Forum Discussion
Jacek
4 months ago · New Contributor
pgp signature not trusted
I upgraded PGP signatures:
$ curl -sS https://downloads.1password.com/linux/keys/1password.asc | gpg --import
gpg: key AC2D62742012EA22: 3 signatures not checked due to missing keys
gpg: key AC2D62...
Jacek
4 months ago · New Contributor
This check is performed during package installation in ArchLinux.
Here is a full check in Linux:
[jacek@lixlap08 1password-cli]$ ls -lh op*
-rwxr-xr-x 1 jacek jacek 24M 05-28 12:04 op
-rw-r--r-- 1 jacek jacek 8,7M 07-12 21:38 op_linux_amd64_v2.31.1.zip
-rw-r--r-- 1 jacek jacek 566 05-28 12:15 op.sig
[jacek@lixlap08 1password-cli]$ gpg --verify op.sig
gpg: assuming signed data in 'op'
gpg: Signature made śro, 28 maj 2025, 12:15:49 CEST
gpg: using RSA key 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
gpg: Good signature from "Code signing for 1Password <codesign@1password.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3FEF 9748 469A DBE1 5DA7 CA80 AC2D 6274 2012 EA22
So, if I understand correctly, there is nothing to worry about, and the code is authentic/secure?
- AJCxZ0 · 4 months ago · Bronze Expert
If you are trying to check that `op_linux_amd64_v2.31.1.zip` was signed with the detached signature `op.sig`, then you should run `gpg --verify op.sig op_linux_amd64_v2.31.1.zip`.
The check done during the package installation is almost certainly done correctly and the process should fail if the check fails. In the trust model with which you're working, the successful install of a native or AUR package should give you confidence that the file(s) fetched have not been modified since the package was last updated.
- Jacek · 4 months ago · New Contributor
Great, thanks.
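
The check from AJCxZ0's answer, scripted, as an added example that is not part of the thread and not 1Password's or Arch's own tooling: it names the signed file explicitly and pins the primary key fingerprint shown in the gpg output above, which is the check that a "Good signature" from a key marked `[unknown]` still leaves to you. The function names and the constructed `SAMPLE_STATUS` lines are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not 1Password's or Arch's own tooling.
# Fingerprint as printed by gpg in this thread; confirm it out of band before pinning.
EXPECTED_FPR=3FEF9748469ADBE15DA7CA80AC2D62742012EA22

# check_status FPR: reads `gpg --status-fd` lines on stdin. Succeeds only when
# there is a GOODSIG, no failure status, and a VALIDSIG whose primary-key
# fingerprint (its last field) equals FPR.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # Field 3 may be a signing subkey, so compare the last field instead.
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { pinned = 1 }
        END { exit (good && pinned && !bad) ? 0 : 1 }
    '
}

# verify_detached SIG FILE [FPR]: names the signed file explicitly, so gpg
# never falls back to guessing it from the signature file name.
verify_detached() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "${3:-$EXPECTED_FPR}"
}

# Constructed status output for a good signature from a key with no owner
# trust set, the case that prints "[unknown]" and the WARNING lines.
SAMPLE_STATUS="[GNUPG:] GOODSIG AC2D62742012EA22 Code signing for 1Password
[GNUPG:] VALIDSIG $EXPECTED_FPR 2025-05-28 1748427349 0 4 0 1 10 00 $EXPECTED_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"

if [ "$#" -eq 2 ]; then
    # Usage: sh verify.sh op.sig op_linux_amd64_v2.31.1.zip
    if verify_detached "$1" "$2"; then echo "OK: $2"; else echo "FAILED: $2"; exit 1; fi
else
    # No arguments: run the parser over the constructed sample.
    printf '%s\n' "$SAMPLE_STATUS" | check_status "$EXPECTED_FPR" && echo "sample accepted"
fi
```

The script decides on gpg's machine-readable status lines rather than on the human-readable text, so the "not certified with a trusted signature" warning does not affect the result while a wrong key or altered file does.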