Gpg For Mac

Despite the appearance of a number of good privacy-focused webmail services, Pretty Good Privacy (PGP) remains the gold standard of email encryption. In this guide, we show you how to use PGP on Mac, explain how it works and how secure PGP really is.

PGP does have a number of issues (discussed below), but it is still the most widely used email encryption system, and therefore the most interoperable with others no matter which platform or email service they use.

It can also be used to sign and encrypt files and other data, but it is mainly used to secure email.

How does PGP work?


The details of how PGP works are, to be honest, rather complicated. The important thing to remember, however, is that PGP uses public-key cryptography.

Each user has a private key, which they keep secret and use to decrypt messages that were encrypted to their public key, and a public key, which they distribute freely so that other people can use it to send them encrypted emails.

  • Private key – kept secret and used to decrypt own mail
  • Public key – distributed so that others can use it to encrypt mail for sending to you

For this tutorial, we’ll stick to how to use PGP for encrypting emails, but PGP keypairs are also very useful for signing and verifying digital signatures.

PGP vs OpenPGP

When discussing PGP these days we almost always mean OpenPGP. OpenPGP is the open standard (RFC 4880) derived from the original PGP, and free implementations of it such as GnuPG interoperate with each other and with the commercial PGP product, which is now closed-source software owned by Symantec.

Issues with PGP

When PGP is used to secure emails, the metadata - such as email addresses of both the sender and recipient, date and time of sending, and e-mail’s subject line - is not encrypted. Just the body text and any attachments.

Another problem with PGP is that it does not provide Perfect Forward Secrecy (PFS). The same long-term key decrypts every message ever sent to it, so if that private key is ever compromised, all past and future emails encrypted to it can be read.

Arguably the biggest problem with PGP, though, is that it's just not very easy to use, with the result being that most people simply don’t. To combat this, we will show you the two easiest ways to use PGP on your Mac:

Method 1: Mailvelope

Mailvelope is a free and open-source browser extension for Chrome and Firefox that makes using PGP on your Mac about as easy as PGP is ever likely to get. Please check out our full Mailvelope How-to guide for a detailed look at how it works.

Method 2: GPGTools with GPG Mail

The most common implementation of OpenPGP is GNU Privacy Guard (also known as GnuPG or just GPG). GPG on its own is a command-line tool, but GPG Suite for macOS (from GPGTools) wraps it in a GUI (GPG Keychain) and adds the GPG Mail plug-in for Apple Mail.

It is worth noting that in 2018 GPGTools made headlines because of the EFAIL attacks, which exploited how email clients handled decrypted content and affected most OpenPGP and S/MIME capable mail clients at the time. Since GPG Suite 2018.2, however, this has been patched.

GPGTools is free, but the GPG Mail plugin for Apple Mail is designed to help fund the open-source project and costs $22. This is a one-off fee, but you do need to pay again for new versions as they are released.

  1. Download and install the GPG Suite.

    Please verify the download before installing it by comparing its SHA-256 checksum with the value published on the GPG Suite download page. During installation, keep the default settings.

  2. Create a new keypair.

    Open the GPG Keychain app, select New (the + sign) and fill in the relevant details. The Advanced options (key type, length and expiry date) can be left at their defaults; giving the key an expiry date is sensible, since it can be extended later if the key is still in use.

  3. Upload your public key to a keyserver.


    This will allow others to find it using your email address so that they can send you secure PGP-encrypted emails.

    Be aware, though, that once a public key has been uploaded to a keyserver it cannot be deleted. The keyserver will send you an email asking you to confirm the upload.

    You will see your newly created key in the GPG Keychain.

    If you already have a keypair then you can import it by clicking the Import button. You can then right-click on it -> Send Public Key to Keyserver.

  4. Send an encrypted email.


    In order to send a PGP-encrypted email, you will need the recipient's public key. If they have already sent it to you (as an email attachment, for example) then you can import it using GPG Keychain.

    If you don't have it, you can search the keyserver by email address for public keys that have been uploaded. Once you have found the key you want, simply import it into your GPG Keychain (and verify its fingerprint with the owner, as described in step 6, before relying on it).

    Open the Apple Mail app. If you're using an up-to-date version of macOS (10.14 Mojave+), you will need to enable GPG in Mail. To do this, Go to Preferences -> General -> Manage Plug-ins and enable the GPGMailLoader.mailbundle plug-in.

    Then simply compose an email as normal, ensuring that OpenPGP is selected in the new green drop-down button to the top right of the compose screen.

    When you have finished writing your message you can sign and/or encrypt it using the two buttons to the right of the Subject line:

    A) Sign - lets the recipient verify that the message came from you and was not altered in transit. With GPG Mail installed, all messages are signed by default (button is blue). Click the button to turn signing off.

    B) Encrypt - encrypts the content of the message plus any attachments. It does not encrypt the subject line or hide any other metadata. Click the lock icon (turning it blue) to encrypt your email.

    Hit Send, and you will be asked for the passphrase of your private key. If you are worried that an adversary may gain physical access to your Mac, untick "Save in Keychain" so that the passphrase has to be entered each time rather than being held in the macOS Keychain.

  5. Receive encrypted messages


    When you receive a PGP email that was encrypted to your public key and/or signed with the sender's private key, GPG Mail will automatically decrypt it using your private key and verify the signature using the sender's public key (which must be in your GPG Keychain).

  6. Verify and sign keys


    For maximum security, you should verify and sign keys. You verify a key by comparing the fingerprint of the key you have imported with the fingerprint the owner gives you, checking that all 40 hexadecimal characters are identical; the 8-character short key ID is not enough, because keys with a matching short ID can be generated deliberately. Ideally, this is done face-to-face, but a secure communication channel such as Signal Messenger will suffice.

    Each imported key’s fingerprint is prominently displayed in GPG Keychain.

    Once you are satisfied that a key is authentic, you can sign it to record that you consider it valid. PGP works on a web of trust, so you can also publish your signature to help others decide whether the key is authentic.

    And that’s the basic outline of how to use GPGTools to send and receive PGP emails in macOS. GPGTools has more tricks up its sleeve, however, which we may explore in future articles.
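Verifying a fingerprint is only meaningful if you compare the whole thing: the 8- or 16-character key IDs shown in many tools are just the tail of the fingerprint, and a key whose tail matches can be generated at will. The following Python script, added here as an example and not code from GPGTools or ProPrivacy, shows where a v4 fingerprint comes from (SHA-1 over the public-key packet, as RFC 4880 section 12.2 defines it) and compares fingerprints safely. The key packet is built from a dummy modulus and is not a real key; the function names are mine.

```python
"""Where an OpenPGP v4 fingerprint comes from, and how to compare one safely.

Added example (not GPGTools or ProPrivacy code). The packet below is built
from a dummy modulus and is not a real key; the fingerprint rule is the one
in RFC 4880 section 12.2.
"""
import hashlib
import hmac
import re
import struct


def mpi(value):
    """Encode an integer as an OpenPGP multi-precision integer (bit count + magnitude)."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


# Constructed v4 RSA public-key packet body:
#   version (1) | creation time (4) | algorithm (1, RSA = 1) | MPI n | MPI e
DUMMY_N = (1 << 2047) | 0x1234567   # 2048-bit stand-in, NOT a real modulus
DUMMY_E = 65537
DUMMY_PACKET_BODY = (b"\x04" + struct.pack(">I", 1_600_000_000) + b"\x01"
                     + mpi(DUMMY_N) + mpi(DUMMY_E))


def parse_v4_public_key(body):
    """Split a v4 public-key packet body into creation time, algorithm and MPIs."""
    if not body or body[0] != 4:
        raise ValueError("only version 4 public keys are handled here")
    created, algo = struct.unpack(">IB", body[1:6])
    mpis, pos = [], 6
    while pos < len(body):
        bits = struct.unpack(">H", body[pos:pos + 2])[0]
        n = (bits + 7) // 8
        chunk = body[pos + 2:pos + 2 + n]
        if len(chunk) != n:
            raise ValueError("truncated MPI")
        mpis.append(int.from_bytes(chunk, "big"))
        pos += 2 + n
    return {"created": created, "algorithm": algo, "mpis": mpis}


def v4_fingerprint(body):
    """SHA-1 over 0x99 || two-octet body length || body, as upper-case hex."""
    if len(body) > 0xFFFF:
        raise ValueError("packet body too long for a two-octet length")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fpr):
    """Long key ID = low 64 bits of the fingerprint; the short ID is its last 8 hex digits."""
    return fpr[-16:]


def normalize(text):
    """Accept the forms people paste: spaces, line breaks, lower case, a 0x prefix."""
    s = re.sub(r"\s+", "", text).upper()
    return s[2:] if s.startswith("0X") else s


def fingerprints_match(expected, presented):
    """True only for two identical full 40-hex fingerprints.

    Anything shorter (8- or 16-digit key IDs) is rejected outright: key IDs
    are just the tail of the fingerprint and prove nothing about the key."""
    a, b = normalize(expected), normalize(presented)
    if not (re.fullmatch(r"[0-9A-F]{40}", a) and re.fullmatch(r"[0-9A-F]{40}", b)):
        return False
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    fpr = v4_fingerprint(DUMMY_PACKET_BODY)
    print("fingerprint:", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("long key ID:", key_id(fpr), " short key ID:", fpr[-8:])
```

Run it to print the fingerprint of the dummy key; feeding it the body of the first packet from `gpg --export` of a real key (after its packet header) reproduces the fingerprint GPG Keychain displays.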


This feature was introduced in version 3.5 of Tower for Mac.

Tower offers seamless support for GPG. Read on to find out what exactly you can do with GPG in Tower and find a list of Frequently Asked Questions.

What is GPG?

GPG is a collection of tools that allow signing and encrypting of data using asymmetric cryptography (with public / private keys). Git uses GPG to sign and verify commits and tags. With such a signature, you can easily verify that a commit (or tag) was really made by a specific user.

Installing & Configuring GPG

  1. We recommend installing GPG Suite from the GPGTools website. This ensures a valid configuration that works well with Tower. If you install GPG via Homebrew or some other way, make sure that the gpg-agent and pinentry-program helpers are set up correctly, since Tower launches gpg without a terminal. You should also add no-tty and use-agent to ~/.gnupg/gpg.conf if these values are missing there.

  2. After installing GPG on your machine, you need to configure the GPG binary in Tower. Open the Preferences dialog and select it on the 'Git Config' tab.
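Pulled together from the install note above, the "missing password" answer and the auto-key-retrieve tip in the FAQ below, this is what a working non-GPG-Suite setup looks like. It is an added example, not configuration shipped by Tower: the Homebrew paths and the placeholder fingerprint are assumptions, and the Git settings are the plain-git equivalent of what selecting a key and enabling signing in Tower amounts to.

```ini
# ~/.gnupg/gpg.conf   (the two options the Tower docs ask for, plus key lookup)
no-tty
use-agent
auto-key-retrieve
keyserver hkps://keys.openpgp.org

# ~/.gnupg/gpg-agent.conf   (a graphical pinentry, so gpg can ask for the
# passphrase when launched by Tower with no terminal attached)
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
# Homebrew instead of GPG Suite (assumed paths): /opt/homebrew/bin/pinentry-mac on
# Apple silicon, /usr/local/bin/pinentry-mac on Intel. Apply with: gpgconf --kill gpg-agent

# ~/.gitconfig   (plain-git equivalent of Tower's GPG settings)
[user]
    # placeholder: use the full fingerprint shown in GPG Keychain
    signingkey = 0123456789ABCDEF0123456789ABCDEF01234567
[gpg]
    program = /usr/local/MacGPG2/bin/gpg
[commit]
    gpgsign = true
[tag]
    gpgSign = true
```

Using the full fingerprint rather than a short key ID for signingkey avoids git picking the wrong key when two keys in the keyring share an ID.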

What Can You Do With GPG in Tower?

Verifying Signed Commits

Tower indicates directly in its History views if a commit was signed or not. On top of that, you can also see the signature status (green / orange / red) and access additional information through a popover window.

Verifying Signed Tags

Apart from commits, you can also verify the signatures for tags in Tower. Either right-click on the tag in the sidebar or directly click it in one of the commit views.

Setting & Managing Keys

You can easily select / set / switch keys in Tower:

  • in the global configuration, in Tower's Preferences dialog
  • in a specific repository, by selecting the 'Settings' item in the sidebar of an open repository
  • in Tower's User Profiles

Signing Commits

You can configure if you want Tower to automatically sign new commits - either just in a certain repository or globally. This is not limited to just committing, but also includes actions like merge, revert, cherry-pick, and rebase.

Signing Tags

Apart from commits, you can also sign tags. The 'Create New Tag' dialog contains a checkbox for this.


Frequently Asked Questions

I have a GPG key but signing fails due to a missing password. What can I do?

gpg must be able to obtain the passphrase without a terminal, because Tower launches it with no TTY attached. With a default installation of GPG Suite from the website (https://gpgtools.org) this works out of the box: it configures pinentry-mac, a program that displays a password dialog when a passphrase is required and offers to save it in the macOS Keychain. Saving it there is convenient, but it means any process running in your unlocked session can sign with that key without a prompt.
~/.gnupg/gpg-agent.conf has a pinentry-program entry that specifies the location of the pinentry program. The default GPG Suite installation uses /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac. You can also install the program via Homebrew (brew install pinentry-mac); point pinentry-program at it in that file and restart the agent with gpgconf --kill gpg-agent so the change takes effect.

How can I add a GPG key if I have none?

You can do so in the repository settings in the sidebar. Make sure a repository user is configured and then select 'Create GPG Key…' from the GPG Key Popup Button menu. You can do the same for the global user in the 'Git Config' tab of Tower's Preferences.

I selected 'No GPG Key' in the repository settings, but the selection always resets to a key.

A global GPG key may be configured in the Git preferences. This key is effective for the repository and would be used, which is why you are seeing it here. Try also setting the global user GPG key to 'No GPG Key' in the Git preferences.

I want to create a GPG key but the 'Create GPG Key' menu item is disabled.

Tower found a key that matches the email address of your current Git user (either global or repository level). You have to change your Git user email address to one that does not already have an associated GPG key.
You should use GPG Keychain if you need advanced key management features.

How can I sign tags?

There is a checkbox in the 'Create Tag' dialog and the dialogs for finishing release and hotfix branches via git-flow. Your preference is remembered across app launches. Signed tags are annotated tags which require a message.

You can select the key that should be used to sign the tag via the popup button below the checkbox. If a GPG key is configured it is preselected.

How can I sign commits?

Enable signing either in the GPG section of the repository settings or the global git config in the application preferences and make sure you have a GPG key selected. Signing is automatic from there on.

How can I verify commit signatures?

A status indicator appears in the history for each commit that has a signature. You can click on it to view signature details.

How can I verify tag signatures?

There are two ways to show the signature of a tag:
(a) Just click on the tag badge in the history or the detail view
(b) Right-click the tag in the sidebar and choose 'Show GPG Signature…'

What do the colors of the status indicator mean?

  • Green: Signature Good
  • Yellow: There is an issue with the signature, click the indicator to read a status message in the popover.
  • Red: Signature Bad

I am colorblind and cannot differentiate the status colors, what can I do?

Turn on the accessibility setting Differentiate without color in System Preferences > Accessibility > Display. Tower respects this setting and will draw the bad signature status indicator with a square instead of a circle and the warning signature status with a triangle instead of a circle.

My keys are not shown when clicking the button, why is that?

Make sure you have a GPG binary configured. Restart Tower if the keys still don't show up.

All GPG status indicators in the history are yellow, why is that?

You haven't trusted any of the keys that have been used to sign the commits. This means that verifying the commit leads to status 'Unknown Validity'. See the next question for a solution.

A / my signature is shown with status 'Unknown Validity'. How can I change that?

You can open GPG Keychain, show details for the key and use the context menu to sign it with your private key (certifying it as valid). Make sure that you verify the full key fingerprint with the author of the commit or tag before signing it; a signature you make on an unverified key misleads everyone who trusts you.

A signature is shown with status 'Cannot Be Checked' and shows no name or avatar, just the key fingerprint and the status. How can I change that?

The commit was signed with a private key whose public key is not in your keyring. Usually the public key is downloaded automatically in these cases, but that can fail. You can search for and download the public key in GPG Keychain using the fingerprint (or key ID) shown in the popover.
Adding auto-key-retrieve to ~/.gnupg/gpg.conf enables the automatic download. A key fetched this way is still unverified: the signature will show as 'Unknown Validity' until you check its fingerprint with the author and sign it.

A signature is shown without a GPG key fingerprint, why is that?

GPG support in Tower requires Git 2.20 or newer. The options to read the fingerprints from signatures are not available in older versions.

What does 'Verify GPG Signatures' in Merge/Pull dialogs do?

Git checks the signature of the tip commit of the commits that should be merged. If the commit does not have a valid signature, the operation is aborted. If there are signatures with unknown validity, you may have to go into GPG Keychain (or the command line) and adjust the trust value of the associated public keys. Make sure that you verify the key with the author of the commit or tag before trusting it.

I use a subkey for signing but it does not appear in the GPG keys menu!

We don't support subkeys at the moment.

Loading the GPG status in the history takes really long. What can I do?

Verifying commits is an expensive operation, because Git has to call gpg --verify for each commit with a signature. You can improve loading times by reducing the maximum number of commits Tower loads in a batch (see the 'Number of commits in history' option in the 'General' tab of Tower's Preferences).

A likely cause of very long loading times is that you don't have the public keys for the signatures on some commits and Git / GPG is unable to download them. Verifying those signatures is then very slow (you can confirm this by running the same verification on the command line).

To solve this problem you can do one of the following:

  • Find the commits with yellow status indicator and 'Cannot Be Checked' status, copy the key fingerprint and download the public key in GPG Keychain.
  • Disable 'Verify GPG Signatures' in the history view settings
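The colour meanings, the 'Unknown Validity' and 'Cannot Be Checked' states and the slow-history advice above all come down to what git reports for each commit's signature. The Python script below, an added example rather than Tower's code, reads the signature placeholders git exposes through `git log --format` (%G?, %GF, %GK and %GS; %GF needs Git 2.20 or newer, as the FAQ notes) and sorts commits into the keys you have to fetch, the keys you have to verify and sign, and the commits that need investigation. The mapping from git's status codes to Tower's colours is my reading of the FAQ, and the log sample is constructed.

```python
"""Sort commit signature states the way Tower's history indicator does.

Added example (not Tower's code). Reads the signature placeholders that
`git log --format` exposes and turns them into a to-do list. The colour
mapping is assumed from the FAQ above; the sample log is constructed.
"""
import subprocess
from collections import defaultdict

# hash, %G? status, key fingerprint, key ID, signer name, tab separated.
# %GF needs Git 2.20+ (older Git leaves it empty, as the FAQ notes).
LOG_FORMAT = "%H%x09%G?%x09%GF%x09%GK%x09%GS"

# git's %G? codes (see git-log pretty formats) -> assumed Tower colour
STATUS = {
    "G": ("green", "Signature Good"),
    "B": ("red", "Signature Bad"),
    "U": ("yellow", "Unknown Validity (key not trusted)"),
    "X": ("yellow", "good signature, but it has expired"),
    "Y": ("yellow", "good signature made by an expired key"),
    "R": ("yellow", "good signature made by a revoked key"),
    "E": ("yellow", "Cannot Be Checked (public key missing)"),
    "N": (None, "not signed"),
}

# Constructed sample of `git log --format=LOG_FORMAT` output: no real
# commits, keys or people. gpg reports only the key ID, not the
# fingerprint, when the public key is missing, so the 'E' row has no %GF.
SAMPLE_LOG = "\n".join([
    "a" * 40 + "\tG\t" + "1" * 40 + "\t" + "1" * 16 + "\tAlice Example",
    "b" * 40 + "\tU\t" + "2" * 40 + "\t" + "2" * 16 + "\tBob Example",
    "c" * 40 + "\tE\t\t" + "3" * 16 + "\t",
    "d" * 40 + "\tB\t" + "4" * 40 + "\t" + "4" * 16 + "\tMallory Example",
    "e" * 40 + "\tN\t\t\t",
])


def parse_log(text):
    """Turn LOG_FORMAT lines into dicts carrying the colour Tower would draw."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        commit, code, fpr, keyid, signer = (line.split("\t") + [""] * 5)[:5]
        colour, reason = STATUS.get(code, ("yellow", "unknown status %r" % code))
        rows.append({
            "commit": commit,
            "code": code,
            "colour": colour,
            "reason": reason,
            "key": fpr or keyid,   # fall back to the key ID when gpg had no key
            "signer": signer,
        })
    return rows


def triage(rows):
    """Group what the user must do to get the indicators green."""
    todo = defaultdict(set)
    for r in rows:
        if r["code"] == "E":
            todo["fetch_key"].add(r["key"])              # import in GPG Keychain
        elif r["code"] == "U":
            todo["verify_and_sign_key"].add(r["key"])    # check fingerprint with author first
        elif r["code"] == "B":
            todo["investigate_commit"].add(r["commit"])  # never just "trust" a bad signature
    return {k: sorted(v) for k, v in todo.items()}


def git_log_signatures(repo=".", limit=200):
    """Same thing against a real repository (needs git and gpg on PATH)."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "-%d" % limit, "--format=" + LOG_FORMAT],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_log(out)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for r in rows:
        print(r["commit"][:8], r["colour"] or "-", r["reason"], r["key"], r["signer"])
    print(triage(rows))
```

Running `git_log_signatures()` in a repository whose history is all yellow tells you in one pass whether the fix is to fetch keys (E) or to verify and sign keys you already have (U).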
