Gnupg For Mac Os X



  • T4900 OS X 10.12 and dyld: Library not loaded: /usr/local/lib/libgcrypt.20.dylib.
  • Similar Products/Initiatives. GnuPG; GPGTools. GPGTools provides a Mac OS X version of GnuPG. It is nicely integrated into an installer and features all required tools.

Based on the latest version of GnuPG. GPG Suite at a glance. It's all about the keys. To use GPG to encrypt and verify mails or files you and your friends need GPG keys. GPG Keychain lets you manage your own keys and find and import keys of your friends. Create your own key.

$ sudo port info depends:gnupg
duplicity @0.5.11 (sysutils)
Duplicity backs directories by producing encrypted tar-format volumes and
uploading them to a remote or local file server. Because duplicity uses
librsync, the incremental archives are space efficient and only record the parts
of files that have changed since the last backup. Because duplicity uses GnuPG
to encrypt and/or sign these archives, they will be safe from spying and/or
modification by the server.
Homepage: http://www.nongnu.org/duplicity/index.html
Library Dependencies: python25, librsync, gnupg
Runtime Dependencies: py25-gnupg, py25-boto, py25-zlib, py25-hashlib, ncftp
Platforms: darwin
Maintainers: nomaintainer@macports.org
--
gpgme @1.1.7 (devel, security, crypto)
Variants: darwin_7, smime, universal
GnuPG Made Easy (GPGME) is a library designed to make access to GnuPG easier for
applications. It provides a High-Level Crypto API for encryption, decryption,
signing, signature verification and key management. Currently it uses GnuPG as
its backend but the API isn't restricted to this engine in fact we have already
developed a backend for CMS (S/MIME).
Homepage: http://www.gnupg.org/related_software/gpgme/
Library Dependencies: gnupg, pth, libgpg-error
Platforms: darwin
Maintainers: boeyms@macports.org openmaintainer@macports.org
--
p5-module-signature @0.55 (perl)
Variants: universal
Module signature file manipulation
Homepage: http://search.cpan.org/dist/Module-Signature/
Library Dependencies: perl5, gnupg, p5-digest-sha
Platforms: darwin
Maintainers: narf_tm@macports.org openmaintainer@macports.org
--
pwman @0.3.8 (security)
Variants: universal
PWman is a curses based password storage application. It uses GnuPG to encrypt
and decrypt the password file. The interface was inspired by Jaako Heinonen's
abook.
Homepage: http://sourceforge.net/projects/pwman
Library Dependencies: ncurses, libxml2, gnupg
Platforms: darwin
Maintainers: mni@oaf.dk
--
py-gnupg @0.3.2, Revision 1 (python)
GnuPGInterface is a Python module to interface with GnuPG. It concentrates on
interacting with GnuPG via filehandles, providing access to control GnuPG via
versatile and extensible means.
Homepage: http://py-gnupg.sourceforge.net/
Library Dependencies: python24, gnupg
Platforms: darwin
Maintainers: nomaintainer@macports.org
--
py25-gnupg @0.3.2 (python)
GnuPGInterface is a Python module to interface with GnuPG. It concentrates on
interacting with GnuPG via filehandles, providing access to control GnuPG via
versatile and extensible means.
Homepage: http://py-gnupg.sourceforge.net/
Library Dependencies: python25, gnupg
Platforms: darwin
Maintainers: ram@macports.org openmaintainer@macports.org
--
py26-gnupg @0.3.2 (python)
GnuPGInterface is a Python module to interface with GnuPG. It concentrates on
interacting with GnuPG via filehandles, providing access to control GnuPG via
versatile and extensible means.
Homepage: http://py-gnupg.sourceforge.net/
Library Dependencies: python26, gnupg
Platforms: darwin
Maintainers: ram@macports.org openmaintainer@macports.org
--
signing-party @1.0 (mail, security)
signing-party is a collection for all kinds of PGP/GnuPG related things,
including signing scripts, party preparation scripts, etc.
Homepage: http://pgp-tools.alioth.debian.org/
Library Dependencies: perl5, p5-gnupg-interface, p5-text-iconv,
p5-text-template, p5-mime-tools
Runtime Dependencies: gnupg, dialog
Platforms: darwin
Maintainers: milosh@macports.org openmaintainer@macports.org
--
zeroinstall-injector @0.39 (sysutils)
The Zero Install Injector makes it easy for users to install software without
needing root privileges. It takes the URL of a program and runs it (downloading
it first if necessary). Any dependencies of the program are fetched in the same
way. The user controls which version of the program and its dependencies to use.
Homepage: http://0install.net
Library Dependencies: python25, gnupg
Runtime Dependencies: py25-gtk, py25-xml, sudo
Platforms: darwin, freebsd, linux
Maintainers: afb@macports.org
--
kerberos5 @1.4.3 (net, security)
Variants: universal
Kerberos is a network authentication protocol. It is designed to provide strong
authentication for client/server applications by using secret-key cryptography.
A free implementation of this protocol is available from the Massachusetts
Institute of Technology. Kerberos is available in many commercial products as
well.
Homepage: http://web.mit.edu/kerberos/www/
Build Dependencies: gnupg
Platforms: darwin
Maintainers: nomaintainer@macports.org
$ sudo port install gnupg
---> Fetching bzip2
---> Attempting to fetch bzip2-1.0.5.tar.gz from http://www.bzip.org/1.0.5
---> Verifying checksum(s) for bzip2
---> Extracting bzip2
---> Applying patches to bzip2
---> Configuring bzip2
---> Building bzip2
---> Staging bzip2 into destroot
---> Installing bzip2 @1.0.5_2
---> Activating bzip2 @1.0.5_2
---> Cleaning bzip2
---> Fetching readline
---> Attempting to fetch readline-6.0.tar.gz from http://mirrors.ibiblio.org/pub/mirrors/gnu/ftp/gnu/readline
---> Verifying checksum(s) for readline
---> Extracting readline
---> Applying patches to readline
---> Configuring readline
---> Building readline
---> Staging readline into destroot
---> Installing readline @6.0.000_1
---> Activating readline @6.0.000_1
---> Cleaning readline
---> Fetching gnupg
---> Attempting to fetch gnupg-1.4.9.tar.bz2 from http://distfiles.macports.org/gnupg
---> Verifying checksum(s) for gnupg
---> Extracting gnupg
---> Configuring gnupg
---> Building gnupg
---> Staging gnupg into destroot
---> Installing gnupg @1.4.9_0
---> Activating gnupg @1.4.9_0
---> Cleaning gnupg

