Installing 1Password in Bluefin (a better way?)

Is there a better way to install 1Password other than via rpm-ostree? Of course there is a Flatpak version but I need system integration to unlock it using my fingerprint reader (as far as I’m aware and have tried).

I also saw this somewhere but I have no idea how to use it or if it works in Bluefin: modules/modules/bling/installers/1password.sh at c0943c009d578214d8bd3d6f185a106420dc034e · blue-build/modules · GitHub

I know there has to be other 1Password users here. How are y’all using it in Bluefin?

There’s some inprogress sysexts here: GitHub - travier/fedora-sysexts: Example sysexts for Fedora image based systems

I haven’t had a chance to play with 1password yet though.

I just tried out the 1password-gui sysext and it seems to work fine, but the instructions are a bit different for ublue images.

The first bit of instructions are the same:

sudo install -d -m 0755 -o 0 -g 0 /var/lib/extensions /var/lib/extensions.d /etc/sysupdate.d
sudo restorecon -RFv /var/lib/extensions /var/lib/extensions.d /etc/sysupdate.d
SYSEXT="1password-gui"
RELEASE_TAG="fedora-kinoite-41"
URL="https://github.com/travier/fedora-sysexts/releases/download/${RELEASE_TAG}/${SYSEXT}.conf"
curl --silent --location "${URL}" | sudo tee "/etc/sysupdate.d/${SYSEXT}.conf"

However, we have to modify the sysupdate file to point to the correct variant. In my case, I had to update it to Kinoite because I’m using Aurora (%o-%W-%w was expanding to aurora-aurora-dx-41 which is totally wrong), but the process should be similar for Bluefin:

DIFF=$(cat <<EOF
6c6
< Path=https://github.com/travier/fedora-sysexts/releases/download/%o-%W-%w/
---
> Path=https://github.com/travier/fedora-sysexts/releases/download/fedora-kinoite-%w/
EOF
)

echo "$DIFF" | sudo patch -p0 "/etc/sysupdate.d/${SYSEXT}.conf"

After that, the instructions are the same:

sudo /usr/lib/systemd/systemd-sysupdate list
sudo /usr/lib/systemd/systemd-sysupdate update
sudo systemctl restart systemd-sysext.service
systemd-sysext status

It succesfully installed 1password into /usr/bin. I can’t quite get the fingerprint reader to work, but that’s probably an unrelated issue on my side.

Is the flatpak listed here not an option?

The Flatpak has a few limitations, as listed on that website:

• You’ll need to lock and unlock 1Password in your browser separately from the app.
• You won’t be able to unlock 1Password or 1Password CLI with system authentication.
• You won’t be able to use the SSH agent.

These limitations should go away if using the rpm or a sysext, in theory.

Ok, yeah that makes sense. I think you are right, a sysext/layered package shouldn’t have the restrictions.

Do these work when layered? I have 1Password layered but only the SSH agent works. Unlocking 1Password with system auth partially works. I have to unlock 1Password seperately when my desktop session starts but after that it works with system auth, I guess. But I was never able to make browser integration work.

It’s the one thing I layer, and it works well.
Any reason to go with more complex setups?

I’m on Aurora/Framework 13 (12th gen Intel) and I used the instructions here and I find that system authentication and SSH agent work great with the desktop app. I do have to separately log in to the browser extensions, though. I assumed it was because the browsers are installed via flatpak.

I have followed your instructions to install 1Password GUI, thank you very much for this! Does this approach hinder OS updates happening in the background? I just started with Aurora-dx today, so I’m still unsure about how this behaves.

I wonder now though, what is the recommended approach to install 1Password CLI? Would it be then simply with homebrew? Because somehow the CLI installed from sysext cannot connect to the GUI.

sysexts installed with this method are automatically updated with systemd-sysupdate.service and shouldn’t affect the main system updates.

For the CLI, it probably makes sense to install it using homebrew.

I’ve realized that I can run 1Password inside a Fedora 41 container via distrobox. With this approach, I followed the official instructions from 1Password for Fedora. Once installed, the 1Password GUI and CLI can both be exported with distrobox-export --app 1password and distrobox-export --bin $(which op). Sadly, the 1Password browser extension installed in Firefox doesn’t connect to the 1Password GUI, but it does for Chromium, which I also installed in and exported from the same distrobox container as the 1Password GUI/CLI.

This approach seems to be quite robust, since it doesn’t involve any layering.