Security researchers are warning users of PGP/GPG email encryption plugins not to use the software, after critical vulnerabilities were discovered that could potentially be used to reveal the plaintext of encrypted emails.

The official advice from security researchers is to disable and/or uninstall the affected software until the vulnerabilities are disclosed and fixes can be issued. In the meantime, users are advised to seek alternative end-to-end encrypted channels such as Signal to send and receive sensitive content.

This short how-to guides users through the steps necessary to remove the popular open-source encryption plugin GPG Tools (GPGMail) from Apple Mail. It requires deleting a "bundle" file used by the app. Users' existing encryption keys are not affected by the procedure and will remain on their hard disk. GPGTools has also since published a temporary workaround that it believes mitigates against similar so-called "Efail" attacks.

How to Uninstall GPG Tools from Apple Mail

  1. Quit Apple Mail if it is running (Mail -> Quit Mail in the menu bar).

  2. Click on the desktop and in the Finder menu bar, select Go -> Go to Folder....

  3. In the Go to Folder dialog that appears, type /Library/Mail/Bundles and click Go.

  4. Delete the GPGMail.mailbundle file by either dragging it to the trash in your dock or by right-clicking (Ctrl-clicking) it and selecting Move to Trash in the contextual dropdown menu. If you don't see the mailbundle file, return to the previous step but type ~/Library/Mail/Bundles in the Go to Folder dialog (note the tilde (~) character denotes your home folder).

  5. Enter your administrator password if prompted to confirm the action.

After following the above steps, the GPG Tools email plugin will be gone from Apple Mail the next time you launch the client.
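For administrators who prefer the terminal, the same procedure can be scripted. This is an added example, not part of the original article and not GPGTools' own tooling; unlike step 4 it moves the bundle into a holding folder instead of the Trash so it can be restored later, and the function names and the `GPGMail-disabled` folder are assumptions.

```shell
#!/bin/sh
# Added example: terminal equivalent of steps 1-5 above. Not GPGTools' own tooling.
# It moves the plugin aside instead of trashing it, so it can be restored later.
BUNDLE_NAME="GPGMail.mailbundle"

# Step 1: Mail must not be running while its bundle folder is changed.
mail_is_running() {
    pgrep -x Mail >/dev/null 2>&1
}

# disable_gpgmail ROOT HOME_DIR DEST   (function name and DEST are assumptions)
#   ROOT      "" on a real Mac, so the first folder is /Library/Mail/Bundles
#   HOME_DIR  the user's home folder, for ~/Library/Mail/Bundles (step 4)
#   DEST      folder that receives the disabled bundle(s)
# Returns 0 if a bundle was moved, 1 if none was found, 2 if Mail is running,
# 3 if a move failed or DEST already holds a bundle of that name.
disable_gpgmail() {
    root=$1 home=$2 dest=$3 n=0 moved=0
    if mail_is_running; then
        echo "Mail is running; quit it first" >&2
        return 2
    fi
    for dir in "$root/Library/Mail/Bundles" "$home/Library/Mail/Bundles"; do
        n=$((n + 1))
        src="$dir/$BUNDLE_NAME"
        target="$dest/$BUNDLE_NAME.$n"
        [ -e "$src" ] || continue
        [ ! -e "$target" ] || { echo "$target already exists" >&2; return 3; }
        # Moving out of /Library needs administrator rights (step 5).
        mkdir -p "$dest" && mv "$src" "$target" || return 3
        echo "moved $src -> $target"
        moved=$((moved + 1))
    done
    [ "$moved" -gt 0 ] || { echo "no $BUNDLE_NAME found" >&2; return 1; }
}

# Only touches the real folders when asked to: sh disable-gpgmail.sh --run
if [ "${1:-}" = "--run" ]; then
    disable_gpgmail "" "$HOME" "$HOME/GPGMail-disabled"
fi
```

The suffix on the moved bundle records where it came from: `.1` is the system-wide folder, `.2` the per-user folder.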

Top Rated Comments

CarlJ
77 months ago
That’s not good. But uninstalling is an overreaction. Wait for a fix.
Agreed. This article seems akin to "Researchers have discovered that seatbelts don't always work - here's how to cut them out of your car" (the dealer will really appreciate that when you take it in for repair). Well, great, when they come up with an updated app, it'll be harder to get it installed. How about just hold off on encrypting things for a bit.
The official advice from security researchers is to disable and/or uninstall the affected software until the vulnerabilities are disclosed and fixes can be issued. In the meantime, users are advised to seek alternative end-to-end encrypted channels ...

This short how-to guides users through the steps necessary to remove the popular open-source encryption plugin GPG Tools (GPGMail) ('https://gpgtools.org') from Apple Mail.
This article seems ill-advised. How about telling people how to temporarily disable the software, rather than rushing through a multi-step process to delete it?
Score: 2 Votes
Westside guy
77 months ago
Removing it seems like overkill, assuming the fix is indeed “coming very soon”. It’s easy to have it off by default (which is how I use it - it’s uncommon for me to need to send an encrypted email, but occasionally the need is there).

It is also unclear whether my encrypted emails are affected since I use plaintext emails by default.
Score: 1 Votes
Detektiv-Pinky
77 months ago
I don't think removing PGP is solving any problem.

If, as the researchers claim, any previously sent Email is at risk, removing the software now does not magically make these Emails secure.

At the moment too little is known to fully understand the problem. Most security problems require certain elements to make an attack successful in the wild. From what I have gathered so far, the attack is successful against MIME-encoded Emails. So changing your Email-settings to send them as 'plain-text' may be far more effective than blindly uninstalling PGP.
Score: 1 Votes
Telos101
77 months ago
I don't think removing PGP is solving any problem.

If, as the researchers claim, any previously sent Email is at risk, removing the software now does not magically make these Emails secure.
As I understand it, the uninstall advice from EFF seems to be a protective measure for people who expect the encryption to 'just work' in their mail app of choice. At least this way they know their emails aren't secure and can choose a different means of communicating. Signal does seem a good alternative for now.
Score: 1 Votes