If you haven’t set up your YubiKey yet, this is a good place to start.

Evil Martians are growing. With more employees and more clients, there is a demand for stronger security. Our clients trust us with their source code and, even more importantly, with access to their production servers, and this trust cannot be broken. In a hostile environment of the modern web, though, it is easier said than done. A good old password, even coupled with a password manager, does not cut it anymore. The most obvious way to increase security is to opt for two-factor authentication (2FA) that is widely supported. Even without hardware keys, it makes an attacker’s job much harder than it used to be.

Install Gnupg Mac Os X

A sticky situation

We have enforced 2FA across all our staff for all the tools that we use daily: email, GitHub, task trackers, and others. By default, it involves requesting one-time access codes either by SMS/phone call or through a dedicated smartphone app. Cellular networks, however, are not the safest place: messages and calls can be intercepted. Opting for an app like Google Authenticator is more secure, but can also be compromised, at least in theory, if a smartphone that runs it is precisely targeted by an attacker.

So, can we do better? There exists an open authentication standard that aims to both strengthen and simplify 2FA.

Known as Universal 2nd Factor (U2F) and originally developed by Yubico and Google, it relies on physical devices (usually USB or NFC) that implement cryptographic algorithms on a chip, similar to smart cards that have been around for ages. You probably have at least few of those in your pockets: phone SIM, bank cards, various IDs and the like.

Now, instead of confirming your access with some code, you need to insert a USB stick into your computer, press the physical button on it, and the device will take care of the rest. Authenticating with U2F is already supported by major browsers (the only notable exception, sadly, is Safari) and you can use it with many online services that software professionals use daily: Google and Gmail, Dropbox, GitHub, GitLab, Bitbucket, Nextcloud, Facebook, and the list goes on.

