Most secure GPG combination for Mac OS X

Nicholas Papadonis nick.papadonis.ml at gmail.com
Tue Nov 6 23:32:44 CET 2018


On Tue, Nov 6, 2018 at 7:54 AM Damien Goutte-Gattat <
dgouttegattat at incenp.org> wrote:

> Hi,
>
> First, a warning: I am by no means a "security expert" and I have
> very little experience with Mac OS X, which I only use at my
> workplace (and only because my employer didn't let me use a
> GNU/Linux workstation...).
>
> However and for what it's worth:
>
> On Tue, Nov 06, 2018 at 06:48:07AM -0500, Nicholas Papadonis wrote:
> > I noticed that there are two OSX packages for GPG:
> >
> >           Mac GPG Installer from the gpgtools project
> >           GnuPG for OS X Installer for GnuPG
>
> There's a third possibility, which is the one I use: install the GnuPG
> provided by the MacPorts project [1].
>
>
This raises another question about the security of the ports project
itself.  I read that Homebrew had some security issues, a majority of which
come from the installer making /usr/local/bin writable by users other than
root.  This allows an unprivileged application to inject a malicious binary
there, for instance sudo.  /usr/local/bin is first in the search path and
therefore the administrator password could be captured.  I also read
MacPorts may not have this security issue because the installer runs as
root and all installations run as root.


> Install MacPorts and then simply run:
>
>   $ port install gnupg2
>
> MacPorts packagers seem keen to provide the latest versions and to
> update their ports quickly when upstream publishes a new release.
> For example, Libgcrypt was updated to version 1.8.4 the day after
> that version was released.
>

Thanks for the suggestion.  I'm hoping to clear up my security questions
on MacPorts as well.  I suspect there could be many security holes based
upon the tool chain to compile the ports and all hands involved in the
source trees.

Nicholas

>
> > I'm considering using the Mac Mail.app
>
> I tried to build the Mail.app plugin from the gpgtools project,
> but failed. I don't remember what the problem was, just that I
> gave up.
>
> I am currently using alternatively Neomutt (also installed through
> MacPorts), which natively supports GnuPG, and Thunderbird with
> Enigmail. Everything is working fine, including smartcard support.
> Whether this is a "better integrated" solution than using Mail.app
> I cannot tell.
>
> Hope that helps a bit.
>
> Damien
>
> [1] https://www.macports.org/
>
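
The search-path concern raised in the message above (a directory writable by users other than root that is searched before the one holding sudo) can be checked with a short audit. This is an added example, not part of the original thread; the function names and the TRUSTED_UID variable are assumptions of the sketch.

```shell
#!/bin/sh
# Added example (not from the thread): audit the command search path.
# TRUSTED_UID is an assumption of this sketch; 0 means root.
TRUSTED_UID="${TRUSTED_UID:-0}"

# is_unsafe_dir DIR: succeeds when DIR is owned by a user other than
# TRUSTED_UID, or is group- or world-writable. -H follows a symlinked DIR.
is_unsafe_dir() {
    [ -n "$(find -H "$1" -maxdepth 0 \
        \( ! -user "$TRUSTED_UID" -o -perm -020 -o -perm -002 \) \
        2>/dev/null)" ]
}

# audit_path CMD [PATHSTRING]: walk the search path in order and report
# every unsafe directory searched before, or holding, the first copy of CMD.
# Returns 1 when at least one directory was flagged, otherwise 0.
audit_path() {
    cmd=$1
    search=${2:-$PATH}
    flagged=0
    old_ifs=$IFS
    IFS=:
    set -f                      # no glob expansion while splitting
    set -- $search              # one positional parameter per PATH entry
    IFS=$old_ifs
    set +f
    for dir in "$@"; do
        [ -d "$dir" ] || continue       # skip empty or missing entries
        if is_unsafe_dir "$dir"; then
            echo "UNSAFE: $dir"
            flagged=1
        fi
        # Stop at the directory where CMD actually resolves.
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            echo "RESOLVES: $dir/$cmd"
            break
        fi
    done
    return "$flagged"
}

# Report for sudo on the current PATH.
audit_path sudo || echo "review the directories flagged above"
```

Any UNSAFE line printed before the RESOLVES line names a directory that is searched ahead of the real binary and that a non-root user can write to.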