be. And a direct result of 1Password memberships is happier 1Password makers and customers alike.

I am so much happier now that 1Password has the power of memberships to help me help our customers. With memberships, there are several things that I no longer need to do, and as a direct result I have more time to improve 1Password and help more customers.

With 1Password memberships we have a wonderful set of things we no longer need to do. I call it my No More list and here are just the highlights:


No More telling people who had syncing misconfigured (or didn’t realize that syncing needed to be manually configured) that I’m sorry they lost their data when they reset their phone. With 1Password memberships, all your data is synced automatically when you sign in, so there’s nothing to set up or worry about configuring wrong.

No More telling people that I’m sorry that when they deleted some files from their hard drive they didn’t recognize they inadvertently deleted all their 1Password data. With 1Password memberships, everyone enjoys data loss protection that ensures this can never happen.

No More explaining that we don’t have any control or visibility into third-party sync solutions and are therefore limited when troubleshooting problems. With 1Password memberships, we are in complete control of both sides of the connection so we’re able to optimize things, quickly troubleshoot, and improve immediately when a problem is found. All this results in a rock solid solution that results in an entire category of issues no longer affecting our customers.

No More explaining why purchasing 1Password on one platform doesn’t automatically unlock it on all other platforms. Not only is it really hard for customers to understand that 1Password is “licensed per person, per platform, with paid upgrades”, but it’s an incredible mouthful for us to even say. With 1Password memberships, you simply subscribe once and you get access to 1Password everywhere.

No More needing to hold back on features for creating a “big splash” for major upgrades. These require purchasing a license upgrade and so it’s important that we save up features (often for a year or more) so we can woo customers to open up their wallets. With 1Password memberships, we can give people new features as soon as they are available so they can enjoy them right away. See Travel Mode and 1Password for Slackers for examples of this.

I wish I could also say No More for explaining to people who have forgotten their Master Password that 1Password uses true security and they therefore need to start over. But with 1Password memberships I can at least share the good news that families and teams can use Account Recovery to restore their own access.

And with the time we save from not needing to do these things, we’ll be able to improve 1Password itself to make it easier for customers to remember their Master Passwords. So perhaps someday soon this will indeed end up on my No More list.

Nudging people towards 1Password memberships


Now of course not everyone is on 1Password memberships yet, so we do indeed still work through these issues every day. So it’s not truly a No More list. At least not yet. Still, the number of people on memberships continues to grow every day, so we’re quickly seeing more and more of these bright spots as we move throughout our day.

All these bright spots add up to an even happier set of 1Password makers. And that’s as important for you as it is for us, because the happier a 1Password maker is, the better they’ll be able to widen the smiles of 1Password customers everywhere. Nothing great was ever created without passion, and this is just as true for designing and developing software as it is for customer support. I’m really excited about this and hope that someday 100% of our customers will embrace 1Password memberships.

Now the thing is, I know it’s not realistic to expect everyone to be able to be able to join one of our memberships at this time. As great as 1Password memberships are, I know that our excitement for them can cause some people to become worried. After all, many have corporate policies or regional restrictions that prevent them from using a hosted solution like ours, and so they’re understandably concerned and want to know that there’s a future for them with 1Password.

These worries are compounded by the fact that 1Password 6 for Windows was designed from the ground up to support 1Password Teams customers only (and then later expanded to include family and individual plans), and we are unsure how this adventure will play out on the Windows side of the world, so we haven’t made any public announcements about when support for standalone vaults will be added, if ever. Many Mac users worry that the same fate awaits 1Password 6 for Mac, and that we will remove support for local vaults and force them to pay again.

This isn’t going to happen. First, it would be evil to take away something you’ve already paid for. And evil doesn’t make for a Happy 1Password Customer, which is the cornerstone for a Happy 1Password Maker. It’s simply not who we are.

For those who purchased 1Password 6 for Mac already, you’re perfectly fine the way you are and can continue rocking 1Password the way you have been. There’s no requirement to change anything as we will not be removing features or forcing you to subscribe. In fact we’re still selling licenses of 1Password 6 for Mac for those that really need them (you can find them today on the setup screen under More Options).

And you need not worry about 1Password 7 for Mac, either, as it will continue to support standalone vaults just like version 6 does today.

We know that not everyone is ready to make the jump yet, and as such, we will continue to support customers who are managing their own standalone vaults. 1Password 6 and even 1Password 7 will continue to support standalone vaults. But 1Password memberships are indeed awesome and are the best way to use 1Password, and as such, I am going to continue to nudge you over when ever I can 🙂

Love Dave,
A Happy 1Password Maker ❤️ 🇨🇦

P. S. Please don’t think our excitement for memberships has anything to do with money. We’re completely self-funded so we don’t have any investors forcing us to make changes by looking solely at our bottom line. We were doing just fine selling individual licenses and AgileBits was already steadily growing before 1Password Teams was even introduced. We created 1Password Memberships because we had a vision for how 1Password could be even better and we followed our dreams. The result has been stupendously awesome and better than our wildest dreams! Today, over 95% of our revenues are coming from subscribers, which is truly mind blowing. Many investment strategists would say it makes sense to simply drop support for everything else and focus on the money. That’s not how we do things around here. We focus on people, love, and happiness. It’s the way we do things and I wouldn’t have it any other way.

P. P. S. You can create a 1Password membership and move all your existing data over today in just a few minutes. Learn more here. Like I said, I’m going to continue to non-apologetically nudge you over whenever I can 😉

Net neutrality: Keeping the Internet safe and accessible for all

Lo, everyone! Back on October 29, 1969, that two-letter greeting was the first message sent over ARPANET, the predecessor to the World Wide Web. Today, on July 12, 2017, people from around the globe are coming together for a day of action to fight for net neutrality. The principle of net neutrality states that all Internet traffic should be treated equally, but those who control the transmission of that data have been fighting for the right to place their preferred data in the fast lane and leave data they don’t like in a traffic jam. We here at AgileBits care quite a lot about data, and while we’re glad your sensitive data is safely locked away, we think the data we want to share on the Internet should remain accessible to everyone. Read more

Introducing 1Password 6.6 for Windows

We’ve been hard at work on a major update for 1Password 6 for Windows and I’m so excited to finally share it with all of you.  1Password 6.6 for Windows is here and it is HUGE.  I can’t possibly discuss every new feature here – there are 24 brand new features and 89 total changes made – but I’ll highlight a few that I’m most excited about. Read more

Be your own key master with 1Password

Encryption is great. By magic (well, by math) it converts data from a useful form to complete gibberish that can only be turned back into useful data with secret number called a key.

I happen to think that the term “key” that we use for encryption and decryption keys is a poor metaphor, as it suggests unlocking a door or a box. Cryptographic keys are more like special magic wands that are essential to the process of transforming data from its useful (decrypted) form to gibberish and back again. Read more

Google I/O 2017: Fun, Sun, Autofill!

Unlike Jupiter’s Io, which completes its orbit every 2 days, Google I/O only comes around once a year. Thousands of people register, and a select number are chosen at random. This year, Michael, Saad, and I were lucky enough to get tickets (hmm…maybe I should play the lottery)!

While Michael has attended I/O in the past, this was a first for Saad and me. We went in not quite knowing what to expect, which only added to the excitement for us.

At AgileBits, we primarily work remotely, so we don’t often get the chance to see each other face to face and just talk. Sure, we can chat on Slack, but it’s also nice to be able to talk in person and riff off of each other.

So meeting up with Saad and Michael for Google I/O led to some of the most informative and productive conversation I’ve had lately. I handle customer support, while they mainly handle development, so we can often have different perspectives on issues and priorities. We hash things out over phone calls and chat regularly, but it’s nothing like putting our heads together and talking til the wee hours, face to face.

