Please remove MacGPG from gnupg.org due to serious security concerns

Lukas Pitschl lukele at gpgtools.org
Fri Feb 20 10:29:33 CET 2015


> I haven't tried Patrick's installer but it should be a fine option as
> the core. The Mail plug-in should work just fine with 2.1 like it works
> with upstream 2.0.* builds. I'm not aware of any specific need for
> MacGPG in that regard. Same goes for the other little helpers.
> 

We also believe that gnupg 2.1 should work as is with our Mail plugin and our other applications; it also includes some improvements we've currently added patches for, so we should be able to get rid of a lot of them. Unfortunately, until now we've not had the time to look more closely into the changes in gnupg 2.1.
It would be great if there were an outline of the changes which might break backwards compatibility (if any). Following gnupg-devel, I've read about --allow-loopback-pinentry, which sounded like our tools might need some adjustments in that area.

> The things that would require a little changing are the launchd
> templates that are used to start gpg-agent et al. I've been using my own
> templates already before, and with 2.1 it's even simpler as per the
> changes related to gpg-agent. This sort of a script is not even
> necessary unless one needs SSH support, which I do. I've attached my new
> template here.
> 

Since gpg-agent was changed to be started on demand, we've not been using any launchd scripts, as there no longer seems to be a need for them.

> I know, that's a lot of /shoulds/ :). There is an existing ticket [1]
> for the MacGPG upgrade to 2.1 and it links to a couple of their support
> requests [2] [3], one of which mentions the need to /"first have to adapt
> our library which is responsible for communicating with the gnupg
> binary"/. Lukas, maybe you could comment on the other tools'
> dependencies on MacGPG, if any.
> 

There's no direct dependency on MacGPG from the tools, since all the communication goes through our Libmacgpg framework.
We have some users who are using homebrew's gnupg or their own compiled version of gnupg, and they've not run into major issues.
One issue that was recently mentioned on our support platform is that pinentry doesn't store pass phrases if used with homebrew's gnupg; it does, however, if they're using MacGPG2. So there still seem to be minor differences, but ones that should be fixed rather easily.
We'd be more than happy to work with gnupg-devel to get rid of our patches and build and distribute "vanilla" gnupg.

> [1]:
> https://gpgtools.lighthouseapp.com/projects/66001/tickets/142-update-to-gnupg-21
> [2]:
> https://gpgtools.tenderapp.com/discussions/problems/29108-gnupg-21-ecc-is-now-in-stable
> [3]:
> https://gpgtools.tenderapp.com/discussions/suggestions/150-gnupg-21-modern-for-mac
> 
> --
> Ville
> <com.ruriat.gpgagent.plist>

Best,

Lukas
GPGTools
