To confirm the authenticity of 1Password, the app and all its updates are digitally signed and offered exclusively through the official app store for your operating system or the 1Password downloads page. Always get 1Password updates from one of these sources, and always check these sources to make sure that you have the latest version.
App store downloads and updates are automatically verified
The digital signature of the 1Password app is automatically verified before installation:
- If you install 1Password or an update from the official app store* for your operating system
- If 1Password updates itself
* Official app stores include: Mac App Store, iOS App Store, Microsoft Store, and Google Play.
Manual downloads are partially verified by your operating system
If you manually download 1Password from the 1Password downloads page, your operating system will verify that it comes from a known developer and hasn’t been tampered with.
To confirm that the installer is authentic, you can verify the digital signature before installation.
Regular installer
Unzip the installer that you downloaded.
Open Terminal, which is in the Utilities folder of your Applications folder.
Copy and paste the following command, followed by the path to “1Password Installer.app”. For example, if the installer is in your Downloads folder:
spctl --assess -vv ~/Downloads/1Password\ Installer.app
Press Return.
If the command returns the following, the code signature of the 1Password installer is valid:
/Users/<username>/Downloads/1Password Installer.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: AgileBits Inc. (2BUA8C4S2C)
The installer automatically verifies the files it downloads. If any file has an issue, installation stops without changes to your system, and you’ll see a message that the installer encountered an error.
Hash | Fingerprint |
---|---|
SHA‑256 | 60 0C DD 51 9C AE 2C FF BB BB 8A DB 62 14 3E C9 E3 D8 67 48 42 DA 98 BB 02 39 36 5D 1D B9 0C 99 |
SHA‑256 | 75 74 B9 83 A6 43 7E FB 23 B9 4E B4 BE 19 F5 07 35 20 40 DB 2D 4F 99 3D 22 DA C7 6B 3B 1C 85 FF |
SHA‑256 | 82 F8 EB 3E A3 EF 22 E0 F9 08 89 19 74 6A C6 8F 74 44 34 C6 1A 05 14 A0 74 A4 F3 5A 0C 4F 46 81 |
SHA‑256 | C6 9B 45 73 B8 87 AB CA EB 29 E7 4D 8E F3 A4 9A D3 AD 8B 68 3C 3D C2 2B A7 50 2B 37 A6 87 80 69 |
Package installer
Double-click the 1Password package (.pkg) file to open the installer. If you see “This package will run a program to determine if the software can be installed”, click Continue. This won’t begin the installation.
Click the lock icon in the top right corner of the installer window. If you don’t see the lock icon, the package is unsigned, and you shouldn’t install it.
Select Developer ID Installer: AgileBits Inc. (2BUA8C4S2C). If you see a different developer ID, or the certificate doesn’t have a green checkmark indicating that it’s valid, don’t install the package.
Click the triangle next to “Details” and scroll down.
Make sure that the SHA-256 fingerprint in the installer matches one of the following fingerprints from the current or earlier AgileBits certificate. If they match, the signature is verified; click OK to continue the installation.
Hash | Fingerprint |
---|---|
SHA‑256 | FA 3D 24 7E B5 00 F5 90 0A 06 3F F3 71 53 3E 8F 73 71 C2 82 E0 6D 2A 71 8E 8E 42 D7 22 F9 79 CC |
SHA‑1 | 91 66 5C AF AA 46 4F 34 7A 9F F0 0F C4 77 A1 7A DA 14 BD 7E |
SHA‑256 | 14 1D D8 7B 2B 23 12 11 F1 44 08 49 79 80 07 DF 62 1D E6 EB 3D AB 98 5B C9 64 EE 97 04 C4 A1 C1 |
SHA‑1 | 9C D4 06 D2 9E C6 25 E3 6B CF 8B AA 61 6E 75 57 31 A7 D4 A9 |
The installer automatically verifies the files in the package. If any file has an issue, installation stops without changes to your system, and you’ll see a message that the installer encountered an error.
Help
1Password uses Microsoft’s Trusted Signing, which issues short-lived certificates whose thumbprints change regularly.
Instead of verifying the thumbprint of a certificate, you can verify the time stamp countersignature or the subscriber identity validation EKU for the 1Password installer.
Verify the time stamp countersignature
To verify that the 1Password installer was signed within the validity timeframe, you can review the certificate’s time stamp countersignature with PowerShell or a tool like SignTool.
In PowerShell, copy and paste the following command, replace path\to\1Password.installer with the path to the 1Password installer, and run the command.
Get-AuthenticodeSignature -FilePath "path\to\1Password.installer" | format-list *
As long as the dates in the SignerCertificate section are within the timeframe of the dates in the TimeStamperCertificate section, the certificate is valid.
If you’ve installed SignTool, copy and paste the following command, replace path\to\1Password.installer with the path to the 1Password installer, and run the command.
signtool verify /pa /v "path\to\1Password.installer"
As long as the timestamped signature date is before the expiry date issued to the Microsoft Public RSA Time Stamping Authority at the bottom, the certificate is valid.
Verify the subscriber identity validation EKU
If you need to verify the 1Password installer in a script or other automated use cases, you can make sure that our subscriber identity validation EKU is associated with the 1Password installer’s certificate.
For reference, here is our current subscriber identity validation EKU: 1.3.6.1.4.1.311.97.661420558.769123285.207353056.500447802
You can copy the following PowerShell command, replace path\to\1Password.installer with the path to the 1Password installer, and run it to confirm that the value above is listed in the ObjectId column:
(Get-AuthenticodeSignature -FilePath "path\to\1Password.installer").SignerCertificate.EnhancedKeyUsageList
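For scripted use, the EKU check and the time stamp check described above can be combined into a single pass/fail gate. The following is an added example, not 1Password's own code: the function name Test-1PasswordInstaller and the shape of its output object are hypothetical, and the date comparison implements the rule exactly as this page states it.

```powershell
# Added example (not from 1Password). Test-1PasswordInstaller is a hypothetical name.
function Test-1PasswordInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Subscriber identity validation EKU as published on this page.
        [string] $ExpectedEku = '1.3.6.1.4.1.311.97.661420558.769123285.207353056.500447802'
    )

    # Stop on a missing or unreadable file instead of returning a half-empty result.
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction Stop
    $signer = $sig.SignerCertificate
    $tsa = $sig.TimeStamperCertificate
    $reasons = @()

    # 1. Windows itself must consider the Authenticode signature valid.
    if ($sig.Status -ne 'Valid') {
        $reasons += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
    }

    # 2. The signer certificate must carry the expected EKU in its ObjectId list.
    if ($null -eq $signer) {
        $reasons += 'File has no signer certificate (unsigned).'
    }
    elseif ($signer.EnhancedKeyUsageList.ObjectId -notcontains $ExpectedEku) {
        $reasons += "Expected EKU $ExpectedEku not found on signer certificate."
    }

    # 3. Time stamp check as stated on this page: the signer certificate dates
    #    must fall within the time stamper certificate dates.
    if ($null -eq $tsa) {
        $reasons += 'No time stamp countersignature present.'
    }
    elseif ($null -ne $signer -and
            ($signer.NotBefore -lt $tsa.NotBefore -or $signer.NotAfter -gt $tsa.NotAfter)) {
        $reasons += 'Signer certificate dates fall outside the time stamper certificate dates.'
    }

    [pscustomobject]@{
        Path    = $Path
        Trusted = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

# Usage: refuse to run the installer unless every check passed.
# $result = Test-1PasswordInstaller -Path 'path\to\1Password.installer'
# if (-not $result.Trusted) { $result.Reasons; exit 1 }
```

Because the function collects every failed check instead of stopping at the first, a deployment log shows whether a rejection came from a missing signature, an unexpected publisher identity, or a time stamp problem.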