Of course the best part about Google I/O, the reason thousands make the trek to Silicon Valley every year, is seeing all the talks and all the new things! I’d watched some I/O keynote and session videos in the past, but nothing quite captures the energy of seeing it live.

Suffice it to say we were super excited for the Google Keynote and the Developer Keynote. There were some fun announcements that got us chatting about the opportunities opened up by all of this great technology. And speaking of opportunities, Google had a chance to tell us which sweet Android O will be named after (Oreo?), but instead they teased us with “Oh no, we’re out of time!” I guess we’ll find out soon enough. 😉

We saw lots of talks on Android architecture, and an interesting one on Kotlin. They were super informative. I was really excited to see all the VR/AR advancements, and we got to play around with them a bit during demos.

The best talk for us was the talk on Autofill in Android O. We’ve got a bit of a special interest in that topic, and we were thrilled to be featured in their presentation. I think the three of us were a little too giddy about seeing our name up there.

On Thursday night, after the presentations and other activities had wrapped up for the day, LCD Soundsystem put on a show in the Shoreline Amphitheatre. This being my first I/O, I had no idea there was going to be a show. It was quite a nice surprise! They handed out glitter makeup pens on the way in, so the three of us got dolled up and headed in to see the band.

At one point, James Murphy, the band’s frontman, said, “This one’s for the lovers,” which was greeted with absolute silence. I cracked up at the thought of all of us in the audience–tech industry geeks who were mostly there with coworkers. He followed that with, “This one’s for all the lonely people?” That one got the applause he was looking for.

 

All in all, it was a great week. I’m so glad I got to experience Google I/O for the first time. It’s always a blast when we get the band back together, and it was absolutely worthwhile to fantasize about the future of the platform and what it means for 1Password.

More than just a penny for your thoughts — $100,000 top bounty

We believe that we’ve designed and built an extremely secure password management system. We wouldn’t be offering it to people otherwise.  But we know that we – like everyone else – may have blind spots. That is why we very much encourage outside researchers to hunt for security bugs. Today we are upping that encouragement by raising the top reward in our bug bounty program.

bugcrowd-logoWe have always encouraged security experts to investigate 1Password, and in 2015 we added monetary rewards though Bugcrowd. This has been a terrific learning experience for both us and for the researchers. We’ve learned of a few bugs, and they’ve learned that 1Password is not built like the web services they are used to attacking. [Advice to researchers: Read the brief carefully and follow the instructions for where we give you some internal documentation and various hints.]

Since we started with our bounty program, Bugcrowd researchers have found 17 bugs, mostly minor issues during our beta and testing period. But there have been a few higher payout rewards that pushed up the average to $400 per bug. So our average payout should cover a researcher’s Burp Suite Pro license for a year.

So far none of the bugs represented a threat to the secrecy of user data, but even small bugs must be found and squashed. Indeed, attacks on the most secure systems now-a-days tend to involve chaining together a series of seemingly harmless bugs.

Capture the top flag to get $100,000

Capture the flag for $100,000

Our 1Password bug bounty program offers tiered rewards for bug identification, starting at $100. Our top prize goes to anyone who can obtain and decrypt some bad poetry (in particular, a horrible haiku) stored in a 1Password vault that researchers should not have access to. We are raising the reward for that from $25,000 to $100,000. (All rewards are listed in US dollars, as those are easier to transfer than hundreds or thousands of Canadian dollars worth of maple syrup.) This, it turns out, makes it the highest bounty available on Bugcrowd.

We are raising this top bounty because we want people really trying to go for it. It will take hard work to even get close, but that work can pay off even without reaching the very top prize: In addition to the top challenge, there are other challenges along the way. But nobody is going to get close unless they make a careful study of our design.

Go for it

Here’s how to sign-up:

  • Go to bugcrowd.com and set up an account.
  • Read the documentation on the 1Password bugcrowd profile
  • The AgileBits Bugcrowd brief instructs researchers where to find additional documentation on APIs, hints about the location of some of the flags, and other resources for taking on this challenge. Be sure to study that material.
  • Go hunting!

