tag:gpgtools.tenderapp.com,2011-11-04:/discussions/problems/60232-save-to-keychain-is-enabled-by-default
GPGTools: Discussion
2018-07-18T14:02:00Z

Save to Keychain is enabled by default

2017-10-18T09:22:51Z
<div><p>Hi fanzeyi,</p>
<p>we have changed this default since we found that it makes handling passphrases a lot easier for many of our users. But you can of course change the default in System Preferences -> GPG Suite.</p>
<p>Hope that helps.</p>
<p>P.S.: Nice investigation :)</p></div>
Luke Le

2017-10-21T22:39:33Z / 2017-10-21T22:54:26Z
<div><p>@luke le: we've noticed this too and unfortunately while it may make things easier in the short run - it can seriously compromise the security of the GPG passphrase as many users sync their keychains to iCloud (often without realizing it since Apple likes to make this the default during setup). Would it be possible to persuade you to change the default back to having it unchecked - or perhaps adding a step during installation/upgrade that at least prompts & asks the user whether or not they'd like it enabled - perhaps with a brief explanation of the risks of doing so?</p>
<p>I also just realized I had already created an issue for this here: <a href="https://gpgtools.tenderapp.com/discussions/problems/59031-gpgtools-20171-re-checks-store-in-macos-keychain">https://gpgtools.tenderapp.com/discussions/problems/59031-gpgtools-...</a></p></div>
gpg_dude

2017-11-04T23:28:06Z
<div><p>I agree with gpg_dude that the save to Keychain box should NOT be checked by default. I accidentally saved my key to Keychain without realizing it, and this created a security vulnerability for me. Security should be the highest priority with a product such as gpg.</p></div>
anon

2017-12-10T16:55:40Z
<div><p>We have a ticket for this problem. I connected this discussion with the existing ticket. That means, should this discussion get closed, it will be re-opened as soon as the ticket is closed. That way you'll stay in the loop and get notified as soon as we have news. Feel free to open a new discussion should you run into further problems or need assistance.</p>
<p>The idea is to explicitly ask the user and inform them about the pros and cons of storing the password in macOS keychain.</p>
<p>Kindly,<br>
steve</p></div>
Steve

2018-01-24T22:43:09Z / 2018-01-24T22:43:10Z
<div><p>I agree with fanzeyi and Steve that saving to the Apple Keychain should NOT be the default. If you want to add convenience for users, give them a first-use pop-up that directs them to preferences -> settings. You should always default to a position of higher security.</p></div>
Matt Martini

2018-01-25T11:06:06Z
<div><p>Thanks for your input Matt. I've added your vote and input to the open ticket.</p></div>
Steve

2018-03-26T16:25:14Z
<div><p>Hey Steve - any update on the ticket for this?</p></div>
gpg_dude

2018-03-26T16:34:21Z
<div><p>Sorry, not yet. As always we will keep you posted as we have news.</p></div>
Steve

2018-03-26T16:36:38Z
<div><p>Is there any way to bump it? I recently sat with some folks I helped get up on GPGmail a year ago and several of them had no idea what their GPG passphrase was because "one day it just stopped asking me for it, but encryption kept working".</p></div>
gpg_dude

2018-03-28T13:36:57Z / 2018-07-18T14:01:38Z
<div><p>Hi gpg_dude and others,</p>
<p>this issue is high on our priority list for the setup wizard we are currently planning on developing. Unfortunately at the end of last year our development and distribution infrastructure broke down and it took us quite some time to get it up and running again, which set us back longer than expected.</p>
<p>While we absolutely agree that this can be a security issue for some, we most often hear from our users that they don't know what their GPG passphrase is and that they can't remember it. Depending on your data that can be a much more problematic situation to be in. So a setup wizard where the user is alerted to the possible consequences of the "store passphrase" choice is definitely the way to go.<br>
I'd like to believe that users who have more serious threat levels to consider will be able to find the option where to disable this preference.</p></div>
Luke Le