Re: Most secure GPG combination for Mac OS X
On Tue, Nov 6, 2018 at 7:54 AM Damien Goutte-Gattat <dgouttegat...@incenp.org> wrote:

> Hi,
>
> First, a warning: I am by no means a "security expert" and I have
> very little experience with Mac OS X, which I only use at my
> workplace (and only because my employer didn't let me use a
> GNU/Linux workstation...).
>
> However and for what it's worth:
>
> On Tue, Nov 06, 2018 at 06:48:07AM -0500, Nicholas Papadonis wrote:
> > I noticed that there are two OSX packages for GPG:
> >
> > Mac GPG Installer from the gpgtools project
> > GnuPG for OS X Installer for GnuPG
>
> There's a third possibility, which is the one I use: install the GnuPG
> provided by the MacPorts project [1].

This raises another question about the security of the ports project itself. I read that Homebrew had some security issues, a majority of which come from the installer making /usr/local/bin writable by users other than root. This allows an unprivileged application to inject a malicious binary there, for instance sudo. /usr/local/bin is first in the search path and therefore the administrator password could be captured. I also read MacPorts may not have this security issue because the installer runs as root and all installations run as root.

> Install MacPorts and then simply run:
>
>   $ port install gnupg2
>
> MacPorts packagers seem keen to provide the latest versions and to
> update their ports quickly when upstream publishes a new release.
> For example, Libgcrypt was updated to version 1.8.4 the day after
> that version was released.

Thanks for the suggestion. I'm hoping to clear up my security questions on MacPorts as well. I suspect there could be many security holes based upon the tool chain to compile the ports and all hands involved in the source trees.

Nicholas

> > I'm considering using the Mac Mail.app
>
> I tried to build the Mail.app plugin from the gpgtools project,
> but failed. I don't remember what the problem was, just that I
> gave up.
>
> I am currently using alternatively Neomutt (also installed through
> MacPorts), which natively supports GnuPG, and Thunderbird with
> Enigmail. Everything is working fine, including smartcard support.
> Whether this is a "better integrated" solution than using Mail.app
> I cannot tell.
>
> Hope that helps a bit.
>
> Damien
>
> [1] https://www.macports.org/

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
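The condition raised in the message above (a directory on the search path that users other than root can modify, and that is searched before the system directories) can be checked on a given machine. The following is an added example, not part of the original thread; the function names are illustrative, and it assumes a POSIX system where root is uid 0.

```python
import os
import stat

def risky_path_dirs(path_value):
    """Map each PATH directory a non-root user could modify to the reasons why."""
    findings = {}
    for entry in path_value.split(os.pathsep):
        directory = entry or "."  # an empty PATH entry means the current directory
        try:
            st = os.stat(directory)
        except OSError:
            continue  # entry does not exist, nothing to audit
        reasons = []
        if st.st_uid != 0:
            reasons.append("owned by uid %d, not root" % st.st_uid)
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings[directory] = reasons
    return findings

def shadowed_commands(path_value, findings):
    """List (name, winning_copy, shadowed_copy) where the winner sits in a risky directory."""
    first_seen, shadows = {}, []
    for entry in path_value.split(os.pathsep):
        directory = entry or "."
        try:
            names = sorted(os.listdir(directory))
        except OSError:
            continue
        for name in names:
            full = os.path.join(directory, name)
            if not (os.path.isfile(full) and os.access(full, os.X_OK)):
                continue
            seen_dir, seen_full = first_seen.setdefault(name, (directory, full))
            if seen_full != full and seen_dir in findings \
                    and not os.path.samefile(seen_full, full):
                shadows.append((name, seen_full, full))
    return shadows

if __name__ == "__main__":
    path_value = os.environ.get("PATH", "")
    found = risky_path_dirs(path_value)
    for directory, reasons in found.items():
        print("RISKY  %s: %s" % (directory, ", ".join(reasons)))
    for name, winner, loser in shadowed_commands(path_value, found):
        print("SHADOW %s: %s runs instead of %s" % (name, winner, loser))
```

A SHADOW line for a command such as sudo means the copy that actually runs lives in a directory that a non-root account can modify.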
Re: Most secure GPG combination for Mac OS X
* Nicholas Papadonis:

> I'm considering using the Mac Mail.app, however am interested if
> Thunderbird is better integrated from a security standpoint.

Apple's on-board Mail requires a plugin to encrypt/decrypt messages. While GPG Suite (https://gpgtools.org) provides said plugin, it is no longer free to use. Once the trial period runs out, you won't be able to encrypt, sign or verify unless you pay for a "support plan".

I suggest you go for Thunderbird plus Enigmail, unless you are really keen on using Apple software.

If you're willing to stray off the beaten path, you may also want to evaluate the Notmuch mail system (https://notmuchmail.org). I use EMACS as a frontend for Notmuch, meaning that I have powerful GPG integration provided by the editor, but there are other UIs as well.

-Ralph
Re: Most secure GPG combination for Mac OS X
On 06.11.2018 12:48, Nicholas Papadonis wrote:

> Does anyone have suggestions on the most secure and reviewed combination
> for bits for sending secure email on OS X?
>
> I noticed that there are two OSX packages for GPG:
>
> Mac GPG Installer from the gpgtools project
> GnuPG for OS X Installer for GnuPG
>
> Is any one preferred, have more eyes reviewing source, better release
> management in terms of security concerns? Any details? Am I better off
> building from source?

Well, I never have read that GnuPG had a security audit, regardless of platform used, nor the plug-ins for various apps. For example, recently Enigmail for Thunderbird had a fatal security bug which sent encrypted email unencrypted under Windows.

You can build from source, which I did also in the past, or use for example the MacPorts GnuPG distribution.

> I'm considering using the Mac Mail.app, however am interested if
> Thunderbird is better integrated from a security standpoint. At the
> lowest level, my assumption is that the command line tools can be used to
> encrypt / decrypt blocks of text, which I will also be interested in using.

I used Mail.app in the past too and later switched to Thunderbird/Enigmail. Currently I use the GnuPG package from Patrick Brunschwig (Enigmail developer) in combination with Claws-Mail (MacPorts). I also use GnuPG often as a command-line tool.

> Appreciate a security expert's guidance immersing myself into more secure
> communication.

While I am no security expert and only a Mac dummy, I like the fact that one can build from source and use it on an off-line computer, even if the email received is in PGP/MIME format, because scripts are available which allow a conversion.

Regards
Stefan
Re: Most secure GPG combination for Mac OS X
Hi,

First, a warning: I am by no means a "security expert" and I have very little experience with Mac OS X, which I only use at my workplace (and only because my employer didn't let me use a GNU/Linux workstation...).

However and for what it's worth:

On Tue, Nov 06, 2018 at 06:48:07AM -0500, Nicholas Papadonis wrote:
> I noticed that there are two OSX packages for GPG:
>
> Mac GPG Installer from the gpgtools project
> GnuPG for OS X Installer for GnuPG

There's a third possibility, which is the one I use: install the GnuPG provided by the MacPorts project [1].

Install MacPorts and then simply run:

  $ port install gnupg2

MacPorts packagers seem keen to provide the latest versions and to update their ports quickly when upstream publishes a new release. For example, Libgcrypt was updated to version 1.8.4 the day after that version was released.

> I'm considering using the Mac Mail.app

I tried to build the Mail.app plugin from the gpgtools project, but failed. I don't remember what the problem was, just that I gave up.

I am currently using alternatively Neomutt (also installed through MacPorts), which natively supports GnuPG, and Thunderbird with Enigmail. Everything is working fine, including smartcard support. Whether this is a "better integrated" solution than using Mail.app I cannot tell.

Hope that helps a bit.

Damien

[1] https://www.macports.org/
Most secure GPG combination for Mac OS X
Does anyone have suggestions on the most secure and reviewed combination for bits for sending secure email on OS X?

I noticed that there are two OSX packages for GPG:

Mac GPG Installer from the gpgtools project
GnuPG for OS X Installer for GnuPG

Is any one preferred, have more eyes reviewing source, better release management in terms of security concerns? Any details? Am I better off building from source?

I'm considering using the Mac Mail.app, however am interested if Thunderbird is better integrated from a security standpoint. At the lowest level, my assumption is that the command line tools can be used to encrypt / decrypt blocks of text, which I will also be interested in using.

Appreciate a security expert's guidance immersing myself into more secure communication.

(ps please reply to my personal email as well, for some reason my subscription request won't go through. Maybe for accepting that the confirmation is sent through an insecure channel. :| )

Thank you,
Nicholas