If you have any questions or comments – we’d love to hear from you. Feel free to respond on this page, or ping us an email at security@agilebits.com.

A year in the life of the Best Password Manager for Android

Hello again friends! 👋

When I last wrote about 1Password for Android, we had just released version 6.4 with support for Android 7.0 and all of its Nougat-y goodness. We’ve been hard at work since then, but before I tell you about some of the great changes we’ve introduced in version 6.5, I want to take a moment to celebrate.

android-central-1I’m incredibly proud to say that we’ve been awarded “Best Password Manager” by Android Central! While we naturally think that 1Password is the best, it’s always fantastic to have a great site like Android Central back us up with their recommendation. And the timing couldn’t have been better as we were also celebrating a birthday last month… 1Password 6 for Android just turned one!

So come with us on a journey as we celebrate 1Password 6 for Android’s birthday, and look back on a year of Googly wonder!

Birthday beginnings 🎁

Let’s start with the release of 1Password 6. This was a huge release that restyled our pixels with Material Design, made unlocking your vaults quick and easy with Fingerprint Unlock, and introduced support for 1Password memberships.

In the months that followed, we released 4 major updates to 1Password 6. These updates made search available from first launch, added All Vaults to allow you to view all of your items at once, and made it easier to type passwords into other devices with Large Type. We also made 1Password more convenient to use alongside other apps by adding support for Nougat’s split-screen mode.

All of these changes were focused on making it more convenient for you to stay secure with 1Password. Features like Fingerprint Unlock and Universal Search are all about getting you to the data you need quickly. 1Password memberships make your data available whenever and wherever you need it with instant sync and web-based access through 1Password.com.features

Speaking of 1Password memberships, I want to take a moment to celebrate another birthday. Not only did we release 1Password 6 for Android last February, but we also launched 1Password Families.

Enjoying Families with family ❤️

As you might imagine, I’m the resident password guru and all-around IT guy for my family. While I would never complain that it’s a burdensome job, anything that makes it easier to manage devices and accounts for Juliana and the kids is a big win for me. So when we launched 1Password Families a year ago, it was a no-brainer for me to switch us over. In the time since, my role in family tech support has gotten so much easier…

convenience-updatesSetting up 1Password on all our devices. Our house is littered with devices spanning the Android, iOS, and Mac platforms. Setting up each one is now as simple as installing 1Password, scanning an Account Code, and entering the Master Password.

Making passwords easy! No one in my family needs to think too hard about creating strong unique passwords. Instead, we simply use the strong password generator in 1Password to create a new password for each new account we create. No re-using passwords and no arcane rules or formulas to follow.

securely-shareStoring more than passwords. We also use 1Password to store everything from credit cards to passports to locker combinations. Anything that should be kept secret, yet be available whenever and wherever we need it, goes in 1Password.

Sharing with the right people. There are some items that I only want to share with Juliana and other items that I want the kids to have access to as well. 1Password makes it easy for me to organize our items into multiple vaults and share those vaults appropriately.

Recovery Time Machine

Restoring previous versions of items. I no longer need to worry that an item will be accidentally changed or deleted. If that ever did happen, the new Item History feature will help me get it back. All I need to do is log in on 1Password.com and restore the version of the item back the way it was.

As you can see, 1Password Families adds up to a lot of peace of mind for everyone and makes my IT role in my family much easier! And now that I’ve gone on about how our 1Password membership has made managing my digital life easier, I’m eager to help you do the same.

The best gets better! 🎉

In version 6.5, we’ve made it easier than ever to get started with 1Password and get straight to what matters – keeping your personal information safe and secure.

If you’re a current 1Password customer but haven’t started your 1Password membership yet, you really should check it out. We’ve made it super easy to move your items over, so you can experience the best way to use 1Password.

You can sign up for a new individual account in Settings > 1Password accounts and then migrate your existing data in with the new ability to copy items.

