Security researchers are warning users of PGP/GPG email encryption plugins not to use the software, after critical vulnerabilities were discovered that could potentially be used reveal the plaintext of encrypted emails.
The official advice from security researchers is to disable and/or uninstall the affected software until the vulnerabilities are disclosed and fixes can be issued. In the meantime, users are advised to seek alternative end-to-end encrypted channels such as Signal to send and receive sensitive content.
This short how-to guides users through the steps necessary to remove the popular open-source encryption plugin GPG Tools (GPGMail) from Apple Mail. It requires deleting a "bundle" file used by the app. Users' existing encryption keys are not affected by the procedure and will remain on their hard disk. GPGTools has also since published a temporary workaround that it believes mitigates against similar so-called "Efail" attacks.
How to Uninstall GPG Tools from Apple Mail
- Quit Apple Mail if it is running (Mail -> Quit Mail in the menu bar).
- Click on the desktop and in the Finder menu bar, select Go -> Go to Folder....
- In the Go to Folder dialog that appears, type /Library/Mail/Bundles and click Go.
- Delete the GPGMail.mailbundle file by either dragging it to the trash in your dock or by right-clicking (Ctrl-clicking) it and selecting Move to Trash in the contextual dropdown menu. If you don't see the mailbundle file, return to the previous step but type ~/Library/Mail/Bundles in the Go to Folder dialog (note the tilde (~) character denotes your home folder).
- Enter your administrator password if prompted to confirm the action.
After following the above steps, the GPG Tools email plugin will be gone from Apple Mail the next time you launch the client.