Note on OSX Mail: It is possible to use PGP with the built-in mail program of OSX, but we do not recommend this because this option relies on a hack of the program which is neither open nor supported by its developer and breaks with every update of the mail program.

Setting max-cache-ttl 0 in your .gnupg/gpg-agent.conf file does seem to be a good solution, especially since it works.

There's also the gpg-agent option --no-allow-external-cache that's supposed to:

    Tell Pinentry not to enable features which use an external cache for passphrases. Some desktop environments prefer to unlock all credentials with one master password and may have installed a Pinentry which employs an additional external cache to implement such a policy. By using this option the Pinentry is advised not to make use of such a cache and instead always ask the user for the requested passphrase.

That sounds like it should always ask for the passphrase, but it does not appear to do that. Or it only always asks when an external cache exists.

Or, you could keep letting gpg-agent cache passphrases, but clear them on demand by sending a SIGHUP signal (with kill, killall, pkill, etc.):

    This signal flushes all cached passphrases and if the program has been started with a configuration file, the configuration file is read again. Only certain options are honored: quiet, verbose, debug, debug-all, debug-level, debug-pinentry, no-grab, pinentry-program, pinentry-invisible-char, default-cache-ttl, max-cache-ttl, ignore-cache-for-signing, no-allow-external-cache, allow-emacs-pinentry, no-allow-mark-trusted, disable-scdaemon, and disable-check-own-socket. Scdaemon-program is also supported but due to the current implementation, which calls the scdaemon only once, it is not of much use unless you manually kill the scdaemon.

Enigmail, gnupg & pinentry on Mac OS X using Homebrew
20 Sep 2017

NB: this post assumes a basic familiarity with PGP.
I had almost none before starting, so if you follow the links I provide and spend a little while reading, you'll be just as qualified to start hacking on this as I was.

I've recently become interested in using PGP for secure email communications. I run macOS 10.11 El Capitan, and I decided to install Enigmail, a simple PGP email plugin, to try it out. Enigmail requires an existing installation of GnuPG. You can get it directly from the GnuPG project, but I use Homebrew to install new packages whenever possible, to keep things centralized and streamline updates. Homebrew is smart about where it puts packages, and Enigmail is smart about where it looks for them, so this would be a seamless install (cue foreboding music).

Step 1: brew install gnupg.
Step 2: download and install Enigmail.
Step 3: security!

Or so it seemed. The Enigmail setup wizard successfully generated keys, but failed at the next step with: "The revocation certificate could not be created." A revocation certificate is what lets you invalidate a key later if it is lost or compromised, so this was a serious obstacle. While I was able to find other reports of this error, nobody expressly answered the question of "how do you fix this on a Mac without stepping outside the Homebrew ecosystem?" After some digging, I found the problem. Here are the dependencies Homebrew installs with gnupg:

    $ brew deps gnupg
    adns
    gettext
    gmp
    gnutls
    libassuan
    libffi
    libgcrypt
    libgpg-error
    libksba
    libtasn1
    libunistring
    libusb
    nettle
    npth
    p11-kit
    pinentry

Here's the problem: pinentry is a program for authenticating to gpg-agent (the program to which GnuPG farms out passphrase entry), but it only runs at the command prompt. Enigmail is looking for a GUI authentication program. Fortunately, the Homebrew package pinentry-mac seems to be exactly that: a GUIfied version of pinentry.

So, brew install pinentry-mac. Then, in ~/.gnupg/gpg-agent.conf, add the line:

    pinentry-program /usr/local/bin/pinentry-mac
This points gpg-agent to the right authentication program, so that when Enigmail asks for authentication, the user is prompted to enter the password used to encrypt their private key.
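Both knobs discussed on this page, max-cache-ttl (with a SIGHUP to flush the cache) and pinentry-program for Enigmail, live in ~/.gnupg/gpg-agent.conf. The POSIX shell script below is an added example, not code from the original post or from the GnuPG project: it sets such options idempotently (re-running it never leaves duplicate or conflicting lines), reads them back, and reloads a running agent with gpgconf --reload gpg-agent (or gpg-connect-agent reloadagent), which flushes cached passphrases and re-reads the file just like the SIGHUP quoted above; both pinentry-program and max-cache-ttl are in the list of options honored on reload, so no agent restart is needed. The functions take the config path as an argument (an assumption made so the demo can run on a constructed temporary file); point them at ~/.gnupg/gpg-agent.conf for real use.

```shell
#!/bin/sh
# Added example (not code from the original post or from GnuPG): edit a
# gpg-agent.conf-style file idempotently and ask a running agent to re-read it.
# Assumption: the conf file path is always passed explicitly, so the functions
# can be exercised on a constructed temp file instead of ~/.gnupg.

# gpg_agent_set FILE OPTION [VALUE]
# Replaces every existing "OPTION ..." line with "OPTION VALUE" (or a bare
# "OPTION" when VALUE is omitted), appending if the option was not present.
# Comment lines have "#" as their first field, so they are never touched.
gpg_agent_set() {
    file=$1
    opt=$2
    val=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    awk -v o="$opt" '$1 != o' "$file" > "$tmp"
    if [ -n "$val" ]; then
        printf '%s %s\n' "$opt" "$val" >> "$tmp"
    else
        printf '%s\n' "$opt" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# gpg_agent_get FILE OPTION
# Prints the value of OPTION (empty for a bare option); exit status 1 if absent.
gpg_agent_get() {
    awk -v o="$2" '
        $1 == o { found = 1; $1 = ""; sub(/^ +/, ""); print; exit }
        END     { exit found ? 0 : 1 }' "$1"
}

# gpg_agent_reload
# Makes a running agent flush its passphrase cache and re-read its config,
# the same effect as the SIGHUP described in the man page excerpt above.
gpg_agent_reload() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --reload gpg-agent
    elif command -v gpg-connect-agent >/dev/null 2>&1; then
        gpg-connect-agent reloadagent /bye
    else
        echo "gpgconf/gpg-connect-agent not found; reload skipped" >&2
        return 1
    fi
}

# Demo on a constructed temp file, so nothing under ~/.gnupg is modified.
demo_conf=$(mktemp "${TMPDIR:-/tmp}/gpg-agent.conf.XXXXXX")
printf '# constructed sample config\nmax-cache-ttl 600\n' > "$demo_conf"
gpg_agent_set "$demo_conf" pinentry-program /usr/local/bin/pinentry-mac  # the Enigmail fix
gpg_agent_set "$demo_conf" max-cache-ttl 0      # never cache: prompt on every use
gpg_agent_set "$demo_conf" no-allow-external-cache
echo "resulting $demo_conf:"
cat "$demo_conf"
rm -f "$demo_conf"
# On a real machine, after editing ~/.gnupg/gpg-agent.conf, run: gpg_agent_reload
```

Because gpg_agent_set removes every earlier definition of the option before appending the new one, the last line in the file is always the one that takes effect, which is what gpg-agent does anyway; keeping a single definition just makes the file auditable at a glance. Setting max-cache-ttl to 0 disables caching entirely, so every decryption or signature prompts through pinentry-mac; a larger value combined with an occasional gpg_agent_reload is the middle ground the page's SIGHUP suggestion describes.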