Verify the authenticity of 1Password CLI
To confirm the authenticity of 1Password CLI, the tool and all its updates are digitally signed and offered exclusively through the 1Password CLI download page. Always get updates directly from 1Password, and always check to make sure that you have the latest version.
- Mac
- Windows
ZIP file
To confirm that the contents of the 1Password CLI ZIP file are authentic, unzip the file, then run the following command in the unzipped folder:
Package file
To confirm the 1Password CLI installer file is authentic, you can verify the digital signature before installation.
- Double-click the 1Password CLI installer to open it. If you see "This package will run a program to determine if the software can be installed", click Continue. This will not begin the installation.
- Click the lock icon in the top right corner of the installer window. If you don't see the lock icon, the package is unsigned, and you shouldn't install it.
- Select Developer ID Installer: AgileBits Inc. (2BUA8C4S2C). If you see a different developer ID, or the certificate doesn't have a green checkmark indicating that it's valid, don't install the package.
- Click the triangle next to Details and scroll down.
- Make sure that the SHA-256 fingerprint in the installer matches the following fingerprint from the current AgileBits certificate. If they match, the signature is verified; click OK and continue installation.
Hash | Fingerprint |
---|---|
SHA‑256 | 14 1D D8 7B 2B 23 12 11 F1 44 08 49 79 80 07 DF 62 1D E6 EB 3D AB 98 5B C9 64 EE 97 04 C4 A1 C1 |
The installer automatically verifies the files in the package. If any file has an issue, installation stops without changes to your system, and you'll see a message that the installer encountered an error.
To confirm the 1Password CLI installer for Windows is authentic, you can use gpg or verify its Authenticode signature. Both options must be run in PowerShell as an administrator.
To verify the 1Password CLI installer using gpg, run these commands in the directory where you extracted the op.exe
binary:
To verify the Authenticode signature of the op.exe
binary, navigate to the directory where the binary is located and run the following command to ensure that the SignerCertificate
field is 4303B08E811A555F92453427BB01DFE35E71B754
and that it is valid.