When I decided to set up my Mac with PGP encrypted communications, I could not believe how hard it was -- not just to set up the software, but to understand how to use PGP properly. There was no 'PGP for Dummies' tutorial for OS X on the internet. So I decided to write one. This is my über simple, nerd-free tutorial for anyone on Mac. In it, I will:
- Cover exactly how to install and configure PGP on OS X
- Demonstrate how to use PGP in real life
Why this tutorial is the best (ever)
- It works with every app. Unlike other tutorials for PGP, this tutorial does not care what program you use. If you install or uninstall apps, PGP will keep working. If you want to encrypt email, you can use any email program -- Mail.app, Thunderbird, Sparrow, Gmail, Airmail. Or, you can encrypt something besides email, you can do that too. You can write an encrypted letter in Word. You can encrypt a formula in Excel. You can encrypt a URL in Safari. You can encrypt a text with Messages. You can encrypt a bash command in Terminal. It does not matter.
- It is Mac friendly. There is a certain way of doing things on a Mac. If you're not a Mac fan, you won't understand. (That's okay.) Many of the tutorials I found for OS X are not Mac friendly. Many want you to install bloated, Windows-like software; or, install questionable add-ons. I've done the opposite. This PGP tutorial is super Mac friendly. It's PGP, installed the way Steve Jobs would have done it.
- Simple. Above all, this PGP setup is simple. Once you understand how it works, there is nothing you cannot do.
Mar 01, 2015 yum install gnupg. Ubuntu / Debian. Apt-get install gnupg. The easiest way to install the GPG command line tools on your Mac is to first install Homebrew, a package management system that makes thousands of software packages available for install on your Mac.
GPG Suite 2020.1 - OpenPGP on macOS. Download the latest versions of the best Mac apps at safe and trusted MacUpdate. Installation After downloading please verify the integrity of your Gpg4win package. Then double-click on the file you have downloaded and follow the instructions on the screen (or look at the documentation) and read the current README file. Gpg4win Compendium 3.0.0 (Released: 2016-11-30). Nov 19, 2019 GPG on its own is a basic command-line tool, but GPGTools for macOS provides a GUI interface and advanced features. It is worth noting that in 2018 GPGTools make headlines due its vulnerability to the EFAIL attack which affected all versions of PGP at the time.
I looked into dozens of ways to set up PGP on my Mac. A lot of them suck for a plurality of reasons. Across the board, this is the best way for 95% of use cases.
Step 1: Install the GPGTools GPG Suite for OS X
This step is simple. Visit the GPGTools website and download the GPG Suite for OS X. Once downloaded, mount the DMG and run the 'Install'.
Inside the installer, you can stick with all default parameters save one exception. On the 'Installation Type' screen, press 'Customize'..
And uncheck the GPGMail package:
Then press 'Install.'
Step 2: Creating your very own PGP key
When the installer completes, a new app called 'GPG Keychain Access' will launch. A small window will pop up immediately and say: 'GPG Keychain Access would like to access your contacts.' Press 'OK.'
As soon as you press 'OK,' a second window will pop up that says 'Generate a new key pair.' Type in your name and your email address. Also, check the box that says 'Upload public key after generation.' Your window should look like this:
Expand the 'Advanced options' section. Incrase the key length to 4096 for extra NSA-proof'edness. Reduce the 'Expiration date' to 1 year from today. Your window should look like this:
Press 'Generate key.'
As soon as you press 'Generate key,' the 'Enter passphrase' window will pop up. Okay, now this is important..
A brief word about your passphrase
The entire PGP encryption will rest on your passphrase. So, first and foremost.. don't use a passphrase that other people know! Pick something only you will know, and others can't guess. And once you have a passphrase selected, don't give it to other people.
Second, do not use a password, but rather a passphrase -- a sentence. For example, 'Pennstate55' is less preferable than 'I graduated from Penn State in 1955, ya heard?!' The longer your passphrase, the more secure your key.
Lastly, make sure your passphrase is something you can remember. Since it is long, there is a tendancy you might forget it. Don't. The consequences to that will be dire. Make sure you can remember your passphrase.
Back to Step 2..
Once you decide on your passphrase, type it in the 'Enter passphrase' window. Turn on the 'Show typing' option, so you can be 100% sure that you've typed in your passphrase without any spelling errors. When everything looks good, press 'OK:'
Will be asked to reenter the passphrase. Do it, and press 'OK:'
You will then see a message saying, 'We need to generate a lot of random bytes..' Wait for it to complete:
Et voilà! Your PGP key is ready to use:
Step 3: Set PGP keyboard shortcuts
Next, you will set up four global keyboard shortcuts in OS X.
