Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. GnuPG>
  3. users
Safest Way to get GPG
gnupg-users at gnupg
Nov 17, 2022, 6:35 PM
Post #1 of 4 (323 views)
Permalink
Good morning,

I'm sorry this question has already been posted on the mailing list, but the existing answers are a little out of date and I'm looking forward to updated advice from security experts on this. What is the safest/most reliable way to get GnuPG as a command line application on macOS?

I know it can be found with either 1) GPG Tools, 2) GnuPG for OS X, or 3) one of the package managers. GPG Tools is most often recommended, but this may be due to GUI integration. Its drawback is that it offers the LTS instead of the stable version.

I appreciate Ralph Seichter's work on the GnuPG for OS X project, but his GPG 2.3.8 package uses Libksba 1.6.0, which was recently announced to have security vulnerabilities. I can say it did not instill confidence in me. :)

Finally, Homebrew, but not MacPorts/Fink, has GnuPG 2.3 in its repository. But I've read that even popular package managers are prone to supply chain attacks if they don't ship with the OS itself.

Compared to Unix, there may be no perfect option to safely obtain GPG 2.3 on macOS other than compiling it yourself, but recommendations on how to do it in the best way (including possible mitigations and countermeasures) are appreciated.

Many thanks,
Michaela

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Safest Way to get GPG [ In reply to ]
gnupg-users at gnupg
Nov 20, 2022, 6:30 PM
Post #2 of 4 (321 views)
Permalink
Good morning,

I'm wondering if anyone on this mailing list has any suggestions for my question. FYI, using gpgconf --show-versions to check the latest version of GnuPG for OS X shows KSBA 1.6.0.

Many thanks,
Michaela

Nov 18, 2022, 02:35 by gnupg-users@gnupg.org:

> Good morning,
>
> I'm sorry this question has already been posted on the mailing list, but the existing answers are a little out of date and I'm looking forward to updated advice from security experts on this. What is the safest/most reliable way to get GnuPG as a command line application on macOS?
>


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Safest Way to get GPG [ In reply to ]
gnupg-users at gnupg
Nov 21, 2022, 12:59 PM
Post #3 of 4 (317 views)
Permalink
Hi,

On Friday, 18 November 2022 02:35:24 GMT Michaela Tilson via Gnupg-users wrote:
> I'm looking forward to updated advice from security experts on this. What is the safest/most reliable way to get GnuPG as a command line application on macOS?

Not pretending to be any kind of security expert, but on my professional Mac, I use MacPorts, with a custom copy of the ports repository where I upgraded gnupg2 to the latest release from the 2.3 branch.


> GPG Tools is most often recommended, but this may be due to GUI integration. Its drawback is that it offers the LTS instead of the stable version.

I _also_ use GPG Tools, but _solely_ for the Apple Mail plugin. The plugin uses the MacPorts-installed GnuPG binaries and daemons instead of those from GPG Tools, so I can benefit from the 2.3 branch.


> But I've read that even popular package managers are prone to supply chain attacks if they don't ship with the OS itself.

As mentioned above, I have a local clone of the ports repository and I install my ports from there. I did that for GnuPG primarily so that I could bump the version from 2.2.x to 2.3.x, but even if you don’t change anything to the ports tree, having it locally on your machine allows you to manually inspect any Portfile – in particular, you can check the hashes for the source tarballs, and compare them with the hashes from the GnuPG website and/or from the latest announcement e-mail.

(And if you already have access to a working GnuPG installation somewhere – on another machine maybe??–, you can then download the GnuPG tarballs from gnupg.org along with the corresponding signatures, check the signatures, and compute the hashes yourself on the now verified tarballs. Then compare with the hashes in the Portfiles.)

Hope that helps!

- Damien

Attached Files:

Re: Safest Way to get GPG [ In reply to ]
gnupg-users at gnupg
Nov 25, 2022, 12:14 AM
Post #4 of 4 (302 views)
Permalink
Hi Damien,

Thanks for your helpful advice. Does anyone else have any suggestions for best practices for safely installing the 2.3 branch under macOS?

Many thanks,
Michaela

Nov 21, 2022, 20:59 by dgouttegattat@incenp.org:

> Hope that helps!
>
> - Damien
>


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal