Most secure GPG combination for Mac OS X

Nicholas Papadonis at
Tue Nov 6 23:32:44 CET 2018

On Tue, Nov 6, 2018 at 7:54 AM Damien Goutte-Gattat <
dgouttegattat at> wrote:

> Hi,
> First, a warning: I am by no means a "security expert" and I have
> very little experience with Mac OS X, which I only use at my
> workplace (and only because my employer didn't let me use a
> GNU/Linux workstation...).
> However and for what it's worth:
> On Tue, Nov 06, 2018 at 06:48:07AM -0500, Nicholas Papadonis wrote:
> > I noticed that there are two OSX packages for GPG:
> >
> >           Mac GPG Installer from the gpgtools project
> >           GnuPG for OS X Installer for GnuPG
> There's a third possibility, which is the one I use: install the GnuPG
> provided by the MacPorts project [1].
This raises another question about the security of the ports project
itself.  I read that Homebrew had some security issues, a majority of which
come from the installer making /usr/local/bin writable by users other than
root.  This allows an unprivileged application to inject a malicious binary
there, for instance sudo.  /usr/local/bin is first in the search path and
therefore the administrator password could be captured.  I also read
MacPorts may not have this security issue because the installer runs as
root and all installations run as root.

> Install MacPorts and then simply run:
>   $ port install gnupg2
> MacPorts packagers seem keen to provide the latest versions and to
> update their ports quickly when upstream publishes a new release.
> For example, Libgcrypt was updated to version 1.8.4 the day after
> that version was released.
Thanks for the suggestion.  I'm hoping to clear up my security questions
on MacPorts as well.  I suspect there could be many security holes based
upon the tool chain to compile the ports and all hands involved in the
source trees.


> > I'm considering using the Mac
> I tried to build the plugin from the gpgtools project,
> but failed. I don't remember what the problem was, just that I
> gave up.
> I am currently using alternatively Neomutt (also installed through
> MacPorts), which natively supports GnuPG, and Thunderbird with
> Enigmail. Everything is working fine, including smartcard support.
> Whether this is a "better integrated" solution than using
> I cannot tell.
> Hope that helps a bit.
> Damien
> [1]
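
A check for the search-path concern raised in the message above, as an added example that is not part of the original thread nor code from Homebrew or MacPorts: it lists every directory that is searched at or before the first directory holding a given command and that is owned by a non-trusted account or is group- or world-writable. The function names and the optional trusted-UID argument (default 0, root) are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: find PATH directories where a non-root account could plant
# or replace a binary (such as sudo) that the shell would then run.

# dir_is_risky DIR [TRUSTED_UID]
# Succeeds when DIR is owned by someone other than TRUSTED_UID (default 0)
# or carries the group- or world-write bit. Missing directories are skipped.
dir_is_risky() {
    dir=$1
    trusted=${2:-0}
    # -n prints numeric owner, -L follows a symlinked directory
    info=$(ls -ldnL -- "$dir" 2>/dev/null) || return 1
    mode=$(printf '%s\n' "$info" | awk '{print $1}')
    owner=$(printf '%s\n' "$info" | awk '{print $3}')
    [ "$owner" != "$trusted" ] && return 0
    case $mode in
        ?????w*|????????w*) return 0 ;;   # char 6 = group write, char 9 = other write
    esac
    return 1
}

# shadow_risks CMD PATH_STRING [TRUSTED_UID]
# Prints each risky directory searched at or before the first directory
# that contains an executable CMD. Directories after that cannot shadow it.
shadow_risks() {
    cmd=$1
    path=$2
    trusted=${3:-0}
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting the path string
    for d in $path; do
        [ -n "$d" ] || d=.      # an empty PATH entry means the current directory
        if dir_is_risky "$d" "$trusted"; then
            printf '%s\n' "$d"
        fi
        if [ -x "$d/$cmd" ] && [ ! -d "$d/$cmd" ]; then
            break
        fi
    done
    set +f
    IFS=$old_ifs
}

# Audit the current search path for the case discussed in the message.
shadow_risks sudo "$PATH"
```

Any directory it prints is a place where the account that owns it, or a member of its group, can put a file that is found before or instead of the system binary.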

More information about the Gnupg-users mailing list