Forum Discussion
Jacek
3 months ago, New Contributor
pgp signature not trusted
I upgraded PGP signatures:
$ curl -sS https://downloads.1password.com/linux/keys/1password.asc | gpg --import
gpg: key AC2D62742012EA22: 3 signatures not checked due to missing keys
gpg: key AC2D62742012EA22: "Code signing for 1Password <codesign@1password.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
But during checking 1password-cli source, I got:
gpg: Signature made śro, 28 maj 2025, 12:15:49 CEST
gpg: using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: Good signature from "Code signing for 1Password <codesign@1password.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3FEF 9748 469A DBE1 5DA7 CA80 AC2D 6274 2012 EA22
Is something wrong with your PGP signature?
I'm worried about whether the 1Password code is secure.
4 Replies
- Jacek, New Contributor
This check is performed during package installation in ArchLinux.
Here is a full check in Linux:
[jacek@lixlap08 1password-cli]$ ls -lh op*
-rwxr-xr-x 1 jacek jacek  24M 05-28 12:04 op
-rw-r--r-- 1 jacek jacek 8,7M 07-12 21:38 op_linux_amd64_v2.31.1.zip
-rw-r--r-- 1 jacek jacek  566 05-28 12:15 op.sig
[jacek@lixlap08 1password-cli]$ gpg --verify op.sig
gpg: assuming signed data in 'op'
gpg: Signature made śro, 28 maj 2025, 12:15:49 CEST
gpg:                using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: Good signature from "Code signing for 1Password <codesign@1password.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3FEF 9748 469A DBE1 5DA7 CA80 AC2D 6274 2012 EA22
So, if I understand correctly, there is nothing to worry about, and the code is authentic/secure?
- AJCxZ0, Bronze Expert
If you are trying to check that `op_linux_amd64_v2.31.1.zip` was signed with the detached signature `op.sig`, then you should run `gpg --verify op.sig op_linux_amd64_v2.31.1.zip`.
The check done during the package installation is almost certainly done correctly and the process should fail if the check fails. In the trust model with which you're working, the successful install of a native or AUR package should give you confidence that the file(s) fetched have not been modified since the package was last updated.
- Jacek, New Contributor
Great, thanks.
- AJCxZ0, Bronze Expert
You imported the key published on the web site into your keyring.
While you say, "checking 1password-cli source", you don't show what you actually ran. The signature shown has the correct fingerprint. There is nothing wrong with the signature and you mention no reason to think that there is something wrong or any reason why you are "worried about whether the 1Password code is secure" (ignoring what "is secure" could actually mean).
That said, 1Password still hasn't pushed their recently updated key to the keyservers:
$ gpg --fingerprint AC2D62742012EA22
pub   rsa4096 2017-05-18 [SC] [expired: 2025-05-16]
      3FEF 9748 469A DBE1 5DA7 CA80 AC2D 6274 2012 EA22
uid           [ expired] Code signing for 1Password <codesign@1password.com>
$ gpg --refresh-keys AC2D62742012EA22
gpg: refreshing 1 key from hkps://keys.openpgp.org
gpg: key AC2D62742012EA22: "Code signing for 1Password <codesign@1password.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
$ curl -sS https://downloads.1password.com/linux/keys/1password.asc | gpg --import
gpg: key AC2D62742012EA22: 3 signatures not checked due to missing keys
gpg: key AC2D62742012EA22: "Code signing for 1Password <codesign@1password.com>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg:       (use option "--allow-weak-key-signatures" to override)
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
$ gpg --list-public-keys codesign@1password.com
pub   rsa4096 2017-05-18 [SC] [expires: 2032-05-16]
      3FEF9748469ADBE15DA7CA80AC2D62742012EA22
uid           [ unknown] Code signing for 1Password <codesign@1password.com>
and setting the key expiry for 2032 is not wise, so 1Password certainly could do better.
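The two replies above make the same point: the "not certified with a trusted signature" warning is about your keyring's trust database, not about the signature, and what actually matters is that the signing key's fingerprint is the one 1Password publishes. The script below is an added example (not from the thread or from 1Password) that makes that check explicit: it parses gpg's machine-readable `--status-fd` output and accepts the detached signature only if the VALIDSIG line names the fingerprint pinned from the thread, so the trust-db warning no longer has to be interpreted by eye. The `verify_detached` wrapper and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Pinned primary key fingerprint of the 1Password code signing key, as shown
# in the thread (gpg --fingerprint AC2D62742012EA22).
EXPECTED_FPR="3FEF9748469ADBE15DA7CA80AC2D62742012EA22"

# Read gpg --status-fd lines from stdin. Return 0 only if a VALIDSIG line
# reports the expected fingerprint, either as the signing key (field 3) or as
# the primary key (last field). GOODSIG plus TRUST_UNDEFINED is exactly the
# "[unknown]" case from the thread; pinning the fingerprint makes the
# web-of-trust ownertrust irrelevant for this decision.
check_validsig() {
    expected="$1"
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                rest=${line#"[GNUPG:] VALIDSIG "}
                sig_fpr=${rest%% *}      # fingerprint of the key that signed
                primary_fpr=${rest##* }  # primary key fingerprint (newer gpg)
                if [ "$sig_fpr" = "$expected" ] || [ "$primary_fpr" = "$expected" ]; then
                    found=0
                fi
                ;;
        esac
    done
    return $found
}

# Verify a detached signature against the data file it covers, e.g.
#   verify_detached op.sig op_linux_amd64_v2.31.1.zip
# Both arguments are required: plain "gpg --verify op.sig" guesses the data
# file from the signature name, as the "assuming signed data in 'op'" line
# in the thread shows. Hypothetical wrapper, assumes gpg is installed.
verify_detached() {
    sig="$1"
    data="$2"
    gpg --batch --status-fd 1 --verify "$sig" "$data" 2>/dev/null \
        | check_validsig "$EXPECTED_FPR"
}
```

The pipeline's exit status is that of `check_validsig`, so a fingerprint mismatch fails the step even when gpg itself printed "Good signature".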