MacGnupg

The advantages of a hardware solution are obvious: a possibility of a remote attacker gaining access to one of your tools is pretty much eliminated. The attacker needs to physically get a hold of your USB key, which is still a security risk, but in an entirely different domain.

There is a number of vendors that sell USB keys, and we chose Yubico and their YubiKey 4 series. They are versatile, compact and can either be carried around on a keychain or, for smaller models, stay in the USB slot of your laptop all the time. There are also USB-C models for newer Macs, so you don’t need dongles. Besides implementing U2F, YubiKey 4 series supports various security standards: Teamviewer download for macbook air.

  • Smart card PIV

Authenticating online with U2F works out of the box on Linux, macOS, and Windows and in all major browsers. However, if you want to use your YubiKey for SSH connections, things quickly get less straightforward.

Sticks and Macs

We do have our fair share of Linux users, but the instructions we offer further are for macOS only, as replacing default ssh-agent with a gpg-agent on a system level is a Mac-specific problem.

A Mac is a computer of choice for most of us at Evil Martians. We also use SSH all the time: while pushing code to GitHub or accessing remote servers. As all our employees work remotely from their private machines, contents of their ~/.ssh folders should never be allowed to leak. Common security measures, like the hard drive encryption, are always in order, but with YubiKeys already being used for U2F, would not it be better to store RSA keys for SSH on them too, and off the computer?

As YubiKey already supports OpenPGP, we can use it as the OpenPGP card with all the benefits:

  • Once RSA keys are put on a card, they cannot be retrieved programmatically in any way.
  • Keys written to a card can only be used in combination with a PIN code, so even if a YubiKey is stolen, a thief would not be able to authenticate directly.

To set up YubiKey as a smart-card holding your PGP keys, you need first to replace your ssh-agent that comes pre-installed with macOS with a GnuPG solution. The easiest way to do it is directly from Terminal with Homebrew:

If you want to install a full GPG Suite that includes GUI applications, you can run another command (requires Homebrew Cask), or download it from the website:

At the time of this writing, the most recent version of gpg is 2.2.X. Let’s double-check, just to be sure:

Many guides out there tell you how to install YubiKey with gpg 2.0.X, and there has been a lot of significant changes since then. We recommend updating, and that should also be done with caution: backup your ~/.gnupg directory before making any changes!

Gnupg For Mac Os X 10.13

Important!Now you need to either generate your PGP keys directly on the YubiKey or create them locally and copy over. There is an official guide for that, as well as a more evolved instruction on GitHub from the user drduh.

After all that is done, you need to enable your SSH client (the built-in Terminal app, for instance) to read PGP keys directly from YubiKey. It is time to say goodbye to a built-in ssh-agent that have served you well before.

Insert a YubiKey holding a PGP key in your computer and run the following commands; they will launch a gpg-agent and instruct your applications to use a new SSH authentication socket:

If everything went well, you should see that your private RSA key is now in fact located on a YubiKey (it has a unique cardno), the output of an ssh-add -l should resemble this:

Congratulations, you are done! This changes will not persist, however.

As soon as you reload your system, or even switch to a new console window, this setup will go away.

Let’s see how we can make it permanent.

Making things stick

The first thing that comes to mind when changing any shell-related setup is to change the local profile, be it ~/.bash_profile or ~/.zsh_profile (if you don’t know what type of shell you have, most likely you have bash, it comes by default with macOS). Open that file in an editor and add:

Now every time you launch a console, it will know how to SSH properly. If you live in a shell, use Vim or Emacs to write your code and were never tempted with GitHub’s visual features, you are all set.

However, if you use an IDE or one of those modern text editors with integrated GitHub functionality, such as Atom or Visual Studio Code? Those applications are not concerned with your shell setup and will still use system defaults for SSH, which is not what we want since we store all our keys securely on a YubiKey.

“But before we dealt with gpg, we did not need to set up anything, and everything worked!” you might say, and you would be right: macOS takes care of all that with a built-in service-management framework called launchd. You can read more about it by running man launchd, but you don’t have to.

