Add 1password-cli Formula

[kevinli23]

Problem

The current method of downloading the cli using brew conflicts with the cask 1password-cli that is hosted on homebrew/cask.

Solution

In order to avoid future conflicts with upgrading the CLI, adding a Formula and specifying the build-from-source flag when running brew install will solve that.

[SimonBarendse]

The Biometric Unlock feature requires the CLI to be installed in /usr/local/bin/ as part of the validation the 1Password apps do to validate the authenticity of the binary that connects (https://developer.1password.com/docs/cli/get-started#install).

We'll need to figure out a way forward here that achieves these three things:

1. We continue to provide the same security guarantees
2. Allow installation via a Brew Formulae (in a different location)
3. 1Password apps allow connections via Biometric Unlock

I recommend chatting with @jpcoenen.

[jkyjustin]

The Biometric Unlock feature requires the CLI to be installed in /usr/local/bin/ as part of the validation the 1Password apps do to validate the authenticity of the binary that connects (https://developer.1password.com/docs/cli/get-started#install).

We'll need to figure out a way forward here that achieves these three things:

1. We continue to provide the same security guarantees
2. Allow installation via a Brew Formulae (in a different location)

Hey @SimonBarendse - Horia's submitted an MR on core that includes the brew formula installation location sandbox exception that's been getting enough approvals. I think we can merge this and begin testing it.

We can serve the Cask and formula both in this tap for now while we test - what do you think?

[jkyjustin]

Looks like merging this may not work.

When trying to install the formula via this tap on this branch, I get the following error:

> brew install https://github.com/1Password/homebrew-tap/blob/add-formula-download/Formula/op-cli.rb
Error: Non-checksummed download of op-cli formula file from an arbitrary URL is unsupported! 'brew extract' or 'brew create' and 'brew tap-new' to create a formula file in a tap on GitHub instead.

Looking a bit more into this error, it seems that brew is only allowing formula rb files generated by their brew commands due to security reasons:

For security reasons Homebrew stopped allowing direct Formula references like that.

ruediger/VobSub2SRT#87

Of course these pkgs can be still installed via local formula ruby files (brew install --build-from-source <formula>.rb) but I don't think that will be the optimal experience for our users.

Update: It looks like first adding the tap and then installing the package still works:

> brew tap 1password/tap
> brew install op-cli
> op -v
2.4.1
> brew list
==> Formulae
awscli		c-ares		go		libnghttp2	node		[email protected]	readline	six
bash		ca-certificates	icu4c		libuv		oniguruma	pandoc		redis		sqlite
brotli		gdbm		jq		mpdecimal	op-cli		[email protected]	shellcheck	xz

==> Casks
1password-cli	docker
> brew info op-cli
1password/tap/op-cli: stable 2.4.1


/usr/local/Cellar/op-cli/2.4.1 (3 files, 13.8MB) *
  Built from source on 2022-06-10 at 15:51:08
From: https://github.com/1password/homebrew-tap/blob/HEAD/op-cli.rb

Would appreciate if anyone else could confirm this. What I don't understand is how brew is able to figure out to pull the op-cli.rb file from this branch when it's not on master and no branch is specified 🤔

[vitorgalvao]

The Biometric Unlock feature requires the CLI to be installed in /usr/local/bin/ as part of the validation the 1Password apps do to validate the authenticity of the binary that connects (https://developer.1password.com/docs/cli/get-started#install).

Looks like this is no longer the case, and that the 1Password CLI now works fine in /opt/homebrew/bin.

[AndyTitu]

Closing