Safest Way to get GPG

Michaela Tilson cdmichaela3 at tutanota.com
Fri Nov 18 03:35:24 CET 2022


Good morning,

I'm sorry this question has already been posted on the mailing list, but the existing answers are a little out of date and I'm looking forward to updated advice from security experts on this. What is the safest/most reliable way to get GnuPG as a command line application on macOS?

I know it can be found with either 1) GPG Tools, 2) GnuPG for OS X, or 3) one of the package managers. GPG Tools is most often recommended, but this may be due to GUI integration. Its drawback is that it offers the LTS instead of the stable version.

I appreciate Ralph Seichter's work on the GnuPG for OS X project, but his GPG 2.3.8 package uses Libksba 1.6.0, which was recently announced to have security vulnerabilities. I can say it did not instill confidence in me. :)

Finally, Homebrew, but not MacPorts/Fink, has GnuPG 2.3 in its repository. But I've read that even popular package managers are prone to supply chain attacks if they don't ship with the OS itself.

Compared to Unix, there may be no perfect option to safely obtain GPG 2.3 on macOS other than compiling it yourself, but recommendations on how to do it in the best way (including possible mitigations and countermeasures) are appreciated.

Many thanks,
Michaela



More information about the Gnupg-users mailing list