Using Apple Mail with GPG
- GPG (GNU Privacy Guard) from macgpg.sourceforge.net:
- GPGMail to allow signing, encrypting, and decrypting within Apple Mail:
- GPG Keychain Access for GUI key management:
Set preferences for GPGMail in Apple Mail (Mail -> Preferences -> PGP) so that messages are signed, but not encrypted, by default:
- On the "Composing" tab: unset default checkbox for "Encrypt when all keys are available"
- If the user never leaves the computer unattended without locking the screen or logging out, you can improve ease of use by allowing the passphrase to be cached. Bear in mind that while the passphrase is cached, anyone with access to the unlocked session can sign and decrypt as that user. If caching is appropriate in your environment, on the "Keys" tab check "Remember passphrases during session" and set Timeout to a length appropriate for your environment.
- By default, all messages will be PGP-signed. That default can be changed in the Mail->Preferences->PGP window on the "Composing" tab.
- In the New Message window, check the "Encrypted" checkbox if you wish to encrypt the message.
- As you address a message you wish to encrypt, GPGMail will automatically select the matching key for any recipient whose key is already on your keychain.
- If you don't have a particular recipient's key, you can use the "Keys" drop-down menu to the right of the Encrypted checkbox to select "Download" and search a key server for the recipient's key.
- Before using a key you've downloaded, you should (at minimum) contact the recipient by phone or in person to verify that the specific key you found actually belongs to them. In the search results window, the key ID is the first item in the description, beginning with 0x followed by 8 hexadecimal characters. That 8-character short ID is not unique (it is only the low 32 bits of the key's fingerprint, and different keys can share it), so when you check with the recipient, compare the full 40-character fingerprint as shown by GPG Keychain Access or by gpg --fingerprint, not just the 0x... ID.
- When viewing a reply to a PGP-signed message, the reply will appear to be signed even if the reply itself is not: the signed text quoted from the original is what triggers the indicator. Clicking "Verify" shows whose signature it is (the original sender's, covering only the quoted text), at which point it is clear that the reply's author did not sign it.
- GPG Keychain Access doesn't show the signatures (certifications) on a key.
- GPGMail uses Mail's private internal API, so it lags OS releases. Officially it's still beta for Leopard, but we've used it without incident.
- GPGMail allows a new key to be downloaded at the time of message creation, but the download dialog shows neither the key's signatures nor its fingerprint, so the verification described above has to be done separately.
- The default key server for downloading keys is hkp://subkeys.pgp.net, although ldap://keyserver.pgp.com can be selected. We've recommended keyserver.pgp.com since it does initial verification of new keys and semi-annual re-verification. However, it does not accept updates to key signatures, so subkeys.pgp.net is a better source for getting signed keys. subkeys.pgp.net also appears to pick up keys published to keyserver.pgp.com, so it's probably the best near-term source for finding keys.
- GnuPG Preferences (a GUI for setting GPG options) doesn't work on an Intel-based Mac, so this documentation assumes it is not used. Note that the key search results window in Mail still refers to it.
- Testing was done in November 2008 with Mail 3.5.
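The following is an added example, not code from the original page and not part of GPGMail or GnuPG. It carries through the verification step recommended above for a downloaded key: the GPGMail search window shows only the 8-hex short key ID, and distinct keys can share one, so the comparison with what the recipient reads out by phone should be made on the full 40-hex fingerprint that gpg --fingerprint prints. The script parses a constructed sample of gpg --with-colons --fingerprint output (the two keys, their fingerprints and user IDs are fabricated, and were deliberately chosen to share the short ID 0xDEADBEEF), normalises a fingerprint as spoken or pasted, and accepts a key only when the full fingerprint matches.

```python
"""Check a downloaded PGP key against the fingerprint its owner read out.

Parses the 'pub', 'fpr', 'sub' and 'uid' records of gpg's machine-readable
`--with-colons --fingerprint` output and compares the full 40-hex fingerprint,
not the 8-hex short key ID that the GPGMail search window displays.
"""
import re

# Constructed sample of `gpg --with-colons --fingerprint` output. Both keys
# are fabricated for this example and share the short key ID DEADBEEF.
SAMPLE_COLONS = """\
pub:u:2048:1:9ABCDEF0DEADBEEF:1227000000::u:::scESC:
fpr:::::::::123456789ABCDEF0123456789ABCDEF0DEADBEEF:
uid:u::::1227000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>:
sub:u:2048:1:FEDCBA9876543210:1227000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
pub:-:2048:1:66667777DEADBEEF:1227100000::-:::scESC:
fpr:::::::::00001111222233334444555566667777DEADBEEF:
uid:-::::1227100000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Mallory Example <alice@example.org>:
"""

HEX40 = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(text):
    """Canonicalise a fingerprint as read over the phone or copied from a GUI:
    drop a leading 0x, all spaces and case; reject anything but 40 hex digits."""
    s = text.strip().upper().replace(" ", "")
    if s.startswith("0X"):
        s = s[2:]
    if not HEX40.match(s):
        raise ValueError("not a 40-hex-digit v4 fingerprint: %r" % text)
    return s


def short_key_id(fingerprint):
    """8-hex short key ID: the low 32 bits of a v4 fingerprint, i.e. what the
    GPGMail search window shows after '0x'."""
    return normalize_fingerprint(fingerprint)[-8:]


def parse_colons(text):
    """Return one dict per primary key: keyid, fingerprint, uids, subkey fprs.
    An 'fpr' record belongs to the preceding 'pub' or 'sub' record."""
    keys = []
    current = None
    in_subkey = False
    for line in text.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            current = {"keyid": fields[4], "fingerprint": None,
                       "uids": [], "subkey_fingerprints": []}
            keys.append(current)
            in_subkey = False
        elif current is None:
            continue
        elif rec == "sub":
            in_subkey = True
        elif rec == "fpr":
            if in_subkey:
                current["subkey_fingerprints"].append(fields[9])
            else:
                current["fingerprint"] = fields[9]
        elif rec == "uid":
            current["uids"].append(fields[9])
    return keys


def find_by_short_id(keys, short_id):
    """All keys whose short ID matches; more than one means the ID is ambiguous."""
    wanted = short_id.strip().upper()
    if wanted.startswith("0X"):
        wanted = wanted[2:]
    return [k for k in keys if short_key_id(k["fingerprint"]) == wanted]


def verify_key(keys, short_id, spoken_fingerprint):
    """The key that matches both the short ID from the search window and the
    full fingerprint the owner read out, or None if no key matches."""
    spoken = normalize_fingerprint(spoken_fingerprint)
    matches = [k for k in find_by_short_id(keys, short_id)
               if k["fingerprint"] == spoken]
    return matches[0] if matches else None


if __name__ == "__main__":
    keys = parse_colons(SAMPLE_COLONS)
    print("keys with short ID 0xDEADBEEF:", len(find_by_short_id(keys, "0xDEADBEEF")))
    ok = verify_key(keys, "0xDEADBEEF",
                    "1234 5678 9abc def0 1234 5678 9abc def0 dead beef")
    print("verified:", ok["uids"][0] if ok else None)
```

In practice the input to parse_colons would come from running gpg --with-colons --fingerprint on the key you just downloaded, and the spoken fingerprint from the recipient; the script shows why the 0x... ID alone is not enough, since both sample keys (one of them carrying the other's e-mail address) pass the short-ID check and only the fingerprint comparison separates them.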
Last updated: Monday, December 1, 2008