Open System Preferences, select the 'Keyboard' pane, and go to the 'Shortucts' tab. On the left hand side, select 'Services.' Then, on the right, scroll down to the subsection 'Text' and look for a bunch of entries that start with 'OpenPGP:'
Go through each OpenPGP entry, unchecking each one and deleting the keyboard shortcut:
Next, you will enable and set four shortcuts:
- Enable 'OpenPGP: Decrypt' and set its shortcut to ⌃⌥⌘- (i.e., control option command minus)
- Enable 'OpenPGP: Encrypt' and set its shortcut to ⌃⌥⌘= (i.e., control option command equals)
- Enable 'OpenPGP: Sign' and set its shortcut to ⌃⌥⌘[ (i.e., control option command open bracket)
- Enable 'OpenPGP: Verify' and set its shortcut to ⌃⌥⌘] (i.e., control option command close bracket)
Your keyboard shortcuts should now look like this:
That's it! You're done setting up PGP with OpenGPG on OS X! Now, we will discuss how to use what we set up.
Step 4: How to send a secure email
You can encrypt anything with PGP, but most people will want to encrypt email. So, I will now take a few minutes to explain that. These steps can be transposed for any kind of encryption, from any app on your computer.
To secure an email in PGP, you will sign and encrypt the body of the message. You can just sign or just encrypt, but combining both operations will result in optimum security. Conversely, when you receive a PGP-secured email, you will decrypt and verify it. This is the 'opposite' of signing and encrypting.
Start off by writing your email:
Then, select the entire body of the email and press ⌃⌥⌘[ to sign it:
Next, open the GPG Keychain Access app. Press Command-F and type in the email address of the person you are sending your message to. This will search the public keyserver for your friend's PGP key:
If your friend has more than one key, select his most recent one:
You will receive a confirmation that your friend's key was successfully downloaded. You can press 'Close:'
You will now see your friend's public key in your keychain:
You can now quit GPG Keychain Access and return to writing the email.
Select the entire body of the email (everything, not just the part you wrote) and press ⌃⌥⌘= to encrypt it. A window will pop up, asking you who the recipient is. Select the friend's public key you just downloaded, and press 'OK:'
Your entire message is now encrypted! You can press 'Send' safely.
N.B. You will only need to download your friend's public key once. After that, it will always be available in your keychain until the key expires.
Step 4: How to receive a secure email
With our secure message sent, the recipient will now want to unscramble it. For the sake of this step, I will pretend I am the recipient.
I have recieved the message:
Copy the entire body, from, and including, '-----BEGIN PGP MESSAGE---', to, and including, '-----END PGP MESSAGE---'. Open your favorite text editor, and paste it:
Now select the entire text, and press ⌃⌥⌘- to decrypt the message. You will immediately be prompted for your PGP passphrase. Type it in and press 'OK:'
You will now see the decrypted message!
Adobe Acrobat XI Pro 11.2.35 + Crack (MAC OS X) File Type Create Time File Size Seeders Leechers Updated; Archive file: 2019-10-07: 18.31MB: 0: 12: 8 hours ago: Download. Tags; Adobe Acrobat Pro Crack MAC Related Torrents; Adobe Acrobat PRO DC 2019.010.20098 (Mac OS) + Crack www.Tech-Tools.me 127.97MB; Adobe Acrobat PRO DC 2019.010.20098. Acrobat xi pro torrent for mac. Download Adobe Acrobat XI Pro 11.0.22 for Mac latest free standalone offline setup. Acrobat 11.0 Pro XI is a powerful PDF handling solution providing a bundle of tools to view and edit PDF files on Mac OS X. Adobe Acrobat XI Pro 11.0.22 for Mac Review. Adobe Acrobat XI Pro 11.0.23 Full Crack For Mac Download: Adobe Acrobat XI Pro 11.0.23 Crack Full Keygen Torrent Download is more than simply the leading PDF converter. Its filled with clever gear that gives you even greater energy to speak. Effortlessly, seamlessly, brilliantly.
Next, you can verify the signature. Highlight the entire text, and press ⌃⌥⌘]. You will see a message confirming the verification:
You can press 'OK.'
What does encrypt, decrypt, sign, and verify mean?
Now that you know how to sign and encrypt outgoing messages, and decrypt and verify incoming ones, let us discuss what these terms mean.
Encrypt takes your secret key and the recipient's public key, and scrambles a message. The scrambled text is secure from prying eyes. The sender always encrypts.
Decrypt takes an encrypted message, combined with the your secret key and the sender's public key, and descrambles it. The recipient always decrypts.
Encrypt and decrypt can be thought of as opposites.
Signing a message lets the recipient know that you (the person with your email address and public key) acutally authored the message. Signing also provides additional cryptographic integrity: it ensures that no one has tampered with the encryption. The sender always signs a message.
