
Remove gpg-suite #531

Closed
ckundo opened this issue May 14, 2018 · 1 comment · Fixed by #607

Comments


ckundo commented May 14, 2018

Hey friends, researchers have found a vulnerability that prompted EFF to make this recommendation:

Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

The laptop script includes gpg-suite. From what I can tell, gpg-suite autodecrypts emails by default.

ckundo pushed a commit to ckundo/laptop that referenced this issue May 14, 2018
- EFF released a recommendation to uninstall or disable GPG autodecryption
- Details forthcoming on the vulnerability
- https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now
- https://twitter.com/seecurity/status/995906576170053633

[Closes thoughtbot#531]
ckundo added a commit to ckundo/laptop that referenced this issue May 16, 2018

croaky commented Feb 25, 2019

The laptop script includes the Homebrew gpg-suite cask
so that the ASDF version manager can check Node.js downloads
against OpenPGP signatures from the Node release team.

The current recommendation in https://github.com/asdf-vm/asdf-nodejs
is to use the gpg Homebrew package.

Since this vulnerability only applies to users of PGP email,
maybe the simplest thing is to update the Homebrew package
and not worry about this vulnerability (which is also ~1y old,
probably received some patches)?

Alternatively, a change could remove gpg-suite
and disable signature verification for Node:

- bash "$HOME/.asdf/plugins/nodejs/bin/import-release-team-keyring"
+ export NODEJS_CHECK_SIGNATURES=no
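Review bot: the `+ export NODEJS_CHECK_SIGNATURES=no` line does more than drop gpg-suite; it switches off the OpenPGP check that this comment says is the reason the cask was there in the first place, for every future Node.js install. The first option in the comment (the `gpg` Homebrew package) keeps that check while still removing gpg-suite, so it is the safer default. If the environment-variable route is taken anyway, the removed `import-release-team-keyring` line was the only step that established which release team keys are trusted, so the commit message or a comment next to the new line should state plainly that Node downloads are no longer verified against the release team's signatures.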

That approach recognizes that key management and signature
verification add extra complication and opportunity for errors.

Perhaps a simpler method could one day be used for Node packages:
https://blog.gtank.cc/modern-alternatives-to-pgp/
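What "check Node.js downloads against OpenPGP signatures from the Node release team" actually involves, as an added example that is not code from the laptop script or from asdf-nodejs: the release checksum list is verified against a detached signature, and only then is the tarball's sha256 compared with the entry in that signed list. The script below runs offline: a throwaway key generated into a temporary `GNUPGHOME` stands in for a release team key (the real keyring import is what the removed `import-release-team-keyring` line did), and a small file stands in for the tarball. The tarball name, the `SHASUMS256.txt` layout and the requirement for gpg 2.1+ plus `sha256sum` or `shasum` on PATH are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the laptop script or asdf-nodejs. Shows the two
# checks behind verifying a Node.js download against release team signatures:
#   1. SHASUMS256.txt carries a valid detached signature from a key in the keyring;
#   2. the tarball's sha256 appears in that signed list under its exact filename.
# Everything is constructed offline: a throwaway key stands in for a Node
# release team key and a small file stands in for the tarball.
# Assumes gpg >= 2.1 and sha256sum or shasum on PATH.
set -u

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"          # isolated keyring so the user's real one is untouched
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
cleanup() { gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"; }
trap cleanup EXIT

TARBALL="node-v10.15.1-darwin-x64.tar.gz"   # constructed name, same pattern as a real release asset

sha256_of() {
  # Portable sha256: coreutils sha256sum on Linux, shasum on macOS.
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  else shasum -a 256 "$1" | awk '{print $1}'; fi
}

setup_fixture() {
  # Stand-in tarball and a SHASUMS256.txt in the "<sha256>  <filename>" layout.
  printf 'pretend this is a node tarball\n' > "$WORK/$TARBALL"
  printf '%s  %s\n' "$(sha256_of "$WORK/$TARBALL")" "$TARBALL" > "$WORK/SHASUMS256.txt"
  # Throwaway key playing the release team (constructed; a real setup imports the
  # team's published keys instead of generating one).
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Fake Node Release Team <fake@example.invalid>' default default never >/dev/null 2>&1
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --detach-sign --output "$WORK/SHASUMS256.txt.sig" "$WORK/SHASUMS256.txt"
}

verify_node_download() {
  # $1 tarball, $2 SHASUMS256.txt, $3 detached signature over $2.
  # Returns 0 only if both checks pass. Note: gpg --verify succeeds for any key
  # present in the keyring, so deciding which keys get imported is the real trust decision.
  if ! gpg --batch --quiet --verify "$3" "$2" >/dev/null 2>&1; then
    echo "signature check failed for $2" >&2; return 1
  fi
  local expected actual
  expected="$(awk -v f="$(basename "$1")" '$2 == f {print $1}' "$2")"
  actual="$(sha256_of "$1")"
  if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
    echo "sha256 mismatch for $1" >&2; return 1
  fi
}

run_demo() {
  # Three scenarios: untouched download, swapped tarball, and a checksum list
  # edited to match the swapped tarball (which breaks the signature instead).
  setup_fixture
  local good tarball list
  verify_node_download "$WORK/$TARBALL" "$WORK/SHASUMS256.txt" "$WORK/SHASUMS256.txt.sig" && good=ok || good=rejected
  printf 'attacker swapped the tarball\n' > "$WORK/$TARBALL"
  verify_node_download "$WORK/$TARBALL" "$WORK/SHASUMS256.txt" "$WORK/SHASUMS256.txt.sig" && tarball=ok || tarball=rejected
  printf '%s  %s\n' "$(sha256_of "$WORK/$TARBALL")" "$TARBALL" > "$WORK/SHASUMS256.txt"
  verify_node_download "$WORK/$TARBALL" "$WORK/SHASUMS256.txt" "$WORK/SHASUMS256.txt.sig" && list=ok || list=rejected
  echo "good=$good tampered_tarball=$tarball tampered_list=$list"
}

DEMO_RESULT="$(run_demo)"
echo "$DEMO_RESULT"
```

The third scenario is the one that matters for this thread: an attacker who can replace the tarball can also rewrite the unsigned checksum list to match, so the sha256 comparison alone proves nothing. The detached signature is what ties the list to the release team, and that signature check is exactly what the `NODEJS_CHECK_SIGNATURES=no` route in the comment above gives up.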

cpytel added a commit that referenced this issue Mar 30, 2022
Closes #575
Closes #531

Use an alternative gpg-suite package which does not install the mail extension.