Please remove MacGPG from gnupg.org due to serious security concerns

Lukas Pitschl lukele at gpgtools.org
Fri Feb 20 15:54:50 CET 2015


> 
> Well sure you do, with 2.0.* branch? At least the templates are being
> installed by the suite installer. The on-demand change is with 2.1.
> 

If I’m not mistaken it has been added in 2.0.24 or the like.
The template for launchd is no longer installed by our installer. If it’s still on your system, it might not have been properly removed.

>> since all the communication goes through our Libmacgpg framework.
> 
> What is the need for Libmacgpg and its dependencies to MacGPG? I.e. why
> don't the tools just directly communicate with gpg-agent et al.? (Not
> including basic abstraction of functionality.)
> 

Libmacgpg is similar to gpgme, but more friendly and easier to integrate for Objective-C projects.
We communicate with the gnupg binary, which then invokes gpg-agent when necessary.

>> One that was recently mentioned on our support platform is that pinentry doesn’t store pass phrases if used with homebrew’s gnupg, it does however if they’re using MacGPG2
> 
> Hmm, why would pinentry cache anything? I might be quite wrong but
> shouldn't gpg-agent be responsible for this?
> 

gpg-agent does the caching, but pinentry communicates with gpg-agent. We’ve not been able to look into the homebrew issue yet, so not sure why that’s not working properly there.
Unless the user chooses to store their passphrase in OS X’s Keychain, then the lookup occurs directly in pinentry. (This is OS X only stuff, not sure if there’s something similar on Linux.)

> --
> Ville
> 
