Category Archives: Mac OS X

Compiling and Installing GnuPG Classic v1.4.20 on Mac OS X

Compiling from source code is a straightforward way to ensure that you have a genuine copy of GnuPG on your machine. Since GnuPG may be used to verify other software packages, it is important that your copy is not tampered with.

This post will outline the steps for compiling GnuPG classic v1.4.20 from source for Mac OS X, rather than the latest version of GnuPG (v2.0.x), because it is much simpler to compile. Compiling GnuPG from source is certainly not any more difficult than using GnuPG, which is a command line program.

1.) Install command line developer tools for Mac OS X. This is dead simple on recent versions of Mac OS X (10.9 and up): open the Terminal and type “xcode-select --install”. A dialog will appear and allow you to install the command line tools.

For older versions of Mac OS X, the procedure outlined here may work.

2.) Download the source code archive for GnuPG v1.4.20 here and the signature here. The signature is a text file that we will use to verify the source code archive.

3.) Decompress and extract the source code archive.

bzip2 -d gnupg-1.4.20.tar.bz2
tar -xvf gnupg-1.4.20.tar

4.) From the source code directory, run the configure script to make sure your command line tools are installed.

cd gnupg-1.4.20
./configure

5.) Assuming there are no errors, from the same directory run make to compile gnupg.

At this point, if everything went correctly, you should find the gpg executable in the g10 subfolder.

6.) If you wish to install GnuPG 1.4.20 as your default gpg:

sudo make install

You must uninstall other versions of gpg (including those installed by other software packages) before installing.
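Step 2 downloads a signature, but the steps above never check it. The following is an added example, not part of the original post: it checks the archive against a pinned key fingerprint by reading gpg's machine-readable status lines. The signature file name, the placeholder fingerprint, and the function and variable names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check the detached signature
# from step 2 against a pinned key fingerprint using gpg's status output.

ARCHIVE=${ARCHIVE:-gnupg-1.4.20.tar.bz2}  # signed file; bzip2 -d deletes it, use bzip2 -dk
SIG=${SIG:-$ARCHIVE.sig}                  # assumed file name for the signature
GPG=${GPG:-gnupg-1.4.20/g10/gpg}          # built in step 5; an already trusted gpg is better
# Placeholder, not a real key: take the fingerprint from a source you trust.
EXPECTED_FPR=${EXPECTED_FPR:-0000000000000000000000000000000000000000}

# signed_by FPR: reads `gpg --status-fd 1` output on stdin. Succeeds only if
# gpg reported a good signature whose signing key or primary key is FPR, and
# reported no bad, expired or revoked signature.
signed_by() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        # Appending "" forces a string comparison; all-digit fingerprints
        # would otherwise be compared as (imprecise) numbers.
        $2 == "VALIDSIG" && (($3 "") == (want "") || ($NF "") == (want "")) { fpr_ok = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit (good && fpr_ok && !bad) ? 0 : 1 }'
}

# verify_archive: run the real check. The signer's public key must already
# be imported into the keyring that $GPG uses.
verify_archive() {
    "$GPG" --status-fd 1 --verify "$SIG" "$ARCHIVE" 2>/dev/null |
        signed_by "$EXPECTED_FPR"
}

# Constructed status lines (not captured from a real run) for a dry run.
SAMPLE_FPR=AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
sample_status() {
    printf '%s\n' \
        "[GNUPG:] SIG_ID constructedSigId 2015-12-20 1450600000" \
        "[GNUPG:] GOODSIG 0000111122223333 Example Signer <signer@example.org>" \
        "[GNUPG:] VALIDSIG $SAMPLE_FPR 2015-12-20 1450600000 0 4 0 1 2 00 $SAMPLE_FPR"
}
```

Run `verify_archive` from the directory that holds the archive and the signature; `sample_status | signed_by "$SAMPLE_FPR"` exercises the parser without gpg.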

GPG Suite security even worse than imagined

Apparently there are security issues with GPGSuite beyond keeping track of users' IP addresses with an auto-updater.

The leading OpenPGP client for Mac OS X has recently pushed a security update due to a bug that allows a local user to execute shell commands with root privileges.

As if it weren’t enough, by default, GPG Suite regularly contacts its upgrade server to check for updates. So not only does it keep tabs on the IP addresses you use without explicitly getting permission, a carrier or state level entity could easily compile a list of GPG Suite users by monitoring requests to the upgrade server (here and here). It doesn’t matter that they are using SSL/TLS because the private information is your IP address.

Think about it: after a few months, your upstream carrier (or whoever has access to their logs) could compile a list of every IP address that users of GPG Suite use. My opinion of GPG Suite users notwithstanding, I am sure they have more interesting data stored on their computers than the average person.

NouveauPG is sandboxed, so it is entitled only to access files selected by the user using the system open and save dialog box. Absolutely no network access allowed. (The only autoupdate mechanism is through the App Store version, which is the same one used for OS X autoupdate. There is no way for a third party other than Apple to know exactly what is being updated, and tracking IPs to the Apple update servers will only give you a list of Macintosh users.)

Activity monitor showing all the unsandboxed processes from a GPG Suite installation.
Activity monitor showing the single sandboxed process for NouveauPG.

Quickstart Guide to NouveauPG for OS X

To encrypt a message for some party, you must first import their certificate into NouveauPG.

You can import public key certificates from either the clipboard or a file.

Before using a certificate, be sure it’s valid. NouveauPG will warn before performing encryption with an invalid certificate.

Click on Compose Message to write a new message for the recipient.

You can either type a message or choose a file to encrypt. At this time, NouveauPG will only encrypt plain text files. (UTF-8 supported)

You can export your encrypted message by copying to the clipboard, or save as a text file.

If you wish to receive encrypted messages from another party, you must first create a new identity. Press the add button on the lower left hand corner of the window.

An identity looks a lot like the public key certificate, but you have two more options: Decrypt Message and Private Keystore.

The two new options are protected by the password you chose while creating the account.

To decrypt a message, either paste the encrypted message in the space provided or load an encrypted message from a file.

You should use the Private Keystore feature to back up your identity. Make sure your keystore is saved on an encrypted volume. To restore an identity, or move it to a new computer, simply import the private key block.

The number one issue that people have brought up (which I mention in numerous places) is that you cannot export your private key to a different PGP program. There is a good reason for this; it’s very technical, but it’s the reason NouveauPG has a much simpler interface than any of its competitors.

NouveauPG for OS X waiting for review

The New Icon

After taking into account feedback from the beta last year, and taking a “break” to develop NouveauPG for iOS, I am now pleased to announce the first GA release of NouveauPG for OS X.

Functionally, not much has changed from the beta, however many bugs have been removed and the interface is polished to the degree expected in the Apple App Stores.


How to Encrypt Messages using NouveauPG for OS X

NOTE: this post pertains to v1.10

OpenPGP allows you to pass secure data across an insecure channel such as websites, forums, and even private e-mail.

To decrypt messages, you must first generate a key pair; no one can encrypt messages for you until you have one.

The key pair has a public part and a private part.

Often the public part is called a public key certificate.

If you only want to send encrypted messages to another party using OpenPGP, you do not need to generate a key. You need to get the public key certificate of the intended recipient.

Copy the public key certificate to the clipboard

Copy the public key certificate to your clipboard.

Importing clipboard contents into NouveauPG
A public key certificate has been validated and can be imported into NouveauPG. Note that this is from an older version, but the popup is the same.

Import the public key certificate from your clipboard.

Make sure it is selected as your current recipient. Press encrypt.

Your encrypted message will pop up, where you can copy the message to the clipboard or save to a file. It is practically impossible to decrypt the message without the private key, so you can post the message anywhere without worrying about anyone else reading it.