And if you’ve never used 1Password before, you can sign up for a new individual 1Password membership and start your free 30-day trial right from first launch. Start with something for yourself and then when you’re ready, invite family members or team members to join you.

Wowzas! what a year! 🎉

We’ve got even more new features and improvements planned for the year ahead, and I look forward to sharing more about these with you soon. In the meantime, I hope you enjoy the best version of the Best Password Manager for Android yet!

out-of-the-storm

P.S. Here’s Paddy chilling on the beach after winning the Best Password Manager for Android. Our developers weren’t invited as she has us working on the next update already. She’s a tough project manager, but the results speak for themselves ?

Introducing 1Password 6.6 for Mac

I’m happy to announce we just finished assembling a new version of 1Password! It’s working its way through the update engines around the world now and hopefully it’s ready for you by the time you finish reading this. ?

The biggest change in this release is a whole new setup experience. We’ll dive into that in a moment, but first I’d like to share a cool new feature for those of you lucky enough to have one of those sexy new MacBook Pros.

We’ve been experimenting with the new Touch Bar since the beginning and added Touch Bar support along with Touch ID back in November as soon as the new Macs were available.

Today we’re taking the next step tap and giving you the ability to customize your Strong Password Generator settings directly from your Touch Bar!

I always enjoy the feel of tapping actions on the Touch Bar but sliding your finger across it is even better! Trust me, you’ll have a hard time customizing your password length just once. ?

There’s several other changes in this release as well, but let’s dive right into the big one now.

New Setup Flow

The biggest change is one that most of you probably won’t see until the next time you’re setting up a new Mac. Those new MacBook Pros with Touch ID really are pretty sweet so hopefully this isn’t too far in your future! ?

Starting today we have a lovely new flow for the setup screens1. Like their little cousin on iOS did earlier, 1Password for Mac makes getting started much simpler.

Now when you launch 1Password on a new Mac you’ll be greeted with a lovely page asking you if you’ve used 1Password before:

opm6-6-setup-screen

Those of you who have already been rocking with 1Password can use your existing data, and everyone else who’s just getting started can begin their free trial.

Free Trials From Mac App Store

We’ve always wanted everyone to be able to try 1Password before needing to purchase. Our website version has supported free trials since the very beginning, but it wasn’t possible in the Mac App Store when we first published 1Password there way back in 2011.

Thankfully Apple gave us a wonderful present at their Worldwide Developers Conference last year that made this possible for Mac App Store users as well.

1Password now comes with a 30 day free trial in the Mac App Store. Those downloading 1Password for the first time will start their trial and be prompted to subscribe once their trial expires:

opm-6-6-subscribe

Your single subscription allows you to use 1Password on all your devices and always have access to the latest versions.

Those who previously purchased 1Password in the Mac App Store will continue to be able to use 1Password as before and are not required to subscribe to our 1Password membership. Although there are a lot of great reasons why you should…

Benefits of a 1Password Membership

introducingI’ve been a license holder since the beginning. In fact, I’m pretty sure I got the first license we ever made!

If you’re a longtime license holder of 1Password like I was, I’m sure you’re wondering what all the hullabaloo is over our new service. I’m glad you asked and I’m happy to unlock that mystery for you! ?

There are a lot of benefits to a 1Password Membership over a standalone license, but for me it boils down to convenience, security, and peace of mind.

convenience-updatesLet’s start with convenience. With a membership, all I do is log in on a new device and all my data is there. I can even organize my items in multiple vaults and they all appear instantly.

And the best part is my membership gives me access to the latest version of 1Password on all my devices so I don’t need to worry about managing any licenses. I’m really happy that I don’t need to say “1Password is sold on a per-person, per-platform basis, with paid upgrades for major new versions” anymore. ?

double-securityOn the security side of things, I absolutely love our new encryption design that leverages Galois/Counter Mode for efficient authenticated encryption and our ingenious Two Secret Key Derivation starring our unique Account Key.

I know I know, I’m a huge geek and love the details, but these and many other things all add up to better performance and a secure-er than ever way to protect your data. You can check out our security page for a nice high level review, along with a detailed White Paper for my fellow geeks reading this. ?

As for peace of mind, this one is priceless. I simply sleep better at night.

sleep-at-night

With my 1Password membership, I know that all my data is backed up automatically for me, and every change is remembered so I can go back in time and restore my precious items whenever I need to. And with our Family account I can securely share passwords with Sara so she has access to everything she needs.

In short, I’m absolutely loving my 1Password membership. It’s the best way to use 1Password.

love-1password

Becoming a 1Password Member

If these benefits excite you and you want to join me, becoming a 1Password member is super easy.

You can jump on board and migrate all of your data over in just a few short steps. We have a quick guide on how to setup a new account and move over your data, along with a nice video showing how easy it is to do.

I know you’re busy so I’m happy to say you can finish the entire process in just a few minutes. Start by creating your new account here:

Start Your Free Trial Today

Often it feels like I’ve been using all these great new features for a lifetime, but looking back we introduced 1Password Teams only 15 months ago, 1Password Families almost exactly one year ago, and 1Password Memberships just 6 months ago.

It’s amazing how quickly I came to rely on these benefits and how I was able to fall in love with 1Password all over again. I think you will, too.

Enjoy! ❤️ ??


  1. Those with eagle eyes might be saying “again?” since 1Password 6.5 had a new setup experience for those who downloaded from our website. But we’ve iterated on the design and now everyone gets to join in on the fun, including those who install using the Mac App Store. 

Certificates, Provisioning Profiles, and Expiration Dates: The Perfect Storm

As you may have read, this weekend was a little hectic for us and some of our app developer friends1. On Saturday we got word that users of 1Password for Mac were seeing the app fail to launch correctly. It took a few hours, but we diagnosed the problem and released an update that corrected the issue. This issue will only have affected users that downloaded 1Password for Mac directly from our website, so if you downloaded it from the Mac App Store you had a much more calm weekend than we did.

But alas, that story has already been told. Now it’s time for the nitty gritty technical details about all the forces that aligned against us that had us staring up a giant wall of crashing water like George Clooney and Mark Wahlberg.

Prologue: Not All Certificates Are Created Equal

There’s a lot of information to unpack in this post, but before I get started, I’d like to address an assumption I’m seeing far too many people making: that what happened to us was simply an issue of an expired certificate and that all we needed to do was create a new one, just like you do for SSL certificates.

That’s simply not true.

Developer certificates are much different than SSL certificates and serve a very different purpose. Unlike a simple SSL certificate, our developer certificate is used to sign 1Password and needs to be valid during build time. The expiry time of a certificate or provisioning profile should have no impact on whether or not macOS will allow an app to launch or not.
An analogy may be helpful here: if you think of the developer certificate as a carton of eggs, and 1Password as a cake, then it is important not to use expired eggs to make the cake. The fact that the eggs may expire a few days after making the cake should have no effect on the cake itself. After all, the cake is already made and delivered.

Jumping out of the galley and back into our developer world, an expired certificate typically doesn’t affect us until the next time we need to do a release, which would have been this week with our next betas. Certificates control our ability to sign new apps. They don’t affect existing released apps.

For example, we have some users still using 1Password 3 for Mac (hey there, if that’s you, you should really consider upgrading to a 1Password membership as soon as possible!). The first release of 1Password 3 was in 2009, around 8 years ago. Assuming a user is happy with 1Password 3, how long should they expect to be able to continue using the software they paid for? The only acceptable answer to that question is: as long as they feel like it.

Obviously there’s plenty of reasons for why a user would want to upgrade to newer versions, but the fact of the matter is that a user shouldn’t be reliant on us to keep providing updated builds of an unmaintained app just to keep it running. Unlike an SSL certificate, this isn’t something we can simply fix from our end. Fixing the issue we ran into this weekend is a matter of creating a new build of the app and having users update to the new version.

