Security researchers are warning users of PGP/GPG email encryption plugins not to use the software, after critical vulnerabilities were discovered that could potentially be used reveal the plaintext of encrypted emails.
The official advice from security researchers is to disable and/or uninstall the affected software until the vulnerabilities are disclosed and fixes can be issued. In the meantime, users are advised to seek alternative end-to-end encrypted channels such as Signal to send and receive sensitive content.
This short how-to guides users through the steps necessary to remove the popular open-source encryption plugin GPG Tools (GPGMail) from Apple Mail. It requires deleting a "bundle" file used by the app. Users' existing encryption keys are not affected by the procedure and will remain on their hard disk. GPGTools has also since published a temporary workaround that it believes mitigates against similar so-called "Efail" attacks.
How to Uninstall GPG Tools from Apple Mail
- Quit Apple Mail if it is running (Mail -> Quit Mail in the menu bar).
- Click on the desktop and in the Finder menu bar, select Go -> Go to Folder....
- In the Go to Folder dialog that appears, type /Library/Mail/Bundles and click Go.
- Delete the GPGMail.mailbundle file by either dragging it to the trash in your dock or by right-clicking (Ctrl-clicking) it and selecting Move to Trash in the contextual dropdown menu. If you don't see the mailbundle file, return to the previous step but type ~/Library/Mail/Bundles in the Go to Folder dialog (note the tilde (~) character denotes your home folder).
- Enter your administrator password if prompted to confirm the action.
After following the above steps, the GPG Tools email plugin will be gone from Apple Mail the next time you launch the client.
Top Rated Comments
[doublepost=1526316516][/doublepost] This article seems ill-advised. How about telling people how to temporarily disable the software, rather than rushing through a multi-step process to delete it?
It is also unclear whether my encrypted emails are affected since I use plaintext emails by default.
If, as the researchers claim, any previously send Email is at risk, removing the software now does not magically makes these Emails secure.
At the moment too little is known to fully understand the problem. Most security problems require certain elements to make an attack successful in the wild. From what I have gathered so far, the attack is successful against MIME-encoded Emails. So changing your Email-settings to send them as 'plain-text' may be far more effective than blindly uninstalling PGP.