Verifying a message is the process of analyzing a signed message, to determine if the signing is true.
Signing and verifying can be thought of as opposites.
When should I sign? When should I encrypt?
It is unnecessary to sign and encrypt every outgoing email. Well, then: when should you sign? And when should you encrypt? And when should you do nothing?
You have three rational choices when you are sending a message:
- Do nothing. If the contents of the email are public (non-confidential), and the recipient does not care whether you or an impostor sent the message, then do nothing. You can send the message as you've sent messages your whole life: in plain text.
- Sign, but don't encrypt. If the contents of the email are public (non-confidential), but the recipient wants assurance that you -- not an impostor -- actually sent the message, then you should sign but not encrypt. Simply follow the tutorial above, skipping over the encryption and decryption steps.
- Sign and encrypt. If the contents of the email are confidential, sign and encrypt. It does not matter whether the recipient wants assurance that you sent the message -- always sign when you encrpt.
I do nothing for 90% of emails I send; security is just not necessary. The remaining 10% of the time, I sign and encrypt. Whenever there is confidential information -- business plans, credit card numbers, bank numbers, social security numbers, corporate strategies, etc. -- I sign and encrypt. I define confidential information loosely, because I'd rather sign and encrypt unnecessarily than do nothing and leak sensitive information. As for the third option, I rarely sign, but do not encrypt. Your profession may warrant radically different usage of PGP.
Why don't you use PGP MIME attachments? Why don't you use the Mail.app PGP plugin?
Some PGP nerds prefer sending PGP with attachments (a.k.a., PGP MIME
type), instead of using plain text (a.k.a., PGP INLINE
).
Conversely, some PGP n00bs
want to know why I don't recommend using a PGP plugin for their email client (i.e., the Mail.app PGP plugin).
Here's why:
- Attachments are a pain in the ass.
- People who use mail plugins for encryption have no idea how they work; the result is a false sense of security.
- Inline text works places where attachments don't (the shell, Facebook, iMessage, etc.).
- The majority of people who have sent me
MIME
test emails using the Mail.app plugins sent undecryptable messages, because they have no idea what they're doing or how it works. - When a plugin generates an attachment and sends it before you can see what is going on, you have no idea what is happening or if it is working.
- Lots of applications and email clients do not have PGP built in, so you need inline anyway.
Try it out! Email me.
My email address is jerzygangi@gmail.com. Try sending me an encrypted, signed email. I'll reply.
If my tutorial was helpful, please send me a small donation through PayPal!
This feature was introduced in version 3.5 of Tower for Mac.Tower offers seamless support for GPG. Read on to find out what exactly you can do with GPG in Tower and find a list of Frequetly Asked Questions.
What is GPG?
GPG is a collection of tools that allow signing and encrypting of data using asymmetric cryptography (with public / private keys). Git uses GPG to sign and verify commits and tags. With such a signature, you can easily verify that a commit (or tag) was really made by a specific user.
Installing & Configuring GPG
We recommend installing GPG Tools from its website. This ensures a valid configuration that works well with Tower. If you install GPG via homebrew or other ways, you should make sure that you have set up the
gpg-agent
andpinentry-program
helpers correctly. You should also addno-tty
anduse-agent
to~/.gnupg/gpg.conf
if these values are missing there.After installing GPG on your machine, you need to configure the GPG binary in Tower. Open the Preferences dialog and select it on the 'Git Config' tab.
What Can You Do With GPG in Tower?
Verifying Signed Commits
Tower indicates directly in its History views if a commit was signed or not. On top of that, you can also see the signature status (green / orange / red) and access additional information through a popover window.
Verifying Signed Tags
Apart from commits, you can also verify the signatures for tags in Tower. Either right-click on the tag in the sidebar or directly click it in one of the commit views.
Setting & Managing Keys
You can easily select / set / switch keys in Tower:
- in the global configuration, in Tower's Preferences dialog
- in a specific repository, by selecting the 'Settings' item in the sidebar of an open repository
- in Tower's User Profiles
Signing Commits
You can configure if you want Tower to automatically sign new commits - either just in a certain repository or globally. This is not limited to just committing, but also includes actions like merge, revert, cherry-pick, and rebase.
Signing Tags
Apart from commits, you can also sign tags. The 'Create New Tag' dialog contains a checkbox for this.
Frequently Asked Questions
I have a GPG key but signing fails due to a missing password. What can I do?
The password of the key must be stored in Keychain so that GPG can access it. This works by default if you install GPG tools from the website (https://gpgtools.org). The default installation also configures the pinentry-mac program, which displays a password input dialog if a password is required and provides the option to save it into the Keychain.~/.gnupg/gpg-agent.conf
has a pinentry-program
key that is used to specify the location of the pinentry program. The default installation uses /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
. You can also download this program via homebrew: brew install pinentry-mac
. Make sure to configure it in the aforementioned config file.
