comments On Tue, Nov 6, 2018 at 7:54 AM Damien Goutte-Gattat < dgouttegat...@incenp.org> wrote:
> Hi, > > First, a warning: I am by no means a "security expert" and I have > very little experience with Mac OS X, which I only use at my > workplace (and only because my employer didn't let me use a > GNU/Linux workstation...). > > However and for what it's worth: > > On Tue, Nov 06, 2018 at 06:48:07AM -0500, Nicholas Papadonis wrote: > > I noticed that there are two OSX packages for GPG: > > > > Mac GPG Installer from the gpgtools project > > GnuPG for OS X Installer for GnuPG > > There's a third possibility, which is the one I use: install the GnuPG > provided by the MacPorts project [1]. > > This raises another question about the security of the ports project itself. I read that Homebrew had some security issues, a majority which come from the installer making /usr/local/bin writable by users other than root. This allows an unprivileged application to inject a malicious binary there, for instance sudo. /usr/local/bin is first in the search path and therefore the administrator password could be captured. I also read Macports may not have this security issue because the installer runs as root and all installations run as root. > Install MacPorts and then simply run: > > $ port install gnupg2 > > MacPorts packagers seem keen to provide the latest versions and to > update their ports quickly when upstream publishes a new release. > For example, Libgcrypt was updated to version 1.8.4 the day after > that version was released. > > Thanks for the suggestion. I'm hoping to clear up my security questions on Macports as well. I suspect there could be many security holes based upon the tool chain to compile the ports and all hands involved in the source trees. Nicholas > > > I'm considering using the Mac Mail.app > > I tried to build the Mail.app plugin from the gpgtools project, > but failed. I don't remember what the problem was, just that I > gave up. > > I am currently using alternatively Neomutt (also installed through > MacPorts), which natively supports GnuPG, and Thunderbird with > Enigmail. Everything is working fine, including smartcard support. > Whether this is a "better integrated" solution than using Mail.app > I cannot tell. > > Hope that helps a bit. > > Damien > > [1] https://www.macports.org/ >
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
