Arch Linux User Repository

As of the 2.24.0-2 release, Zsh shell completion is no longer provided by the package to mirror the official packages. Users that wish to use shell completion can add a line to their shell's dotfile.

See the official docs for instructions specific to your shell: https://developer.1password.com/docs/cli/reference/commands/completion/

---

It is recommended to verify the authenticity of the binary by using Agilebits's PGP code signing key. Their public key ID is published in the install documentation.

gpg --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22

@chopps Thanks for giving notice. I can confirm the SHAs of all three editions have changed ( not only amd64), and this definitely was not the case two weeks ago. This means someone may have changed the binaries on AgileBit’s server without bumping either of version number, build number, and release date.

Generally, this can be indicative of a compromised download. I recommend to always keep that in mind before you install anything that shows a checksum error. In this particular case though, the changed binaries are still signed by AgileBits, and my GPG says the signature is 100 % OK. Therefore I feel the package to be probably safe to use.

With all that said, I have reached out [1] to AgileBits and will wait for their response before I update the signatures in the PKGBUILD.

[1] https://discussions.agilebits.com/discussion/91299/cli-binaries-changed-without-notice-signature-still-ok-though

I'm getting a validation failure on the amd64 zip. I downloaded and checked the signature (and did a bit more work to actually trust the signature by finding a picture of the business card of the signer showing the fingerprint), and my zip file appears valid. My sha256sum for it is different from this PKGBUILD.

Bumped to v0.4.1. Thanks @dmeijboom for the heads up!

Thanks @betsu and @mattikus! Updated.

@Sh4rk I just update the package to v0.4.

--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Felix Seidel <felix@seidel.me>

 pkgname=1password-cli
-pkgver=0.3
+pkgver=0.4
 pkgrel=1
 pkgdesc="1Password command line tool"
 arch=('x86_64' 'i686' 'arm')
@@ -13,11 +13,12 @@ source_x86_64=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_amd
 source_i686=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_386_v$pkgver.zip")
 source_arm=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_arm_v$pkgver.zip")

-sha256sums_x86_64=('0e2416b56b00fdd7f970365ed8a7e2b6e38f5c5d2c94c1fd68a980bcfee1529a')
-sha256sums_i686=('598f767b3e914f137cb0e8a0acac1ad72625ad011aa9d6a2d1bf45216a6e8c97')
-sha256sums_arm=('c0f2e59e536685bd5c8b8ca70a4fd8bd4becef7eee93b8d733276066e37b8cb2')
+sha256sums_x86_64=('421ca41fa376a6a6bc8e314c83959872e4658c5fbd3a20c0bf83a50922326b0b')
+sha256sums_i686=('e0ac90259ec0e49b517ca2afd3122523553c98f186af2f1fa0dfa18a989f3d43')
+sha256sums_arm=('0c32633587325e3874c19ba5e6e658eb1ba8b3354c15c3c9da3f9d9ef849d8ca')

 check() {
+  gpg --receive-keys 3FEF9748469ADBE15DA7CA80AC2D62742012EA22
   gpg --verify-files ${srcdir}/op.sig
 }

@Sh4rk You’re welcome, and thanks for applying the patch!

@Auerhuhn thanks for the patch and sorry for the delay! You're a co-maintainer now. :)

@Sh4rk Would you mind updating the package, or perhaps adding me as a co-maintainer?

This package really needs updating; v0.1.1 doesn’t even work anymore against the current API. I’ve prepared a patch; feel free to use it:

--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Felix Seidel <felix@seidel.me>

 pkgname=1password-cli
-pkgver=0.1.1
+pkgver=0.2.1
 pkgrel=1
 pkgdesc="1Password command line tool"
 arch=('x86_64' 'i686' 'arm')
@@ -13,9 +13,9 @@ source_x86_64=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_amd
 source_i686=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_386_v$pkgver.zip")
 source_arm=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_arm_v$pkgver.zip")

-sha256sums_x86_64=('6dc01dce5138f5ec8c6d6853fb22d02cfe1c0b0178f02754278d4dcac11f038b')
-sha256sums_i686=('b0edd3b2125e9bab79c7371b00f3356b37a073c65a9ca72c7b7984700e20a881')
-sha256sums_arm=('83aee44c19db20404d18bf2f1ce466294865b1f7a4f0e48bc0f925dc3dd3499d')
+sha256sums_x86_64=('3ba640545e32c94775534dfc8bf036398ad573d0f001492e7f1818e77d183b73')
+sha256sums_i686=('71fd9885d28346384dd7833552d7e0f149da0cbe774ad927ffceea8985a7dff0')
+sha256sums_arm=('b7cd9c03638ac2369db3b8f95cb2959642b219ed7938f6583561a6c5fc697c3d')

 check() {
   gpg --verify-files ${srcdir}/op.sig

I suggest this patch in order to pin the signature validation to the known fingerprint: ``` --- a/PKGBUILD +++ b/PKGBUILD @@ -8,6 +8,7 @@ arch=('x86_64' 'i686' 'arm') url="https://app-updates.agilebits.com/product_history/CLI" license=('custom') options=('!strip' '!emptydirs') +validpgpkeys=('3FEF9748469ADBE15DA7CA80AC2D62742012EA22') # 1Password <codesign@1password.com> source_x86_64=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_amd64_v$pkgver.zip") source_i686=("https://cache.agilebits.com/dist/1P/op/pkg/v$pkgver/op_linux_386_v$pkgver.zip") ```

for the security minded, you will probably want to verify the pgp signature of the binary. # manually keybase pgp verify -d op.sig -S 1password -i op # using gpg integration keybase follow 1password keybase pgp pull 1password # now pacaur should find the public key in your local gpg ring pacaur -S 1password-cli