You only need to know that launchd deals with so-called “property lists”. These are XML files with a .plist extension that define services to be launched and their launch options. They are located in the following directories:

  • ~/Library/LaunchAgents for per-user agents provided by the user.
  • /Library/LaunchAgents for per-user agents provided by the administrator.
  • /Library/LaunchDaemons for system-wide daemons provided by the administrator.
  • /System/Library/LaunchAgents for per-user agents provided by macOS.
  • /System/Library/LaunchDaemons for system-wide daemons provided by macOS.

Let’s do some digging and look for anything SSH-related. Here it is, right in a /System/Library/LaunchAgents/com.openssh.ssh-agent.plist:

Without diving into much detail, we see that this is how macOS makes ssh-agent a default utility for SSH authentication.

Unfortunately, we cannot edit this file directly, as anything located in a /System folder is protected from tampering by a macOS feature called System Integrity Protection. There is a way to disable it, but you don’t want to do that. Apple folk came up with it for a reason.

A stickler for detail

Nothing prevents us from writing our own .plist though! All these XMLs will be treated as instructions for launchd, so this is our chance to circumvent ssh-agent once and for all!

First of all, let’s read man gpg-agent and learn what GnuPG agent for Mac is capable of:

  • It can become a daemon and live in the background with the --daemon option.
  • There is a --supervised option designed for systemd which makes the gpg-agent wait for a certain set of sockets and then access them through file descriptors.
  • A --server option allows our agent to hook onto the TTY and listen for text input, without opening any sockets.

Unfortunately, launchd only tracks processes that run in the foreground, and neither --supervised, nor --server will do us any good. So, the best way to launch an agent is by using the same command that we used before: gpgconf --launch gpg-agent. Let’s express it in launchd-compatible XML:

Now save it as homebrew.gpg.gpg-agent.plist and put it into ~/Library/LaunchAgents folder. To test that it all works (you won’t have to do it after restart), tell launchd to load a new plist:

Now let’s make sure that the agent is loaded:

A digit in the launchctl list output shows the exit status of a launched program, and 0 is what we want to see. pgrep confirms that we are in fact up and running.

However, we are not done yet. We still need to point SSH_AUTH_SOCK environment variable to $HOME/.gnupg/S.gpg-agent.ssh. The problem is that the variable is already set (user-wide) by the launchd default setting for ssh-agent.

At this moment, I have nothing better in mind than the following “hack”: forcibly symlink gpg-agent’s socket to the default one, stored in an SSH_AUTH_SOCK variable. The power of Unix allows us to do that, but that effectively messes up the default SSH configuration. However, as we are now using GnuPG for everything SSH-related, that should not be a problem. If you have better ideas, please contact me on Twitter.

We can create another plist that will do all necessary symlinking on login.

The only trick here is to call the shell directly, with /bin/sh (so we can reference shell variables), and pass a command to it. Now, save the file as ~/Library/LaunchAgents/link-ssh-auth-sock.plist and load it with launchd.

Let’s test the result: Sony reader for pc.

Bingo! Our macOS is now effectively tricked into thinking that it deals with ssh-agent, even though it’s the gpg-agent doing authenticating and reading PGP keys directly from your YubiKey.

All you need to do know to authenticate over SSH in a true hardware fashion is to turn on your laptop, put a stick in the USB and push a button on it. Your Mac is now completely secure!

Still stuck?

There is another problem you may encounter when you start using YubiKey as an OpenGPG card. Our gpg-agent sometimes get stuck, and it looks like a YubiKey is not connected at all, replugging it also does nothing. It is a known problem, discussed here.
My observations show that it appears after I put my laptop to sleep. Let’s deal with that too.

First, we need a tool that keeps track when our laptop wakes up: sleepwatcher is made just for that. Install it with Homebrew:

By default, it expects two scripts: ~/.sleep to run before the computer goes to sleep, and ~/.wakeup to run after it wakes up. Let’s create them.

The minimal ~/.sleep script can look like this (we only need to be sure it passes as a shell script)

In ~/.wakeup we will forcibly restart our gpg-agent: Net paint for mac.

Now we need to add execution flags and enable sleepwatcher’s service:

Thank you for reading! In this article, we showed how to set up your SSH authentication flow with YubiKey as an OpenPGP card and how to make your gpg-agent play nicely with macOS. Now all you need to do to access a server or push code to a remote repository is to insert a stick into your USB and enter a PIN code when requested. Passphrases no longer required!