Please remove MacGPG from gnupg.org due to serious security concerns

Jonathan Schleifer js-gnupg-users at webkeks.org
Wed Feb 18 12:12:04 CET 2015


On 17.02.2015 at 20:16, Juergen Fenn <schneeschmelze at googlemail.com> wrote:

> Enigmail has recently discussed dropping support for GnuPG1, making
> gpg-agent/pinentry a crucial issue on the Mac. The standard version of
> pinentry from MacPorts does not work properly out of the box.

For Homebrew, there's a pinentry-mac formula, which unfortunately also does the remote code execution. I raised the issue with Homebrew; however, most posts in that ticket were deleted because some people started questioning the review process for new formulae and asked how this could even have gotten into Homebrew.

The solution I chose is an ugly, but more secure one: I use pinentry-gtk with XDarwin. Sure, it's ugly, even more so since it is upscaled on a retina display. But it's only for entering the PIN / passphrase, so I'd rather use that than pinentry-mac. I did not choose pinentry-curses because that didn't work well with signing Git commits.

> Anyway, alternatives should be mentioned on the GnuPG pages because—I
> agree with the OP—this is too important an issue, GnuPG also being used
> by many people who seriously depend on its security.

I totally agree. There should at least be a big fat warning, saying to not use it if you really depend on security.

> The question is, can we use GnuPG on the Mac and rely on it?

I'd say yes. I'm using GnuPG 2.1.2 vanilla with a Gnuk token and don't see why it should be any less reliable than on Linux.

--
Jonathan

