z> varlock --version
0.6.4
z> op --version
2.32.1
z> op run -- python test.py
z> varlock run -- python test.py
Traceback (most recent call last):
  File "/data/mcrowe/Programming/AI/certification/varlock-repro/test.py", line 5, in <module>
    raise ValueError("ANTHROPIC_API_KEY should not start with op://")
ValueError: ANTHROPIC_API_KEY should not start with op://
Command failed with exit code 1
command [python test.py] failed
try running the same command without varlock
if you get a different result, varlock may be the problem...
System setup:
System Configuration Summary
OS & Platform
- OS: Manjaro Linux (rolling, Arch-based)
- Kernel: 6.12.77-1-MANJARO (PREEMPT_DYNAMIC)
- Architecture: x86_64
- Display Server: Wayland (KWin-based) — see note below
1Password Installation
- App version: 8.12.5-1 (installed via pacman/AUR)
- CLI version: 2.32.1
- Install path: /opt/1Password/
- Config dir: ~/.config/1Password/
- Agent socket: ~/.1password/agent.sock
- Currently running: Yes (since Mar 28)
1Password Security Settings
- Authenticated Unlock (biometry/system auth): Enabled
- Require account password after: 30 days
- Auto-lock after: 480 minutes (8 hours)
- Auto-lock trigger: ScreenSaverActivated detected
- SSH Agent: Enabled (session duration: 12h, authorization model: application)
- Debug tools: Enabled
- Hardware acceleration: Enabled
1Password Polkit Policy
- Unlock: auth_self required
- CLI authorization: auth_self required (allowed users: mcrowe, testuser)
- SSH Agent authorization: auth_self required (allowed users: mcrowe, testuser)
- Polkit version: 127
YubiKey Configuration
- Model: YubiKey 5C NFC
- Firmware: 5.4.3
- Form factor: Keychain (USB-C)
- USB interfaces: OTP, FIDO, CCID
- NFC: Enabled
- Applications enabled: OTP (both slots programmed), FIDO U2F, FIDO2, OATH, PIV, OpenPGP, YubiHSM Auth
- ykman version: 5.9.0
PAM / System Authentication
- /etc/pam.d/system-auth: pam_u2f.so configured as sufficient with nouserok cue [cue_prompt=Tap your Yubikey]
- /etc/pam.d/sudo: pam_u2f.so configured as optional with same cue prompt
- U2F keys registered: 2 keys for user mcrowe (both ES256 +presence)
AppArmor
- Status: Disabled (service inactive, not enabled at boot)
- 1Password profile: Exists at /etc/apparmor.d/1password but set to unconfined
---
Regarding "varlock" not being acknowledged
Given your follow-up about "varlock" — 1Password's polkit integration triggers auth_self, which goes through PAM. Your PAM chain is: pam_u2f.so (sufficient) → pam_unix.so. When 1Password asks polkit to authenticate you, polkit should invoke PAM, which should prompt you to tap your YubiKey. If the prompt never appears, the issue could be:
1. Polkit isn't routing through PAM correctly — polkit 127 on Manjaro may handle auth_self differently
2. The 1Password KeyringHelper (~/.config/1Password/logs/KeyringHelper/) may have more detail — you could check those logs
3. Wayland + polkit agent — make sure you have a polkit authentication agent running for your desktop environment (e.g., polkit-kde-agent)
You can verify your polkit agent is running with: ps aux | grep polkit | grep -v grep