How to verify the authenticity of the 1Password app

If you manually download the 1Password app, you can verify its signature to confirm that it’s authentic.

To confirm the authenticity of 1Password, the app and all its updates are digitally signed and offered exclusively through the official app store for your operating system or the 1Password downloads page. Always get 1Password updates from one of these sources, and always check these sources to make sure that you have the latest version.

App store downloads and updates are automatically verified

The digital signature of the 1Password app is automatically verified before installation:

  • If you install 1Password or an update from the official app store* for your operating system
  • If 1Password updates itself

* Official app stores include: Mac App Store, iOS App Store, Microsoft Store, and Google Play.

Manual downloads are partially verified by your operating system

If you manually download 1Password from the 1Password downloads page, your operating system will verify that it comes from a known developer and hasn’t been tampered with.

To confirm that the installer is authentic

To confirm that the installer is authentic, you can verify the digital signature before installation.

Mac

Regular installer

  1. Unzip the installer that you downloaded.

  2. Open Terminal, which is in the Utilities folder of your Applications folder.

  3. Copy and paste the following command, followed by the path to “1Password Installer.app”. For example, if the installer is in your Downloads folder:

     spctl --assess -vv ~/Downloads/1Password\ Installer.app
    
  4. Press Return.

If the command returns the following, the code signature of the 1Password installer is valid:

    /Users/<username>/Downloads/1Password Installer.app: accepted
    source=Notarized Developer ID
    origin=Developer ID Application: AgileBits Inc. (2BUA8C4S2C)
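
The check from steps 3 and 4, scripted as an added example (not 1Password's own code). It requires all three expected lines, because "accepted" and "Notarized Developer ID" on their own also appear for an app signed by any other notarized developer. The function names and the sample outputs are constructed for illustration; the expected strings are the ones shown above.

```sh
#!/bin/sh
# Added example, not 1Password's code. Expected values are copied from the article.
EXPECTED_SOURCE='source=Notarized Developer ID'
EXPECTED_ORIGIN='origin=Developer ID Application: AgileBits Inc. (2BUA8C4S2C)'

# Constructed sample outputs (user name and second developer are made up).
SAMPLE_GOOD='/Users/alice/Downloads/1Password Installer.app: accepted
    source=Notarized Developer ID
    origin=Developer ID Application: AgileBits Inc. (2BUA8C4S2C)'
SAMPLE_OTHER_DEV='/Users/alice/Downloads/1Password Installer.app: accepted
    source=Notarized Developer ID
    origin=Developer ID Application: Example Corp (ABCDE12345)'

# check_assessment OUTPUT: return 0 only if the verdict, source and origin
# lines all match exactly; otherwise print the reason and return 1.
check_assessment() {
    first=$(printf '%s\n' "$1" | sed -n '1p')
    case $first in
        *': accepted') ;;
        *) echo "FAIL: Gatekeeper verdict is not 'accepted'"; return 1 ;;
    esac
    # Strip indentation, then require whole-line matches (-x) so that extra
    # text around the developer name or Team ID cannot slip through.
    body=$(printf '%s\n' "$1" | sed 's/^[[:space:]]*//')
    if ! printf '%s\n' "$body" | grep -Fxq -e "$EXPECTED_SOURCE"; then
        echo "FAIL: not a notarized Developer ID build"; return 1
    fi
    if ! printf '%s\n' "$body" | grep -Fxq -e "$EXPECTED_ORIGIN"; then
        echo "FAIL: signed by a different developer"; return 1
    fi
    echo "OK: notarized and signed by AgileBits Inc. (2BUA8C4S2C)"
}

# verify_installer PATH: run spctl (macOS only) and check what it reports.
verify_installer() {
    command -v spctl >/dev/null 2>&1 || { echo "spctl not found"; return 2; }
    # Capture both streams: the assessment text may be written to stderr.
    check_assessment "$(spctl --assess -vv "$1" 2>&1)"
}

# Usage: sh verify.sh ~/Downloads/1Password\ Installer.app
if [ "$#" -gt 0 ]; then
    verify_installer "$1"
fi
```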

The installer automatically verifies the files it downloads. If any file has an issue, installation stops without changes to your system, and you’ll see a message that the installer encountered an error.

Hash     Fingerprint
SHA-256  60 0C DD 51 9C AE 2C FF BB BB 8A DB 62 14 3E C9 E3 D8 67 48 42 DA 98 BB 02 39 36 5D 1D B9 0C 99
SHA-256  75 74 B9 83 A6 43 7E FB 23 B9 4E B4 BE 19 F5 07 35 20 40 DB 2D 4F 99 3D 22 DA C7 6B 3B 1C 85 FF
SHA-256  82 F8 EB 3E A3 EF 22 E0 F9 08 89 19 74 6A C6 8F 74 44 34 C6 1A 05 14 A0 74 A4 F3 5A 0C 4F 46 81

Package installer

  1. Double-click the 1Password package (.pkg) file to open the installer. If you see “This package will run a program to determine if the software can be installed”, click Continue. This won’t begin the installation.

  2. Click the lock icon in the top right corner of the installer window. If you don’t see the lock icon, the package is unsigned, and you shouldn’t install it.

  3. Select Developer ID Installer: AgileBits Inc. (2BUA8C4S2C). If you see a different developer ID, or the certificate doesn’t have a green checkmark indicating that it’s valid, don’t install the package.

  4. Click the triangle next to “Details” and scroll down.

  5. Make sure that the SHA-256 fingerprint in the installer matches one of the following fingerprints from the current or earlier AgileBits certificate. If they match, the signature is verified; click OK to continue the installation.

    [Image: the 1Password installer window showing the developer ID and fingerprints]

Hash     Fingerprint
SHA-256  FA 3D 24 7E B5 00 F5 90 0A 06 3F F3 71 53 3E 8F 73 71 C2 82 E0 6D 2A 71 8E 8E 42 D7 22 F9 79 CC
SHA-1    91 66 5C AF AA 46 4F 34 7A 9F F0 0F C4 77 A1 7A DA 14 BD 7E
SHA-256  14 1D D8 7B 2B 23 12 11 F1 44 08 49 79 80 07 DF 62 1D E6 EB 3D AB 98 5B C9 64 EE 97 04 C4 A1 C1
SHA-1    9C D4 06 D2 9E C6 25 E3 6B CF 8B AA 61 6E 75 57 31 A7 D4 A9

The installer automatically verifies the files in the package. If any file has an issue, installation stops without changes to your system, and you’ll see a message that the installer encountered an error.

Windows

  1. Right-click the 1Password setup executable (.exe) file and choose Properties.

  2. Select the Digital Signatures tab.

  3. Select Agilebits, then click Details. If you see a different signer, or the installer isn’t signed, don’t install the app.

  4. Make sure you see “This digital signature is OK”. Otherwise, the digital signature of the app is invalid, and you shouldn’t install it.

  5. Click View Certificate, then select the Details tab and scroll down.

  6. Make sure that the thumbprint in the installer matches the following thumbprint from the current AgileBits certificate. If they match, the signature is verified; install the app.

    [Image: the 1Password setup certificate details showing the thumbprint]

Thumbprint
2b104986b3fae577d58ad157146a6801c387bc03
