Please remove MacGPG from gnupg.org due to serious security concerns

Ville Määttä mailing-lists at asatiifm.net
Fri Feb 20 15:45:32 CET 2015


On 20.02.15 11:29, Lukas Pitschl wrote:
> It would be great if there’s an outline of the changes which might break backwards compatibility (if any).

From a usage point of view: https://gnupg.org/faq/whats-new-in-2.1.html

>> The things that would require a little changing are the launchd
>> templates that are used to start gpg-agent et al. I've been using my own
>> templates already before and with 2.1 it's even simpler as per the
>> changes to related gpg-agent. This sort of a script is not even
>> necessary unless one needs SSH support which I do. I've attached my new
>> template here.
>>
> 
> Since gpg-agent was changed to be started on demand we’ve not been using any launchd scripts, as there no longer seems to be a need for them.
> 

Well sure you do, with 2.0.* branch? At least the templates are being
installed by the suite installer. The on-demand change is with 2.1.

> since all the communication goes through our Libmacgpg framework.

What is the need for Libmacgpg and its dependencies to MacGPG? I.e. why
don't the tools just directly communicate with gpg-agent et al.? (Not
including basic abstraction of functionality.)

> One that was recently mentioned on our support platform is that pinentry doesn’t store pass phrases if used with homebrew’s gnupg, it does however if they’re using MacGPG2

Hmm, why would pinentry cache anything? I might be quite wrong but
shouldn't gpg-agent be responsible for this?

-- 
Ville
