Please remove MacGPG from due to serious security concerns

Jonathan Schleifer js-gnupg-users at
Wed Feb 18 11:54:28 CET 2015

On 17.02.2015 at 14:31, Werner Koch <wk at> wrote:

> GnuPG's speedo build system also downloads stuff via the Makefile but it
> verifies the checksums before proceeding. The checksums are taken from a
> public file which has a detached signature and the public key for that
> is one of the GnuPG release signing keys.

While this is much better from a security point of view, it still means that building needs an internet connection. It would be nice to be able to build it on an air-gapped machine, which I guess is quite a common use case for GnuPG.

To be fair, though, I never noticed that until you mentioned it :).
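
The check described in the quoted text, adapted to the air-gapped case raised in the reply, as an added example that is not part of the original thread and is not GnuPG's speedo code: it verifies pre-fetched source tarballs against a checksum manifest and fails closed. The `sha256sum`-style manifest format and the function names are assumptions; the manifest's detached signature is assumed to have been checked beforehand with `gpg --verify`.

```python
import hashlib
import hmac
import re
from pathlib import Path

HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def parse_manifest(text):
    """Parse 'sha256-hex  filename' lines (sha256sum format, assumed here)."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        # Reject bad digests, path components and duplicate entries outright.
        if not HEX64.fullmatch(digest) or not name or "/" in name or name in expected:
            raise ValueError(f"malformed or duplicate manifest line: {raw!r}")
        expected[name] = digest.lower()
    return expected


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sources(manifest_text, source_dir):
    """Return {filename: 'ok' | 'missing' | 'mismatch' | 'unlisted'}.

    The build should proceed only if every value is 'ok'.
    """
    expected = parse_manifest(manifest_text)
    src = Path(source_dir)
    status = {}
    for name, digest in expected.items():
        path = src / name
        if not path.is_file():
            status[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), digest):
            status[name] = "ok"
        else:
            status[name] = "mismatch"
    # A file the signed manifest does not cover must not reach the build.
    for path in src.iterdir():
        if path.is_file() and path.name not in expected:
            status[path.name] = "unlisted"
    return status
```

Keep the manifest and its signature outside `source_dir`, otherwise they are reported as `unlisted`.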