How can I add a GPG key if I have none?
You can do so in the repository settings in the sidebar. Make sure a repository user is configured and then select 'Create GPG Key…' from the GPG Key Popup Button menu. You can do the same for the global user in the 'Git Config' tab of Tower's Preferences.
I selected 'No GPG Key' in the repository settings, but the selection always resets to a key.
A global GPG key may be configured in the Git preferences. This key is effective for the repository and would be used, which is why you are seeing it here. Try also setting the global user GPG key to 'No GPG Key' in the Git preferences.
I want to create a GPG key but the 'Create GPG Key' menu item is disabled.
Tower found a key that matches the email address of your current Git user (either global or repository level). You have to change your Git user email address to one that does not already have an associated GPG key.
You should use GPG Keychain if you need advanced key management features.
How can I sign tags?
There is a checkbox in the 'Create Tag' dialog and the dialogs for finishing release and hotfix branches via git-flow. Your preference is remembered across app launches. Signed tags are annotated tags which require a message.
You can select the key that should be used to sign the tag via the popup button below the checkbox. If a GPG key is configured it is preselected.
How can I sign commits?
Enable signing either in the GPG section of the repository settings or the global git config in the application preferences and make sure you have a GPG key selected. Signing is automatic from there on.
How can I verify commit signatures?
A status indicator appears in the history for each commit that has a signature. You can click on it to view signature details.
How can I verify tag signatures?
There are two ways to show the signature of a tag:
(a) Just click on the tag badge in the history or the detail view
(b) Right-click the tag in the sidebar and choose 'Show GPG Signature…'
What do the colors of the status indicator mean?
- Green: Signature Good
- Yellow: There is an issue with the signature, click the indicator to read a status message in the popover.
- Red: Signature Bad
I am colorblind and cannot differentiate the status colors, what can I do?
Turn on the accessibility setting Differentiate without color
in System Preferences > Accessibility > Display
. Tower respects this setting and will draw the bad signature status indicator with a square instead of a circle and the warning signature status with a triangle instead of a circle.
My keys are not shown when clicking the button, why is that?
Make sure you have a GPG binary configured. Restart Tower if the keys still don't show up.
All GPG status indicators in the history are yellow, why is that?
You haven't trusted any of the keys that have been used to sign the commits. This means that verifying the commit leads to status 'Unknown Validity'. See the next question for a solution.
A / my signature is shown with status 'Unknown Validity'. How can I change that?
You can open GPG Keychain, show details for the key and use the context menu to accredit it (by signing it with your private key). Make sure that you verify the key fingerprint with the author of the commit or tag before trusting it.
A signature is shown with status 'Cannot Be Checked' and shows no name or avatar, just the key fingerprint and the status. How can I change that?
The commit was signed with a private key and you don't have the associated public key in your keyring. Usually the public key is downloaded automatically in these cases, but it may fail sometimes. You can search for and download the public key in GPG Keychain by using the hash from the popover.
You can add auto-key-retrieve
to ~/.gnupg/gpg.conf
to enable the automatic behavior.
A signature is shown without a GPG key fingerprint, why is that?
GPG support in Tower requires Git 2.20 or newer. The options to read the fingerprints from signatures are not available in older versions.
What does 'Verify GPG Signatures' in Merge/Pull dialogs do?
Git checks the signature of the tip commit of the commits that should be merged. If the commit does not have a valid signature, the operation is aborted. If there are signatures with unknown validity, you may have to go into GPG Keychain (or the command line) and adjust the trust value of the associated public keys. Make sure that you verify the key with the author of the commit or tag before trusting it.
I use a subkey for signing but it does not appear in the GPG keys menu!
We don't support subkeys at the moment.
Loading the GPG status in the history takes really long. What can I do?
Verifying commits is an expensive operation, because Git has to call gpg --verify
for each commit with a signature. You can improve loading times by reducing the maximum number of commits Tower loads in a batch (see the 'Number of commits in history' option in the 'General' tab of Tower's Preferences).
A likely cause for really long loading times is, that you don't have the associated public key for the GPG signature of some commits and Git / GPG is unable to download them. In this case the verification of the signatures is really slow (you can also verify this on the command line).
How To Use PGP On Mac | Set Up Guide [with Images]
To solve this problem you can do one of the following:
- Find the commits with yellow status indicator and 'Cannot Be Checked' status, copy the key fingerprint and download the public key in GPG Keychain.
- Disable 'Verify GPG Signatures' in the history view settings