Taking a Tour of the Engine Room

iCloud Sync

To properly understand what happened, let’s take a step back and look at the different parts of this.

In Mac OS X 10.7 Apple introduced Gatekeeper. Gatekeeper is really quite awesome as it gives users control over what software is allowed to run on their system. The default is to allow software from verified and trusted developers: those apps that have been uploaded to the Mac App Store, or those signed with Developer ID certificates made available to the developer by Apple.

Gatekeeper ensures that apps that have been tampered with will refuse to run, and also provides Apple with a way to revoke certain certificates if a developer has been found to be doing harm (i.e. distributing Developer ID signed malware). These simple steps stop a wide variety of attack vectors and we think the world of Apple for having implemented this.

The next layer is the Provisioning Profile. Provisioning Profiles provide information about what the app can do, as well as who can run it. There are certain services on the Mac that require that the app include a Provisioning Profile. In our case, we needed to start using a Provisioning Profile when we added support for unlocking 1Password using Touch ID.

To be clear, Touch ID itself doesn’t necessitate the profile, but in order to unlock your vault we need to store a secret and we choose to store it the OS X keychain. The specific configuration we’re using for that requires declaring that we want access to a specific keychain access group, which needs to be declared in a provisioning profile. The provisioning profile is included in the app bundle and cannot be updated independently of the app.

Next up… XPC. We use XPC to communicate between the 1Password main app and 1Password mini – the little 1Password that runs in your menu bar – and it’s really quite awesome. 1Password mini acts as the brains of the whole operation, and the larger app is mostly just responsible for displaying information. The reason we love XPC so much is because it’s an inter process communication tool that actually provides us the building blocks we need to perform mutual authentication. What this means is that 1Password mini will refuse to communicate with the main app unless it can prove that it’s signed by us. The inverse is true as well.

Storm Clouds Gather

clouds-gathering@2xAt around 3pm EST on February 18th we started getting reports of failures in 1Password for Mac. Folks were seeing an error appear that 1Password was unable to connect to 1Password mini.

Unable to start 1Password

This initial failure occurred due to the fact that the provisioning profile embedded in 1Password mini had an expiration date. Expiration dates seem to be required, and due to the fact that the expiration date elapsed, Gatekeeper decided that 1Password mini was no longer safe to run. We’ve filed a bug with Apple as we feel that this shouldn’t be the case (rdar://30631939 for those of you reading along inside the Mothership).

Only 1Password mini contains the Provisioning Profile as all Touch ID operations happen within that process. This meant that Gatekeeper was deciding that our main 1Password app could launch. Upon launching, 1Password performs its start up sequence which includes asking the system to launch 1Password mini if it’s not already running. When doing so, the system would log the following to the console:

com.apple.xpc.launchd[1] (2BUA8C4S2C.com.agilebits.onepassword4-helper[11038]): Binary is improperly signed.
com.apple.xpc.launchd[1] (2BUA8C4S2C.com.agilebits.onepassword4-helper[11038]): removing service since it exited with consistent failure reason When validating /Applications/1Password 6.app/Contents/Library/LoginItems/2BUA8C4S2C.com.agilebits.onepassword4-helper.app/Contents/MacOS/2BUA8C4S2C.com.agilebits.onepassword4-helper:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
com.apple.xpc.launchd[1] (com.apple.ReportCrash[11041]): Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.ReportCrash

The 1Password main app detected the failure and provided an error panel telling the user that it couldn’t connect to mini.

Due to the expired Provisioning Profile, 1Password mini wouldn’t launch. And without mini running, 1Password itself was unable to startup successfully. Both mini and 1Password itself were signed with the same Developer ID certificate. Gatekeeper allowed 1Password to run, but due to the different rules for apps with provisioning profiles, it would not allow mini to run.

As far as we can tell, the only way to correct this problem is to provide a new build of the app with an updated provisioning profile with a new expiration date. Within a few hours we were able to publish a new version which did exactly this. As of 6.5.4, we had an app that users could download and run again.

