Hi,

On Friday, 18 November 2022 02:35:24 GMT Michaela Tilson via Gnupg-users wrote:
> I'm looking forward to updated advice from security experts on this. What is 
> the safest/most reliable way to get GnuPG as a command line application on 
> macOS?

Not pretending to be any kind of security expert, but on my professional Mac, I 
use MacPorts, with a custom copy of the ports repository where I upgraded 
gnupg2 to the latest release from the 2.3 branch.


> GPG Tools is most often recommended, but this may be due to GUI integration. 
> Its drawback is that it offers the LTS instead of the stable version.

I _also_ use GPG Tools, but _solely_ for the Apple Mail plugin. The plugin uses 
the MacPorts-installed GnuPG binaries and daemons instead of those from GPG 
Tools, so I can benefit from the 2.3 branch.


> But I've read that even popular package managers are prone to supply chain 
> attacks if they don't ship with the OS itself.

As mentioned above, I have a local clone of the ports repository and I install 
my ports from there. I did that for GnuPG primarily so that I could bump the 
version from 2.2.x to 2.3.x, but even if you don’t change anything to the ports 
tree, having it locally on your machine allows you to manually inspect any 
Portfile – in particular, you can check the hashes for the source tarballs, and 
compare them with the hashes from the GnuPG website and/or from the latest 
announcement e-mail.

(And if you already have access to a working GnuPG installation somewhere – on 
another machine maybe? –, you can then download the GnuPG tarballs from 
gnupg.org along with the corresponding signatures, check the signatures, and 
compute the hashes yourself on the now verified tarballs. Then compare with the 
hashes in the Portfiles.)

Hope that helps!

- Damien

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to