pgp signature not trusted

I upgraded PGP signatures:

$ curl -sS https://downloads.1password.com/linux/keys/1password.asc | gpg --import
gpg: key AC2D62742012EA22: 3 signatures not checked due to missing keys
gpg: key AC2D62742012EA22: "Code signing for 1Password <codesign@1password.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

But during checking 1password-cli source, I got:

gpg: Signature made śro, 28 maj 2025, 12:15:49 CEST
gpg:                using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: Good signature from "Code signing for 1Password <codesign@1password.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3FEF 9748 469A DBE1 5DA7  CA80 AC2D 6274 2012 EA22

Is something wrong with your PGP signature?
I'm worried about whether the 1Password code is secure.

best practices

checks

linux

AJCxZ0
23 days ago
If you are trying to check that `op_linux_amd64_v2.31.1.zip` was signed with the detached signature `op.sig`, then you should run `gpg --verify op.sig op_linux_amd64_v2.31.1.zip`.
The check done during the package installation is almost certainly done correctly and the process should fail if the check fails. In the trust model with which you're working, the successful install of a native or AUR package should give you confidence that the file(s) fetched have not been modified since the package was last updated.

4 Replies

Jacek
New Contributor
27 days ago
This check is performed during package installation in ArchLinux.
Here is a full check in Linux:
[jacek@lixlap08 1password-cli]$ ls -lh op* -rwxr-xr-x 1 jacek jacek 24M 05-28 12:04 op -rw-r--r-- 1 jacek jacek 8,7M 07-12 21:38 op_linux_amd64_v2.31.1.zip -rw-r--r-- 1 jacek jacek 566 05-28 12:15 op.sig [jacek@lixlap08 1password-cli]$ gpg --verify op.sig gpg: assuming signed data in 'op' gpg: Signature made śro, 28 maj 2025, 12:15:49 CEST gpg: using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22 gpg: Good signature from "Code signing for 1Password <codesign@1password.com>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 3FEF 9748 469A DBE1 5DA7 CA80 AC2D 6274 2012 EA22
So, if I understand correctly, there is nothing to worry about, and the code is authentic/secure?
- AJCxZ0
  Bronze Expert
  23 days ago
  If you are trying to check that `op_linux_amd64_v2.31.1.zip` was signed with the detached signature `op.sig`, then you should run `gpg --verify op.sig op_linux_amd64_v2.31.1.zip`.
  The check done during the package installation is almost certainly done correctly and the process should fail if the check fails. In the trust model with which you're working, the successful install of a native or AUR package should give you confidence that the file(s) fetched have not been modified since the package was last updated.
  - Jacek
    New Contributor
    23 days ago
    Great, thanks.

AJCxZ0

Bronze Expert

28 days ago

You imported the key published on the web site into your keyring.

While you say, "checking 1password-cli source", you don't show what you actual ran. The signature shown has the correct fingerprint. There is nothing wrong with the signature and you mention no reason to think that there is something wrong or any reason why you are "worried about whether the 1Password code is secure" (ignoring what "is secure" could actually mean).

That said, 1Password still hasn't pushed their recently updated key to the keyservers:

$ gpg --fingerprint AC2D62742012EA22
pub   rsa4096 2017-05-18 [SC] [expired: 2025-05-16]
      3FEF 9748 469A DBE1 5DA7  CA80 AC2D 6274 2012 EA22
uid           [ expired] Code signing for 1Password <codesign@1password.com>

$ gpg --refresh-keys AC2D62742012EA22
gpg: refreshing 1 key from hkps://keys.openpgp.org
gpg: key AC2D62742012EA22: "Code signing for 1Password <codesign@1password.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1

$ curl -sS https://downloads.1password.com/linux/keys/1password.asc | gpg --import
gpg: key AC2D62742012EA22: 3 signatures not checked due to missing keys
gpg: key AC2D62742012EA22: "Code signing for 1Password <codesign@1password.com>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: Note: signatures using the SHA1 algorithm are rejected
gpg: Note: third-party key signatures using the SHA1 algorithm are rejected
gpg: (use option "--allow-weak-key-signatures" to override)
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

$ gpg --list-public-keys codesign@1password.com
pub   rsa4096 2017-05-18 [SC] [expires: 2032-05-16]
      3FEF9748469ADBE15DA7CA80AC2D62742012EA22
uid           [ unknown] Code signing for 1Password <codesign@1password.com>

and setting the key expiry for 2032 is not wise, so 1Password certainly could do better.

Forum Discussion

pgp signature not trusted

4 Replies

Recent Discussions

View access of vault details for subaccounts (staff)

CISO access to reports

Integration status: Connection Problem in Chrome on Win11

Share a password without sharing the associate Notes?

msixbundle doesnt work on intune