The Eye Of The Storm

eye-of-the-storm@2xAfter this initial bout of terror, death defying feats, and mad scrambles we figured the technical portion of this exercise was finished and had begun transitioning into customer support mode; helping allay the fear, uncertainty, and doubt that this event had caused.

Little did we know at the time, we were only in the eye of the storm – the calm center before things would get rough again.

1Password for Mac includes an updater within the app so that users can easily upgrade to the latest versions as they become available. This updater validates downloads before performing the update to ensure that the updated app is in fact from AgileBits. One of the steps taken during validation is looking at the code signature of the downloaded app and ensuring that it satisfies the following security requirement:

anchor apple generic and identifier com.agilebits.onepassword4 and certificate leaf[subject.CN] = “Developer ID Application: Agilebits Inc.”

This check has worked really well for us. It’s simple and does the trick.

This check is also extremely specific about the common name2 it looks for. When we generated our updated provisioning profile we also needed to generate a new Developer ID certificate. We didn’t realize it at the time, but the common name of newly created certificates now include the team identifier in addition to the company name;  “Developer ID Application: AgileBits Inc. (2BUA8C4S2C)” vs. “Developer ID Application: AgileBits Inc.”. Close. Super close. But we weren’t looking for a “close” match.

The result of this new common name was that even though our app would now launch, the automatic updater would never run successfully because as far as it was concerned the update being provided wasn’t valid and therefore needed to be rejected. This is what users who could still run 6.5.3 and tried to update to 6.5.4 saw.

Once we discovered this problem we had no choice but to pull the 6.5.4 update and issue a 6.5.5 update that included a modified security requirement check. Sadly this didn’t address the fact that users running 6.5.3 and earlier are not able to automatically update to 6.5.5.

Moving Forward and Heading Home

heading-home@2xThis was painful for everyone. We lost sleep over the weekend, but worse than that… our users temporarily lost access to some of their most important information. This is unacceptable to us and we want to make sure this doesn’t happen again.

We’ve reached out to Apple for help and guidance on what we can do to avoid this happening again in the future. Our new provisioning profile doesn’t expire until 2022, but we’ll make sure that this is resolved far before then so that you need not worry about that happening.

If you’re a developer of a Developer ID signed app, we recommend that you check to see if your app includes a provisioning profile. Since that’s mostly handled automatically by Xcode, it’s likely that there are apps out there whose developers aren’t even aware of the inclusion of the provisioning profile. Check the expiration date, and ensure that you release an updated build with an updated provisioning profile well before the expiration date is hit so your users have time to update.

We’ve also filed an enhancement request with Apple asking that developers be notified via email of impending distribution certificate or provisioning profile expirations with explanations of repercussions. This was filed as rdar://30631968.

If you have questions about any of this, please don’t hesitate to ask us in the comments below.

Love,
The 1Password Mac Team
❤️

P.S. Happy 5th Birthday to Gatekeeper! ? We were one of the first apps to sign with Developer ID certificates, use XPC, and leverage the entitlements required for Touch ID. It’s always exciting being on the cutting edge of technology but we wouldn’t have it any other way. ?

Further Reading

This was the second post in a three part series. See the exciting prequel and sequel here:

Part 1 : 1Password for Mac 6.5.5: Manual update required

Part 3 : PSA for macOS Developers: Renew Your Certificates & Provisioning Profiles


  1. The exact same perfect storm appears to caused our friends at Smile to hit the same rough seas that we had. You can see Adam Engst’s story in TidBITS for details on how this affected PDFPen. 
  2. The Common Name is the subject.CN part of the security requirement. As our Chief Defender of the Dark Arts often says of Common Names: they are often very uncommon. The name is inherited from older identify management systems. I don’t need to say much more as Jeff loves explaining things, so let’s all sit back and watch what he says in his comment that I’m sure he’ll be adding soon.