keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Document need for 1Password to be installed to import on macOS #8259

Open nodevnul opened 2 years ago

nodevnul commented 2 years ago

You need to rename the .opvault folder to something else before it will work. This is a macOS limitation.

Originally posted by @droidmonkey in https://github.com/keepassxreboot/keepassxc/issues/8258#issuecomment-1179783640

nodevnul commented 2 years ago

Sorry droidmonkey,

to what should I rename the folder ?

I renamed it to „Tresor”, without any dot that could indicate a suffix.

And - guess what - nothing. No import.

So would you mind to elaborate further ?

Thanks.

droidmonkey commented 2 years ago

It has been too long for me to remember what to do. 1Password declares the folder to be a file on macOS which screws up the file selection process. Try various things, unfortunately I cannot provide further support.

nodevnul commented 2 years ago

Ok, none of the proposals and undertakings by you work here:

https://github.com/keepassxreboot/keepassxc/issues/5002 https://github.com/keepassxreboot/keepassxc/issues/4069


nodevnul commented 2 years ago

The 1PW 7 generated directory

1Password.opvault

is a directory in Finder and terminal. The question is: Why can't KPXC simply be directed to the

1Password.opvault/default and parse the files there for import ?

droidmonkey commented 2 years ago

Did you try this method? https://github.com/keepassxreboot/keepassxc/issues/4069#issuecomment-593407427

nodevnul commented 2 years ago

Yes,

does not work.

I asked Andrei from Keepassium and he suggested to create the folders manually and copy the files from the original default folder over. Yet this also does not work.

This really is a showstopper. If KeepassXC is positioned as a strong alternative to e. g. 1Password and „ordinary” users would like to migrate because they dislike the cloud only approach of 1PW (but let’s face it - 1PW is regarding its integration in workflows very top notch…) you certainly would not tell them they have to go the unencrypted csv-route or copy manually hundreds of entries over. In this case KeePassXC will simply fail to be considered - like it or not.


nodevnul commented 2 years ago

Ok, I think I found that little tidbit that probably makes the difference.

  1. On my previous Mac system, macOS 10.13.6

• 1PW7 is installed as an app (of course)
• The opvault-package that was generated through the sync-to-folder-feature in 1PW7 appears in the Finder truly as a package with the 1PW-icon
• Launching KPXC 2.7.1 here and navigating to that .opvault-package lets me import as described in the user manual

  2. On my new system macOS Monterey M1

• 1PW is NOT installed as an app
• copying the .opvault-package as is from the old system to the new one will show it in Finder not as a package but as an ORDINARY folder
• The import here fails because „open” is greyed out

Conclusion

• KeePassXC will let import packages only - but they must be represented as such in Finder
• A package can only be represented as such if the creator app is installed on the system
• It appears that the installment of the creator app tells the system - and only then - that this „Package” is a package of that app
• Related Apple info on packages: https://developer.apple.com/documentation/uniformtypeidentifiers/uttype/3551543-package

But besides the technical file system dependencies regarding packages it appears that the discussion of the culprit is wrong to a good amount and the problem lies on the KPXC-side:

• According to Apple - if I understand correctly - the statement that macOS filesystem treats certain folders as „files” is wrong, because either they are packages (a collection of folders and files) or bundles - and this property is dependent on the creator app
• Regardless if that .opvault-„Folder” shows as a package in Finder and terminal or as a folder - KPXC should be able to parse the contents just as a user can open a package by showing its contents or in the case where it represents as a standard folder can simply open the folder and browse through its contents.


keepassium commented 2 years ago

I concur that this is likely related to .opvault folder being recognized as a package.

On macOS 12.4 with 1Password 7 installed and .opvault selectable, running mdls 1Password.opvault lists this (among the other things):

kMDItemContentType                     = "com.agilebits.opvault"
kMDItemContentTypeTree                 = (
    "com.agilebits.opvault",
    "com.apple.package",
    "public.directory",
    "public.item"
)

@nodevnul , does it contain "com.apple.package" on your M1 system?

nodevnul commented 2 years ago

There we have it: Without 1PW7 installed:

kMDItemContentType                     = "public.folder"
kMDItemContentTypeTree                 = (
    "public.folder",
    "public.directory",
    "public.item"
)


nodevnul commented 2 years ago

So I think the md data can be modified in terminal, that is adding / modifying to the kMDItemContentType and kMDItemContentTypeTree:

kMDItemContentType = "public.folder"
kMDItemContentTypeTree = "com.apple.package"

It depends if the property

"com.apple.package"

is sufficient to force it becoming a package, or if

"com.agilebits.opvault" must be present here. Because it will only be present if 1PW7 is actually installed, not ?


keepassium commented 2 years ago

So I think the md data can be modified in terminal

I could not find a way to do that, it seems to be updated by some system service depending on installed apps.

Btw, try to import the opvault the other way round: Finder → right-click the .opvault → Open with... → Other → select KeePassXC. If it is greyed out, change the filter from "Recommended Applications" to "All Applications".

droidmonkey commented 2 years ago

Yah I thought we fixed this, we require 1PW to be installed on the system so that the "package" is registered. The old rename trick was before the fix. Unfortunately you can only choose a file OR a folder in pickers. So we originally had a folder picker which failed when 1PW was installed, and on macOS we switched it to a file picker. Having 1PW installed is the most likely scenario so covers the majority of cases.

Should add a note about that in the docs.

agsola commented 2 years ago

Yah I thought we fixed this, we require 1PW to be installed on the system so that the "package" is registered. The old rename trick was before the fix.

I can confirm this. I had to go back to my old computer with 1Password installed in order to be able to import. No other solution worked (including changing extensions). With 1password installed, no additional action required. Just worked out of the box.

metawops commented 2 years ago

Unfortunately, for me it does not work.

I get the Read Database did not produce an instance Unable to decode masterKey: Malformed OpData01 due to a failed HMAC error after successfully selecting the .opvault package (looks like a file but is a folder) and entering my master password. (And my master password does not include any "special" characters, just letters, numbers and normal punctuation marks that are on any keyboard.)

I'm on macOS 12.6 (Monterey) with 1Password 6.8.9 installed and created a new local vault in which I copied all my ~1170 entries of my main vault. I then set up sync to a folder for that new local vault and got the .opvault directory. I'm using KeePassXC 2.7.1 (latest release as of this writing).

Interesting observation, though: when I right click on the .opvault entry in Finder and select "Open with ..." and choose KeePassXC to open it and enter my master password I then get another error message: Unable to open file /Users/stefan/1PasswordLocalVault.opvault. 🤷‍♂️

So, still no go for me. Any help/hints/ideas appreciated! 🙏

droidmonkey commented 2 years ago

You can only open opvault from the Import menu. You need to put the 1password password in when opening. The error you received in the first part of your message means your opvault is either corrupt or you entered the wrong password.

metawops commented 2 years ago

You can only open opvault from the Import menu. You need to put the 1password password in when opening. The error you received in the first part of your message means your opvault is either corrupt or you entered the wrong password.

Actually, no.

The process I described in my comment above was made on an m1 Pro Max Apple Silicon MacBook Pro.

I did the exact same thing now on my Intel based iMac and everything worked like a charm! So, my .opvault file is not corrupt and the password worked fine, too.

So it smells like it has something to do with the Apple Silicon build of KeePassXC I used on that M1 MacBook Pro. Sounds weird, I know. But that's the only difference. On the Intel iMac with the Intel build of KeePassXC everything worked. 🤷‍♂️

droidmonkey commented 2 years ago

Cool glad it worked but there is no code difference between the two platforms. Either way opvault format is no longer a thing in 1password so this import method is going away soon.

And yes that error message is output because decryption failed which means one of the two things I mentioned. Barring a complete failure in the decryption algorithm itself, which is very very unlikely.
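The check behind the "failed HMAC" message discussed above, as an added Python example that is not part of the thread and not KeePassXC's code: it follows the published OPVault opdata01 layout and shows that a wrong password and a damaged blob end in the same result. The passwords, salt, iteration count and blob are constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

MAGIC = b"opdata01"

def derive_keys(password, salt, iterations):
    """PBKDF2-HMAC-SHA512 -> 64 bytes: first 32 = AES key, last 32 = HMAC key."""
    raw = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)
    return raw[:32], raw[32:]

def check_opdata01(blob, mac_key):
    """Return 'ok', 'malformed' (bad framing) or 'hmac-failed'."""
    # Layout: magic(8) | plaintext length(8, LE) | IV(16) | ciphertext | HMAC-SHA256(32)
    if len(blob) < 8 + 8 + 16 + 16 + 32 or blob[:8] != MAGIC:
        return "malformed"
    body, tag = blob[:-32], blob[-32:]
    (plain_len,) = struct.unpack("<Q", body[8:16])
    ciphertext = body[32:]
    if len(ciphertext) % 16 or plain_len > len(ciphertext):
        return "malformed"
    # The tag covers everything before it and is checked before any decryption.
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(expected, tag) else "hmac-failed"

def make_sample_blob(mac_key, plain_len=256):
    """Constructed blob: fixed bytes stand in for the IV and AES-CBC ciphertext."""
    iv = bytes(16)
    ciphertext = bytes(range(16)) * (plain_len // 16 + 1)
    body = MAGIC + struct.pack("<Q", plain_len) + iv + ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def demo():
    # Constructed values; a real vault keeps salt and iterations in profile.js.
    salt, iterations = bytes(range(16)), 1000
    _, mac_key = derive_keys("correct-password", salt, iterations)
    _, wrong_key = derive_keys("wrong-password", salt, iterations)
    blob = make_sample_blob(mac_key)
    flipped = blob[:40] + bytes([blob[40] ^ 1]) + blob[41:]  # one damaged ciphertext bit
    return {
        "right password": check_opdata01(blob, mac_key),
        "wrong password": check_opdata01(blob, wrong_key),
        "damaged file": check_opdata01(flipped, mac_key),
    }

if __name__ == "__main__":
    print(demo())
```

Because the HMAC key is derived from the password, the verifier cannot tell a wrong password from modified data; both stop at the tag comparison before any decryption is attempted.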

nodevnul commented 2 years ago

Jonathan,

could the project then provide info on the project website on when exactly the import method will be deprecated ? Or can the method just be left as a feature in the code ? Although 1PW moved on to deprecate opvault yet there still might be users that decide to jump ship with their opvaults very late because they might still prefer to use 1PW 7 because they do not have any incentive to upgrade to systems that would require minimum 1PW 8.

thanks


droidmonkey commented 2 years ago

Nothing stops you from downloading an older version of KeePassXC from our releases page. Carrying dead code around is not in our best interest, especially when it's somewhat flaky and for a now unsupported feature.

nodevnul commented 2 years ago

Yes, I understand that.

Yet IMHO the project would do users a favor to outline that on the website.


nodevnul commented 2 years ago

If the opvault is without the package-flag it is an ordinary folder and the context menu does not provide a „Open with“ naturally.

I have already imported it on the old system and copied the KPXC-database to the new system - no problem.

Yet it would be interesting if there is a way to edit the md properties…
