How to Remove GPGTools/GPGMail Encryption Plugin From Apple Mail

Discussion in 'Mac Blog Discussion' started by MacRumors, May 14, 2018.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    [​IMG]
    Security researchers are warning users of PGP/GPG email encryption plugins not to use the software, after critical vulnerabilities were discovered that could potentially be used reveal the plaintext of encrypted emails.

    The official advice from security researchers is to disable and/or uninstall the affected software until the vulnerabilities are disclosed and fixes can be issued. In the meantime, users are advised to seek alternative end-to-end encrypted channels such as Signal to send and receive sensitive content.

    This short how-to guides users through the steps necessary to remove the popular open-source encryption plugin GPG Tools (GPGMail) from Apple Mail. It requires deleting a "bundle" file used by the app. Users' existing encryption keys are not affected by the procedure and will remain on their hard disk. GPGTools has also since published a temporary workaround that it believes mitigates against similar so-called "Efail" attacks.

    How to Uninstall GPG Tools from Apple Mail
    1. Quit Apple Mail if it is running (Mail -> Quit Mail in the menu bar).
      Click on the desktop and in the Finder menu bar, select Go -> Go to Folder....
      [​IMG]

      In the Go to Folder dialog that appears, type /Library/Mail/Bundles and click Go.
      [​IMG]

      Delete the GPGMail.mailbundle file by either dragging it to the trash in your dock or by right-clicking (Ctrl-clicking) it and selecting Move to Trash in the contextual dropdown menu. If you don't see the mailbundle file, return to the previous step but type ~/Library/Mail/Bundles in the Go to Folder dialog (note the tilde (~) character denotes your home folder).
      [​IMG]

      Enter your administrator password if prompted to confirm the action.
    After following the above steps, the GPG Tools email plugin will be gone from Apple Mail the next time you launch the client.

    Article Link: How to Remove GPGTools/GPGMail Encryption Plugin From Apple Mail
     
  2. Detektiv-Pinky macrumors 6502a

    Detektiv-Pinky

    Joined:
    Feb 25, 2006
    Location:
    Berlin, Germany
    #2
    I don't think removing PGP is solving any problem.

    If, as the researchers claim, any previously send Email is at risk, removing the software now does not magically makes these Emails secure.

    At the moment too little is known to fully understand the problem. Most security problems require certain elements to make an attack successful in the wild. From what I have gathered so far, the attack is successful against MIME-encoded Emails. So changing your Email-settings to send them as 'plain-text' may be far more effective than blindly uninstalling PGP.
     
  3. Telos101 macrumors regular

    Telos101

    Joined:
    Apr 29, 2016
    Location:
    Ireland
    #3
    As I understand it, the uninstall advice from EFF seems to be a protective measure for people who expect the encryption to 'just work' in their mail app of choice. At least this way they know their emails aren't secure and can choose a different means of communicating. Signal does seem a good alternative for now.
     
  4. Mike MA macrumors 68000

    Mike MA

    Joined:
    Sep 21, 2012
    #4
    Some prime service with one thread before mentioning the vulnerability.
     
  5. Westside guy macrumors 603

    Westside guy

    Joined:
    Oct 15, 2003
    Location:
    The soggy side of the Pacific NW
    #5
    Removing it seems like overkill, assuming the fix is indeed “coming very soon”. It’s easy to have it off by default (which is how I use it - it’s uncommon for me to need to send an encrypted email, but occasionally the need is there).

    It is also unclear whether my encrypted emails are affected since I use plaintext emails by default.
     
  6. Sasparilla, May 14, 2018
    Last edited: May 14, 2018

    Sasparilla macrumors 6502a

    Joined:
    Jul 6, 2012
    #6
    The workaround is to uncheck "Load Remote Content In Messages" from the Viewing preferences in Mail.

    If you care at all about security this shouldn't be checked in the first place (cause you don't want to be auto-loading all HTML email's and their potential security holes, you should just be auto-loading things as plain text from a security perspective).

    Fix is coming soon according to the GPGtools folks, perhaps folks are over-reacting?
     
  7. AlxM macrumors newbie

    AlxM

    Joined:
    Mar 21, 2018
    Location:
    North America
    #7
    That’s not good. But uninstalling is an overreaction. Wait for a fix.
     
  8. CarlJ macrumors 68020

    CarlJ

    Joined:
    Feb 23, 2004
    Location:
    San Diego, CA, USA
    #8
    Agreed. This article seems akin to "Researchers have discovered that seatbelts don't always work - here's how to cut them out of your car" (the dealer will really appreciate that when you take it in for repair). Well, great, when they come up with an updated app, it'll be harder to get it installed. How about just hold off on encrypting things for a bit.
    --- Post Merged, May 14, 2018 ---
    This article seems ill-advised. How about telling people how to temporarily disable the software, rather than rushing through a multi-step process to delete it?
     
  9. Markoth macrumors 6502

    Markoth

    Joined:
    Oct 1, 2015
    Location:
    Behind You
    #9
    This vulnerability has nothing to do with the strength of the encryption, but rather ability to trick users into decrypting their own emails and sending them to you. Although, the steps involved in actually carrying out the attack make this entire thing quite laughable. Plus, this is only an issue in poorly-coded mail programs that ignore errors spit out by the GPG/PGP library.

    In short, no, do not remove GPGTools.

    It would be nice if MacRumors did their own research a little bit before advising users to make what could be a difficult change to undo, especially given that later reveals have shown that this vulnerability is mostly a non-issue.
     

Share This Page