Safest Way to get GPG

Damien Goutte-Gattat dgouttegattat at incenp.org
Mon Nov 21 21:59:12 CET 2022


Hi,

On Friday, 18 November 2022 02:35:24 GMT Michaela Tilson via Gnupg-users wrote:
> I'm looking forward to updated advice from security experts on this. What is the safest/most reliable way to get GnuPG as a command line application on macOS?

Not pretending to be any kind of security expert, but on my professional Mac, I use MacPorts, with a custom copy of the ports repository where I upgraded gnupg2 to the latest release from the 2.3 branch.


> GPG Tools is most often recommended, but this may be due to GUI integration. Its drawback is that it offers the LTS instead of the stable version.

I _also_ use GPG Tools, but _solely_ for the Apple Mail plugin. The plugin uses the MacPorts-installed GnuPG binaries and daemons instead of those from GPG Tools, so I can benefit from the 2.3 branch.


> But I've read that even popular package managers are prone to supply chain attacks if they don't ship with the OS itself.

As mentioned above, I have a local clone of the ports repository and I install my ports from there. I did that for GnuPG primarily so that I could bump the version from 2.2.x to 2.3.x, but even if you don’t change anything in the ports tree, having it locally on your machine allows you to manually inspect any Portfile – in particular, you can check the hashes for the source tarballs, and compare them with the hashes from the GnuPG website and/or from the latest announcement e-mail.

(And if you already have access to a working GnuPG installation somewhere – on another machine maybe? –, you can then download the GnuPG tarballs from gnupg.org along with the corresponding signatures, check the signatures, and compute the hashes yourself on the now verified tarballs. Then compare with the hashes in the Portfiles.)

Hope that helps!

- Damien
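The Portfile cross-check Damien describes, written out as an added example (this is not code from the thread, from Damien, or from the MacPorts project). It assumes the MacPorts Portfile convention of a `checksums` block that carries a `sha256 <hex>` entry, hashes files with `openssl dgst` so it runs on both stock macOS and Linux, and builds a constructed fixture in place of real GnuPG files: a 5-byte stand-in "tarball" whose sha256 is the well-known hash of the string `hello`, a Portfile carrying that hash (the `rmd160` value and the `X.Y.Z` version are placeholders), and a tampered copy. The `verify_signature` helper only wraps `gpg --verify` for the upstream step and is not exercised by the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from MacPorts: cross-check the
# sha256 recorded in a local Portfile against a downloaded source tarball.
# Assumes the MacPorts Portfile convention of a "checksums" block containing
# "sha256 <hex>" (rmd160 and size entries are ignored) and takes the first
# sha256 entry, so ports with several distfiles would need a loop.

# Hash a file with OpenSSL: stock macOS has no sha256sum, and both OpenSSL
# and LibreSSL print "<algo>(file)= <hex>", so strip everything up to "= ".
sha256_of() {
    openssl dgst -sha256 "$1" | sed 's/^.*= *//'
}

# Print the first sha256 value found in a Portfile's checksums block.
portfile_sha256() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "sha256") { print $(i + 1); exit } }' "$1"
}

# Exit status 0: hashes match; 1: mismatch; 2: no sha256 in the Portfile.
verify_distfile() {
    portfile=$1; tarball=$2
    expected=$(portfile_sha256 "$portfile")
    [ -n "$expected" ] || { echo "no sha256 in $portfile" >&2; return 2; }
    actual=$(sha256_of "$tarball")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $tarball matches Portfile sha256"
        return 0
    fi
    echo "MISMATCH: $tarball" >&2
    echo "  Portfile: $expected" >&2
    echo "  computed: $actual" >&2
    return 1
}

# The upstream step the thread recommends before trusting a Portfile hash:
# verify the detached signature with an already trusted gpg (for instance on
# another machine). Arguments: signature file, tarball (placeholder names).
verify_signature() {
    gpg --verify "$1" "$2"
}

# Constructed fixture (not real GnuPG files): a stand-in "tarball" whose
# sha256 is the well-known hash of "hello", a Portfile carrying that hash,
# and a tampered copy of the tarball.
make_fixture() {
    dir=$1
    printf 'hello' > "$dir/gnupg-X.Y.Z.tar.bz2"
    printf 'hello!' > "$dir/tampered.tar.bz2"
    cat > "$dir/Portfile" <<'EOF'
name                gnupg2
version             X.Y.Z
checksums           rmd160  0000000000000000000000000000000000000000 \
                    sha256  2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 \
                    size    5
EOF
}

# Stand-alone demo: build the fixture in a temp dir and check both files;
# the first check passes, the tampered one reports a mismatch.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
verify_distfile "$demo_dir/Portfile" "$demo_dir/gnupg-X.Y.Z.tar.bz2"
verify_distfile "$demo_dir/Portfile" "$demo_dir/tampered.tar.bz2"
rm -rf "$demo_dir"
```

Against a real ports tree you would point `verify_distfile` at the port's Portfile and at the tarball fetched from gnupg.org, after `verify_signature` has accepted the detached `.sig` with a gpg you already trust; a mismatch means either the Portfile or the download is not what upstream published, and the port should not be built until that is resolved.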