How to Remove GPGTools/GPGMail Encryption Plugin From Apple Mail

Discussion in 'Mac Blog Discussion' started by MacRumors, May 14, 2018.

  1. MacRumors macrumors bot


    Apr 12, 2001

    Security researchers are warning users of PGP/GPG email encryption plugins not to use the software, after critical vulnerabilities were discovered that could potentially be used reveal the plaintext of encrypted emails.

    The official advice from security researchers is to disable and/or uninstall the affected software until the vulnerabilities are disclosed and fixes can be issued. In the meantime, users are advised to seek alternative end-to-end encrypted channels such as Signal to send and receive sensitive content.

    This short how-to guides users through the steps necessary to remove the popular open-source encryption plugin GPG Tools (GPGMail) from Apple Mail. It requires deleting a "bundle" file used by the app. Users' existing encryption keys are not affected by the procedure and will remain on their hard disk. GPGTools has also since published a temporary workaround that it believes mitigates against similar so-called "Efail" attacks.

    How to Uninstall GPG Tools from Apple Mail
    1. Quit Apple Mail if it is running (Mail -> Quit Mail in the menu bar).
      Click on the desktop and in the Finder menu bar, select Go -> Go to Folder....

      In the Go to Folder dialog that appears, type /Library/Mail/Bundles and click Go.

      Delete the GPGMail.mailbundle file by either dragging it to the trash in your dock or by right-clicking (Ctrl-clicking) it and selecting Move to Trash in the contextual dropdown menu. If you don't see the mailbundle file, return to the previous step but type ~/Library/Mail/Bundles in the Go to Folder dialog (note the tilde (~) character denotes your home folder).

      Enter your administrator password if prompted to confirm the action.
    After following the above steps, the GPG Tools email plugin will be gone from Apple Mail the next time you launch the client.

    Article Link: How to Remove GPGTools/GPGMail Encryption Plugin From Apple Mail
  2. Detektiv-Pinky macrumors 6502a


    Feb 25, 2006
    Berlin, Germany
    I don't think removing PGP is solving any problem.

    If, as the researchers claim, any previously send Email is at risk, removing the software now does not magically makes these Emails secure.

    At the moment too little is known to fully understand the problem. Most security problems require certain elements to make an attack successful in the wild. From what I have gathered so far, the attack is successful against MIME-encoded Emails. So changing your Email-settings to send them as 'plain-text' may be far more effective than blindly uninstalling PGP.
  3. Telos101 macrumors regular


    Apr 29, 2016
    As I understand it, the uninstall advice from EFF seems to be a protective measure for people who expect the encryption to 'just work' in their mail app of choice. At least this way they know their emails aren't secure and can choose a different means of communicating. Signal does seem a good alternative for now.
  4. Mike MA macrumors 68000

    Mike MA

    Sep 21, 2012
    Some prime service with one thread before mentioning the vulnerability.
  5. Westside guy macrumors 603

    Westside guy

    Oct 15, 2003
    The soggy side of the Pacific NW
    Removing it seems like overkill, assuming the fix is indeed “coming very soon”. It’s easy to have it off by default (which is how I use it - it’s uncommon for me to need to send an encrypted email, but occasionally the need is there).

    It is also unclear whether my encrypted emails are affected since I use plaintext emails by default.
  6. Sasparilla, May 14, 2018
    Last edited: May 14, 2018

    Sasparilla macrumors 6502a

    Jul 6, 2012
    The workaround is to uncheck "Load Remote Content In Messages" from the Viewing preferences in Mail.

    If you care at all about security this shouldn't be checked in the first place (cause you don't want to be auto-loading all HTML email's and their potential security holes, you should just be auto-loading things as plain text from a security perspective).

    Fix is coming soon according to the GPGtools folks, perhaps folks are over-reacting?
  7. AlxM macrumors newbie


    Mar 21, 2018
    North America
    That’s not good. But uninstalling is an overreaction. Wait for a fix.
  8. CarlJ macrumors 68020


    Feb 23, 2004
    San Diego, CA, USA
    Agreed. This article seems akin to "Researchers have discovered that seatbelts don't always work - here's how to cut them out of your car" (the dealer will really appreciate that when you take it in for repair). Well, great, when they come up with an updated app, it'll be harder to get it installed. How about just hold off on encrypting things for a bit.
    --- Post Merged, May 14, 2018 ---
    This article seems ill-advised. How about telling people how to temporarily disable the software, rather than rushing through a multi-step process to delete it?
  9. Markoth macrumors 6502


    Oct 1, 2015
    Behind You
    This vulnerability has nothing to do with the strength of the encryption, but rather ability to trick users into decrypting their own emails and sending them to you. Although, the steps involved in actually carrying out the attack make this entire thing quite laughable. Plus, this is only an issue in poorly-coded mail programs that ignore errors spit out by the GPG/PGP library.

    In short, no, do not remove GPGTools.

    It would be nice if MacRumors did their own research a little bit before advising users to make what could be a difficult change to undo, especially given that later reveals have shown that this vulnerability is mostly a non-issue.
  10. DailySlow macrumors member


    Aug 5, 2015
    Northern Virginia
    I am curious, has GPG been update and okay to re-install?
  11. elisedriver macrumors newbie

    Jun 23, 2010
    So the EFF have got this wrong. Yes there is a vulnerability in the implementation, but not in the encryption and if you read what the InfoSec rockstars are all saying - then uninstalling is not the answer. I'm a strong believer and supporter of GPGTools - especially on a Mac.

    The work around (not downloading remote content) is actually a strong mitigation for the implementation flaw. That's all you need to do until this is 'fixed'.


    The project is normally particularly slow in getting updates out. I know this is a bigger one that needs addressing ASAP, but the sheer scale of this means it may be some time coming. It's also not down to the core of GPG (the encryption) but how it plays within the mail clients. The last time we had something like this there was problems getting the likes of Apple to make available the necessary resources and documentation.

Share This Page