Thursday, September 8, 2011

1Password 3.9

1Password 3.9 is now available, and only from the Mac App Store. It’s the first non-Apple application I’ve installed that’s sandboxed:

icarus$ codesign -d --entitlements - /Applications/1Password.app
Executable=/Applications/1Password.app/Contents/MacOS/1Password
??qq&<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.print</key>
    <true/>
    <key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
    <string>com.agilebits.onepassword-osx-helper</string>
</dict>
</plist>
icarus$ codesign -d --entitlements - /Applications/1Password.app/Contents/Library/LoginItems/1Password\ Helper.app
Executable=/Applications/1Password.app/Contents/Library/LoginItems/1Password Helper.app/Contents/MacOS/1Password Helper
??qq?<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.temporary-exception.files.home-relative-path.read-only</key>
    <array>
        <string>/Library/Safari/Databases/safari-extension_com.agilebits.onepassword-safari-2bua8c4s2c_0/</string>
        <string>/Library/Application Support/Google/Chrome/Default/databases/chrome-extension_gkndfifopckmhdkohjeoljlbfnjhekfg_0/</string>
        <string>/Library/Application Support/Firefox/Profiles/OnePassword.sqlite</string>
    </array>
    <key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
    <array>
        <string>/Dropbox/</string>
    </array>
</dict>
</plist>
icarus$ codesign -d --entitlements - /Applications/1Password.app/Contents/Library/LoginItems/1Password\ Helper.app/Contents/XPCServices/ThumbnailService.xpc/
Executable=/Applications/1Password.app/Contents/Library/LoginItems/1Password Helper.app/Contents/XPCServices/ThumbnailService.xpc/Contents/MacOS/ThumbnailService
??qq/<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>

You can see that the XPC service that fetches thumbnails over the network does not have access to the filesystem. And the helper application that reads the files only acts as a server.
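To turn dumps like the ones above into a quick checklist, here is an added Python example (not from the post and not AgileBits code) that strips the binary blob header codesign prints ahead of the XML, parses the plist with the standard library, and summarizes the sandbox, network, file and temporary-exception entitlements. The sample bytes are constructed from the helper's entitlements, and the rules in `concerns()` are this example's own policy, not Apple's.

```python
import plistlib

# Constructed sample: the helper's entitlements, prefixed with a fake 8-byte
# blob header standing in for the non-printable bytes codesign emits before
# the XML when writing entitlements to stdout.
SAMPLE = b"\xfa\xde\x71\x71\x00\x00\x01\x2c" + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
    <array>
        <string>/Dropbox/</string>
    </array>
</dict>
</plist>
"""
PREFIX = "com.apple.security."

def parse_entitlements(raw: bytes) -> dict:
    """Drop anything before the XML declaration, then parse the plist."""
    start = raw.find(b"<?xml")
    if start < 0:
        raise ValueError("no XML plist in entitlements output")
    return plistlib.loads(raw[start:])

def summarize(ent: dict) -> dict:
    """Reduce an entitlements dict to the questions a reviewer asks first."""
    # Keep only com.apple.security.* keys whose value is truthy (true or a non-empty array).
    on = {k[len(PREFIX):] for k, v in ent.items() if k.startswith(PREFIX) and v}
    return {
        "sandboxed": "app-sandbox" in on,
        "network": sorted(k.split(".")[1] for k in on if k.startswith("network.")),
        "files": sorted(k for k in on if k.startswith("files.")),
        "temporary_exceptions": sorted(k for k in on if k.startswith("temporary-exception.")),
    }

def concerns(summary: dict) -> list:
    """Combinations worth a second look (this example's policy, not Apple's)."""
    out = []
    if not summary["sandboxed"]:
        out.append("not sandboxed")
    if summary["temporary_exceptions"]:
        out.append("relies on temporary exceptions that Apple may revoke")
    if "client" in summary["network"] and (summary["files"] or summary["temporary_exceptions"]):
        out.append("outbound network access combined with file access")
    return out
```

Feed it the real output of `codesign -d --entitlements - <bundle>` captured to a file and run it once per nested bundle (main app, login item, each XPC service) to see which process holds which capability.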

Because of sandboxing and the Mac App Store, various features have been removed. You can now only have one keychain, and it must either be stored in 1Password’s container or at the top level of Dropbox’s standard location. Dropbox support and communicating with the browser extensions require temporary entitlements.

Normally I would be up in arms about a good application being crippled by Apple’s rules, but in this case I don’t think I’ll miss anything—unless (until?) the temporary entitlements go away. I have a single keychain, I don’t store it in a funny location, and I don’t want to inject code into my browsers.

Furthermore, I have no reason to distrust AgileBits—and they seem like a great company from our limited dealings—but it never seemed prudent to let my password application auto-update by contacting their server. With the Mac App Store, I can get automatic updates from Apple while blocking the application itself from using the network.

Note: As far as I can tell, the 1-star review from “Ptg4mac” claiming that version 3.9 can’t read files from previous versions is incorrect.